
Using Digital Forensics in Financial Institutes as a Tool to Combat Criminal Activities


Academic year: 2021


January 18, 2021

Student: Mick Roché
UvA ID: 10739416
Course: Literature Thesis Forensic Science
Course code: 5274LTFS5Y
Master’s Programme: Forensic Science
Supervisor: Jill Coster van Voorhout
Examiner: Zeno Geradts
Number of words:


Content Table

1. Abstract
2. Introduction
3. Studied Literature
   1. Different Methods to Analyse Suspicious Activity
   2. Strengthening the Value of Suspicious Activities as Intelligence
   3. Efficiently Using the Intelligence
4. Discussion
5. Conclusion and Future Recommendations
6. Acknowledgements
7. References
8. Appendix
   1. Search strategy
      1. Core Articles
      2. Search Terms
      3. Inclusion and Exclusion Criteria
   2. Abbreviations


1. Abstract

Digital forensics is a field of expertise which has been rapidly developing over the past few decades. Unfortunately, this development has not only been for the better. Criminals have been using the possibilities of technological tools to remain hidden in the shadows of the vast, often international traffic of financial institutions. Crimes like money laundering, human trafficking and terrorist financing are low-risk and money-driven, making them some of the most profitable crimes of this time. That is why financial institutions are becoming increasingly responsible for playing a role as a gatekeeper in order to combat these financial and high-impact crimes by using internal controls. This review looks at the possibilities of using digital forensics within financial institutions to analyse suspicious transactions and evaluates how to use this data as intelligence in investigating casework. It does so by reviewing methods proposed by experts and trying to determine which method could be used most efficiently, and by setting out considerations which should be taken into account when trying to maximize the value of the data for intelligence and how to handle it efficiently within financial institutions. The findings of the author are that a cluster-based machine-learning technique, in combination with a Bayesian paradigm and a data visualization technique, is needed in order to maximize detection of criminal activity without the risk of overreporting. By reporting these suspicious activities in combination with soft data from internal financial customer policies, intelligence is most efficiently used to combat criminal activity. In order for this to be implemented, proper training on digital forensic methodology is required within financial institutions, and a universally applicable method is recommended.

Keywords: Digital Forensics, Money Laundering, Financial Institutions, Machine-learning, Suspicious Activity.

2. Introduction

With the introduction of Digital Forensics (DF) a relatively new, rapidly developing tool has been added to the ever-expanding toolbox of the forensic scientist. DF can be used to identify, collect, analyse, interpret and present a large variety of pieces of digital evidence. There are four phases in a digital forensics investigation: acquisition of evidence, examination of retrieved evidence, the analysis of the evidence, and the presentation of the evidence (1). Every phase is important for its own reasons, and they all play an important role in the process of going from an investigation into court. DF is very similar to classic forensic science in numerous ways. The acquisition of traces relies heavily on Locard’s Principle, which states that every contact leaves a trace (2). In the digital world, trace evidence is not left in the form of DNA or a fingerprint, but in the sense that every action undertaken by a perpetrator leaves a record of that action, which may be used to reconstruct the activities of the perpetrator. Criminal event reconstruction is performed in the analysis process, where DF experts evaluate a set of hypotheses based on the alleged crime and the retrieved evidence (3). After analysing the digital evidence, it is the job of a DF expert to present the information which may constitute evidence in an impartial way so as to prove or refute the hypotheses that were proposed in the analysis phase of the investigation. Besides having similarities with traditional forensics, DF can differ immensely from it. Contrary to traditional forensics, it is possible to make exact copies of evidence in DF, the amount of data quickly becomes enormous in a DF investigation, and digital crimes easily transgress national borders (2).

The rapid development of technology has also been used for malicious activity, and cybercrime has been a rapidly emerging threat to, among other things, the international economy, the psychological wellbeing of people and (inter)national security (4). One sector in particular, the banking sector, has proven very useful for criminals. The anonymity and vastness of the financial traffic system have allowed criminals to commit a variety of crimes, such as money laundering (ML), terrorism financing (TF), human trafficking (HT), tax evasion, illicit drug trafficking and more (5). This paper will focus on ML, TF and HT; therefore any mention of criminal activity will be considered to include just those types of crimes.

In 1989 the Financial Action Task Force (FATF) was founded with the aim to provide countries and institutions with a set of legal, regulatory and operational recommendations to combat all crimes related to the integrity of the international financial system (6). They determined the need to identify and combat the abuse of financial institutions by criminals, which has led to some of the most profitable crimes of these days, with crimes like ML, TF and HT being very low-risk, money-driven offences (7). Even though the FATF recognizes that due to the different legal and financial frameworks between different countries not all countries can adopt the recommendations in a similar way, the task force has been criticised for not being able to provide a standardized process, or a well-defined strategy to achieve its aim (8). One of the FATF recommendations that could easily be implemented in its basic form is number 20, which states that when “a financial institution suspects or has reasonable grounds to suspect that funds are the proceeds of a criminal activity, or are related to terrorist financing, it should be required, by law, to report promptly its suspicions to the financial intelligence unit (FIU)” (6). However, the way this is implemented differs per country: in the Netherlands banks are only required to report unusual transactions (UTs) (7), in the United Kingdom the law requires financial institutions to report behaviour which could be linked to unlawful activities using suspicious transaction reports (STRs), and in the USA suspicious activities are formulated in a so-called suspicious activity report (SAR), which combines the suspicious transactions with personal information regarding the owner of the bank account (9). These reports can be used to “follow the money” in networks involved with ML, HT or TF (10). This review does not exclude any type of reporting, and it will be explicitly stated whether UTs, STRs or SARs are being discussed.

Aside from humanitarian reasons to combat criminal activity within financial institutions, there is a large financial benefit in fighting these crimes (7). Online financial crime is currently one of the most lucrative businesses, and only a very small percentage of perpetrators is ever prosecuted (11). Both the banking industry and policing institutions can benefit from combatting this growing issue. Reporting suspicious activity seems to be a very promising method where financial institutions function as a “gatekeeper” so to say, which also helps the judicial system to combat criminal activities, but as of now there is not a well-defined, universally implemented strategy to achieve this goal.

This research tries to set out the variety of DF methods which could be used by financial institutions when trying to combat criminal activity, and what should be taken into consideration when reporting suspicious activity in order to gain the most valuable intelligence which can be used in criminal investigations concerning ML, HT and TF. The motivation for this review is to come closer to finding a universally applicable strategy to combat ML, HT and TF. The question for this research is as follows:

“How can financial institutions use DF to analyse suspicious activity in order to combat ML, HT and TF, and how could they implement a universal strategy in order to maximize the value of their intelligence?”

To answer this research question an analysis of the available literature will be conducted, going through three subsections using relevant references which relate to the topic and research question at hand. This will review the possibilities of using DF to analyse suspicious activity within financial institutions, and it will evaluate whether financial crimes and high-impact crimes are efficiently targeted. In the end ideas on solutions will be proposed and recommendations given for future research.


The rest of this review is organised as follows. An overview of the studied literature is given in section 3. Section 4 will provide a critical discussion of the literature, including a personal perspective on the literature represented. Finally, section 5 will conclude the review and give recommendations for future research.

3. Studied Literature

In this section an overview of the studied literature is given. A search strategy describing which papers were used, how they were found, and the reasons for in- or exclusion is presented in the appendix. By dividing the papers over subsections the research question will be answered. These subsections will review the studied literature on what methods currently are proposed to analyse suspicious activity within financial institutions, how to strengthen the value of suspicious transactions within these financial institutions when used for intelligence, and which considerations need to be taken to ensure efficiency of the intelligence. Every subsection will consist of a representation of the available literature, and a short note on the limitations of, or future recommendations for, this literature.

3.1 Different Methods to Analyse Suspicious Activity

This section summarises papers that propose solutions or methods for the effective analysis of suspicious activity in financial institutions. This review will not go into specific research-related details, but the global method, goal and results (when obtained) of the research will be described. In the discussion, the results from these papers will be summarized and analysed on applicability within a universal framework.

FATF, 2020 (5)

In addition to the FATF Recommendations, the FATF also published a paper which described red flags that indicate whether a certain transaction or bank account might be related to ML and/or TF. The FATF states that a combination of red flags should lead to a SAR which can be combined with other intelligence, such as information regarding the owner of the bank account. After reviewing the SAR it can be sent to an FIU. A few examples of red flags are:

• High-value transactions;

• Depositing money and immediately withdrawing it;

• Regular patterns of transactions, without performing any other transactions;

• Sudden activity of an inactive account;

The FATF warns that the presence of red flags is not enough basis for suspicion of a criminal activity, but it might be a reason to start monitoring and examining a bank account. Red flags might also differ between accounts due to the nature of the banking account, and the kind of business the owner of the account is in. That is why red flags should be combined with information acquired by internal policies on customers before an SAR is sent to an FIU. Financial institutions review the SAR, combined with transaction monitoring and open source investigations in order to determine whether there is indeed criminal activity in the bank account, and if a network can be found which helps finding other involved parties.

Le Khac & Kechadi, 2010 (12)

Because a lot of anti-ML strategies are found to be labour-intensive, the authors propose a data mining-based method in order to improve the efficiency of ML detection. Transactional data from financial institutions were acquired with data mining, and a variety of techniques were used to analyse the data such as using a neural network, analysing normal behaviour by clustering data, and heuristics. Different sets of parameters were tested and manipulated to acquire the analysed results. The results were compared with the opinion from anti-ML experts and corresponded well. The authors concluded that their results could be used to improve the efficiency of anti-ML strategies and decrease the time needed for an investigation. However, the paper does not provide a clear, well-defined strategy to reach this goal, and the research relies on a lot of different parameters, possibly making implementation of the proposed method difficult.

Larik & Haider, 2011 (13)

Typical red flags for suspicious activity are based on the amount of a transaction, but not only can these kinds of indicators result in a high number of false positives (where a transaction is wrongfully flagged as suspicious), it is also fairly easy for perpetrators to stay under the radar in order to elude detection. Therefore, this research proposed applying a clustering method in order to analyse the normal behaviour of a bank account, and then using statistical techniques to report divergent transactions when outliers are recorded. The anomalies can be an indication of suspicious activity. The outcome of the method is a value which determines the gradation of the anomaly. A limitation of the technique is that the clustering method is an unsupervised learning technique, so the accuracy of the method is not controlled.

Liu & Zhang, 2010 (14)

Instead of relying on rule-based detection systems, this research team aimed to develop a machine learning based algorithm in order to detect suspicious financial activity which could be related to ML and, by using SARs instead of large value reports, to enhance the efficiency of combatting ML. A method is proposed using scan statistics, which relies on clustering data in order to determine unusual datapoints. A score is given to determine the value of suspicion, and when that score exceeds a determined threshold value it is labelled as suspicious. After reviewing the results, a SAR can be sent to an FIU. The authors state that the algorithm should benefit from the highest possible sensitivity and specificity, in order to reduce the number of false positives being sent to the FIU. Another consideration of this technique is that when one uses a threshold to determine the suspicious nature of the transaction, a cliff effect is introduced which could result in false negatives, where activity that is just beneath this threshold is completely discarded and lost in the investigative process. It might also happen the other way around, where a true negative is turned into a false positive because it just exceeded the threshold.

Flores, Angelopoulou & Self, 2012 (8)

Often financial institutions have internal controls to combat criminal activity within the financial system, such as acquiring personal information on their customers and by making sure that every account is controlled by a human instead of a computer. However, these controls are often difficult to maintain, and are easily eluded by criminals. The authors propose using a combination of internal customer policies and DF techniques such as database analysis, in order to efficiently produce relevant and authentic SARs. By combining these pieces of intelligence the authors aim to link suspicious activity to individuals in order to prove whether a crime could have been committed by that individual. Database tools can enhance the value of these SARs by extracting and adding relevant evidence. The results of this investigation are not based on real data from financial institutions however, and the validity of the method is hard to verify since it is based on just one model.

Pellegrina, Di Maio, Masciandaro & Saraceno, 2020 (15)

ML is a direct threat to financial stability, and the nature of this crime makes it difficult to accurately measure the magnitude of the issue. To gain a better understanding of the efficiency of STRs in combatting ML, this research used an empirical approach to determine the effect of STRs on ML activity. Using information from national police reports on ML, a set of hypotheses was evaluated to determine the effect of increasing the amount of STRs sent to the FIU. A decrease of ML-related police reports was found with an increase of STRs sent to the FIU. The results from this empirical approach were interpreted in two very divergent ways. An increase in the amount of STRs could either reduce ML-related police reports due to a decrease of ML-related activity, or an increase in the amount of STRs could result in an overflow of work, which leads to less-efficient, time-consuming investigations, and therefore less ML-related police reports are found.

Raza & Haider, 2011 (16)

A lot of suspicious activity that ends up in a SAR is found using either (un)supervised machine learning or summarised customer behaviour. This paper proposes combining a dynamic Bayesian Network (BN) and a clustering method in order to enhance the efficiency of detecting suspicious activity. In order to improve the accuracy of the reporting results, a metric based on a BN is proposed to measure the value of deviation from normal behaviour of each transaction. When this value exceeds a certain threshold, it is labelled as suspicious. The results show that transactions that deviate significantly from the normal behaviour are coupled with higher scores from the metric, suggesting that the model works. When the threshold rises, the number of suspicious transactions decreases and vice versa. A limitation of this proposed method is that using a threshold to determine whether a transaction is suspicious introduces a cliff effect and the consequences that come with it.
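The cluster-then-score approach summarised for Larik & Haider, and the cliff effect noted for Liu & Zhang and for Raza & Haider, can be seen in a small added example (not code from any of the reviewed papers). It swaps in a plain 1-D k-means and a mean-absolute-deviation score for the papers' clustering, scan-statistic and BN models; the account history, the threshold and the review margin are constructed assumptions.

```python
# Added example: cluster-based anomaly score and the cliff effect of a hard
# threshold. All amounts and parameters are constructed for illustration.

# Constructed history for one hypothetical account (EUR): small daily
# payments plus a recurring rent payment.
HISTORY = [40.0, 45.0, 50.0, 55.0, 60.0, 48.0, 52.0, 900.0, 900.0, 910.0, 905.0]

THRESHOLD = 3.0      # assumed cut-off above which a transaction is "suspicious"
REVIEW_MARGIN = 0.5  # assumed band just below the cut-off kept for analyst review


def fit_clusters(amounts, k=2, rounds=20):
    """1-D k-means (k >= 2). Returns [(centre, spread)] describing normal behaviour."""
    ordered = sorted(amounts)
    # Deterministic start: centres spread evenly across the sorted history.
    centres = [ordered[i * (len(ordered) - 1) // (k - 1)] for i in range(k)]
    groups = []
    for _ in range(rounds):
        groups = [[] for _ in centres]
        for a in amounts:
            nearest = min(range(k), key=lambda i: abs(a - centres[i]))
            groups[nearest].append(a)
        updated = [sum(g) / len(g) if g else c for g, c in zip(groups, centres)]
        if updated == centres:
            break
        centres = updated
    clusters = []
    for c, g in zip(centres, groups):
        spread = sum(abs(a - c) for a in g) / len(g) if g else 0.0
        clusters.append((c, max(spread, 1.0)))  # floor avoids division by zero
    return clusters


def anomaly_score(amount, clusters):
    """Distance to the nearest normal-behaviour cluster, in units of its spread."""
    centre, spread = min(clusters, key=lambda c: abs(amount - c[0]))
    return abs(amount - centre) / spread


def hard_flag(score):
    """Binary decision: everything below the threshold is dropped (cliff effect)."""
    return score >= THRESHOLD


def triage(score):
    """Graded decision: near-threshold activity is kept for review, not discarded."""
    if score >= THRESHOLD:
        return "suspicious"
    if score >= THRESHOLD - REVIEW_MARGIN:
        return "review"
    return "normal"


def ranked(amounts, clusters):
    """Order transactions by score so the gradation itself reaches the analyst."""
    scored = [(round(anomaly_score(a, clusters), 2), a) for a in amounts]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    model = fit_clusters(HISTORY)
    for amount in (52.0, 64.0, 65.0, 500.0, 905.0):
        s = anomaly_score(amount, model)
        print(f"{amount:7.2f}  score={s:6.2f}  hard={hard_flag(s)!s:5}  triage={triage(s)}")
```

Two payments one euro apart (64 and 65) fall on opposite sides of the hard threshold; the graded triage keeps the lower one in view instead of losing it.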

Khan, Larik, Rajput & Haider, 2013 (17)

As opposed to using only machine learning techniques such as clustering or classification in order to detect suspicious activity which could be the basis of a SAR, this paper proposes a hybrid model of a BN and clustering techniques in order to detect suspicious transactions. It uses a model that analyses anomalies in a sequence of transactions, unlike other strategies that are based on summaries of transactions. The authors propose using a BN to try to prevent false inclusions or exclusions. The BN computes a value which reflects the degree of anomalous activity. If this value is of significance, a red flag can be placed in order to mark the transaction as a possible suspicious one. The method was used on a real data set consisting of 8.2 million transactions. A Bayes score was generated for accounts and transactions. Before implementing this method, the BN must be evaluated on its efficiency, since the false positive rate is not yet determined.

Singh & Best, 2019 (9)

It is clear that a lot of methods are available in order to detect financial and high-impact crimes, but they all seem to have their practical limitations, or they are easily evaded by criminals. There is a need to clearly identify and visualize suspicious activity. This paper proposes a data visualization method in order to help DF experts clearly visualise anomalous patterns and detect possible suspicious transactions. Using visualization software the research aids investigators in seeing the transaction flow of a bank account, and they can easily see suspicious activity such as U-turn cash flows, which are a classical example of transactions in HT where the money flows bi-directionally between one and another account. The results of this paper contribute to the methodology of analysing suspicious activity in financial institutions. However, this technique is limited because the visualization can only look at transactions belonging to one bank account, and can therefore not determine the complex network that might belong to a criminal organisation. The method needs to be properly validated as well; in this paper validation was performed by reviews from organisations and experts.


Figure 1: This figure shows the results of the visualisation technique used by Singh & Best (9). This figure is an example of a U-turn transaction which is commonly seen in HT cases.
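The U-turn pattern shown in Figure 1 can also be searched for directly in transaction data. The following is an added example, not the method of Singh & Best: the transaction list, account names, time window and amount ratio are all constructed assumptions.

```python
# Added example: finding U-turn cash flows (money sent from one account to
# another and returned shortly afterwards). All data below is constructed.
from datetime import datetime, timedelta

# (timestamp, sender, receiver, amount in EUR) for hypothetical accounts
TXNS = [
    ("2021-01-04T09:00", "ACC-A", "ACC-B", 5000.0),
    ("2021-01-05T10:30", "ACC-B", "ACC-A", 4800.0),  # comes back within the window
    ("2021-01-06T12:00", "ACC-A", "ACC-C", 300.0),
    ("2021-01-20T08:00", "ACC-C", "ACC-A", 300.0),   # comes back, but two weeks later
    ("2021-01-07T15:00", "ACC-D", "ACC-A", 1000.0),
    ("2021-01-08T15:00", "ACC-A", "ACC-D", 100.0),   # reverse flow, amount unrelated
]


def find_u_turns(txns, window=timedelta(days=3), min_ratio=0.8):
    """Return (sender, receiver, amount_out, amount_back, delay) for each U-turn.

    A U-turn is an outgoing transfer followed, within `window`, by a transfer
    in the opposite direction of a similar amount (smaller/larger >= min_ratio).
    Amounts are assumed to be positive.
    """
    parsed = sorted(
        (datetime.fromisoformat(ts), src, dst, amt) for ts, src, dst, amt in txns
    )
    hits = []
    for i, (t_out, src, dst, amt_out) in enumerate(parsed):
        for t_back, src2, dst2, amt_back in parsed[i + 1:]:
            if t_back - t_out > window:
                break  # list is time-sorted, so later transfers are out of range too
            if (src2, dst2) != (dst, src):
                continue
            if min(amt_out, amt_back) / max(amt_out, amt_back) >= min_ratio:
                hits.append((src, dst, amt_out, amt_back, t_back - t_out))
    return hits


if __name__ == "__main__":
    for src, dst, out, back, delay in find_u_turns(TXNS):
        print(f"{src} -> {dst}: {out:.2f} out, {back:.2f} back after {delay}")
```

Each hit is a lead for an investigator to examine alongside customer information, not a finding of criminal activity.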

| Paper | Method | Research Goal | Limitations |
|---|---|---|---|
| FATF, 2020 (5) | Combining red flags and customer information | Setting standards for combatting threats to the integrity of the financial system | The paper provides guidelines, but not a well-defined strategy |
| Le Khac & Kechadi, 2010 (12) | Data mining-based approach analysed with different DF techniques | Using knowledge-based data mining methods in order to enhance the efficiency of ML detecting | The results rely heavily on the parameters used, which might make the method hard to implement as an easy strategy |
| Larik & Haider, 2011 (13) | Clustering and reporting anomalies | Effectively detect suspicious financial transactions | The accuracy of the proposed method is not controlled |
| Liu & Zhang, 2010 (14) | Detecting suspicious transaction sequences with clustering statistics | Developing a machine learning algorithm to detect suspicious financial transaction sequences | The analysis uses a threshold to determine whether an activity should be flagged as suspicious, introducing a cliff effect |
| Flores, Angelopoulou & Self, 2012 (8) | DF techniques, database analysis and internal controls | To combine DF techniques with customer information to enhance crime detection | The data used for the research does not come from financial institutions, and the analysis is based on just one model. |
| Pellegrina, Di Maio, Masciandaro & Saraceno, 2020 (15) | Empirical approach | Determine the efficiency of reporting STRs to FIUs | The results can be interpreted in two very divergent ways |
| Raza & Haider, 2011 (16) | Bayesian-Network approach | Using a BN approach to compute an anomaly score to improve suspicious activity reporting | The analysis uses a threshold to determine whether an activity should be flagged as suspicious, introducing a cliff effect |
| Khan, Larik, Rajput & Haider, 2013 (17) | Bayesian-Network approach | Using a BN to detect suspicious transactions | The effectiveness of the method has not been determined, because the rate of false positives is unknown. |
| Singh & Best, 2019 (9) | Data visualization | Using visualization of data to detect potentially suspicious transactions | This method is restricted to just one bank account at the time, making it difficult to follow the money and visualize the network behind the suspicious activity |

Table 1: An overview of the found DF methods to analyse suspicious activities within financial institutions. The first column yields the authors of the paper, the second column describes the researched method within the paper, the third column gives a brief description of the research goal, and the fourth column shows the limitations of the research.

This subsection tried to set out an overview of some of the many strategies to analyse suspicious, possibly criminal activity within financial institutions. As is evident from the many different proposed strategies over the past decade, there is no consensus on what the best strategy is. However, all authors seem to agree on the fact that rule-based learning methods are inefficient in combatting criminal activity. The next subsection will focus on how to acquire data for intelligence in order to strengthen the value of the intelligence, independent of the data acquisition method.

3.2 Strengthening the Value of Suspicious Activities as Intelligence

Because DF is a relatively new field of expertise, the methods associated with it are not always fully developed. Methods for the acquisition and preservation of digital evidence have been proposed, but due to the quick development of DF it is often challenging to keep these standards relevant to the newest techniques (18). Another issue is the difference in legal framework regarding the use of evidence in court. In the United States, the Daubert rules are applied to determine whether evidence is forensically sound and admissible in court (2), whereas in the Netherlands no a priori admissibility test is required so that basically every piece of evidence is admissible in court and its probative value will be assessed at the end of the proceedings (19). Also, whilst the underlying concepts of DF are similar to those of traditional forensic techniques, there are a lot of fundamental differences. This section will focus on the authenticity of digital evidence and its preservation over a longer time, the combination of hard data such as suspicious transactions with so-called “soft” data used by financial institutions, the privacy issues that might come with the investigation of bank accounts and the usage of DF, and how the characteristics of suspicious activities related to ML, TF and HT differ.

Authenticity is a key prerequisite of intelligence and evidence, because if intelligence is not authentic due to, for example, tampering, it can lead to time-consuming, non-efficient investigations. Similar to physical forensic traces, digital traces can be forged, planted, removed and altered (20). In order for intelligence which may constitute evidence to be authentic, it must meet certain standards. Because of the new and rapid development of DF methods, the focus has been mainly on the methods themselves, and not on issues related to the authenticity of the evidence (21). Some requirements of an authentic digital record are (22):

• A record must be stored in such a way that it will remain unaltered;

• It must be possible to present the record without changing its nature;

• The author of the record must be identifiable;

Previous research shows that when a record is authentic, it can be deduced that the integrity of the record has not been tampered with (23). One method to show this is to use a cryptographic hash in order to determine the identity and integrity of a piece of data (24). However, the integrity of the record does not yet make it authentic; a forged record can have integrity, but it is not “authentic”. Therefore, the identity of a record must be determined as well before a record can be called authentic. The identity of a record can be found in metadata, such as date, author, subject, etc. (21).
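The distinction between integrity and authenticity can be made concrete with an added example (not taken from the cited literature). It binds the content hash to the identity metadata with an HMAC; the key, the record layout and the sample record are constructed assumptions, and in practice a digital signature with a managed key would play the role of the HMAC.

```python
# Added example: a hash shows integrity, but authenticity also needs the
# record's identity (author, date, subject) bound to it by a trusted party.
import hashlib
import hmac
import json

# Assumption: a secret held only by the institution's records system.
RECORD_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample record and identity metadata.
ORIGINAL = b"2021-01-04;ACC-A;ACC-B;5000.00;EUR"
METADATA = {"author": "analyst-01", "created": "2021-01-04T09:15:00Z", "subject": "STR draft"}


def canonical(body: dict) -> bytes:
    """Stable byte encoding so the same fields always produce the same tag."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(content: bytes, metadata: dict, key: bytes) -> dict:
    """Store the content hash together with the metadata, and tag both."""
    body = {"sha256": hashlib.sha256(content).hexdigest(), "metadata": metadata}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "hmac": tag}


def has_integrity(content: bytes, sealed: dict) -> bool:
    """True when the content still matches the hash stored beside it."""
    digest = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(digest, sealed["sha256"])


def is_authentic(content: bytes, sealed: dict, key: bytes) -> bool:
    """True only when hash AND metadata were sealed by the holder of `key`."""
    body = {"sha256": sealed["sha256"], "metadata": sealed["metadata"]}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return has_integrity(content, sealed) and hmac.compare_digest(
        expected, sealed.get("hmac", "")
    )


def demo() -> dict:
    """Return (integrity, authenticity) for four constructed cases."""
    sealed = seal(ORIGINAL, METADATA, RECORD_KEY)
    # Content altered after sealing.
    tampered = ORIGINAL.replace(b"5000.00", b"50.00")
    # A different record, hashed correctly but sealed without the real key.
    forged_content = b"2021-01-04;ACC-A;ACC-X;5000.00;EUR"
    forged = seal(forged_content, METADATA, b"some-other-key")
    # Content untouched, but the author field changed after sealing.
    relabelled = {**sealed, "metadata": {**METADATA, "author": "analyst-02"}}
    return {
        "original": (has_integrity(ORIGINAL, sealed),
                     is_authentic(ORIGINAL, sealed, RECORD_KEY)),
        "tampered": (has_integrity(tampered, sealed),
                     is_authentic(tampered, sealed, RECORD_KEY)),
        "forged": (has_integrity(forged_content, forged),
                   is_authentic(forged_content, forged, RECORD_KEY)),
        "relabelled": (has_integrity(ORIGINAL, relabelled),
                       is_authentic(ORIGINAL, relabelled, RECORD_KEY)),
    }


if __name__ == "__main__":
    for case, (integrity, authentic) in demo().items():
        print(f"{case:10s} integrity={integrity!s:5} authentic={authentic}")
```

The forged and relabelled cases pass the hash check yet fail the authenticity check, which is the gap the paragraph above describes.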

In order for a piece of data to remain authentic over time, methods will have to be established that guarantee the authenticity over a longer period, even after the data has been removed from devices (25). With the rapid development of technology, a lot of issues were encountered when trying to look back at “old” evidence, once their methods of storage were outdated (such as floppies, or software applications that are no longer used today) (18). In order to keep a record authentic over a longer period of time the integrity and identity of the data should remain unchanged, and the data must always be extracted in such a way that it does not tamper with the authenticity (26). Then and only then can the evidential value be maximized and preserved, which is desirable when one is trying to aid a judge in court.

As a result of the growing issue of digital criminal activity through financial institutions, a lot of countries now have laws which hold financial institutions responsible for knowing who their customers are, making it illegal to have anonymous or fake accounts (6). Such policies are often called Know Your Customer (KYC) policies, or Customer Due Diligence (CDD), which can be used to monitor possible ML, HT and TF activity in bank accounts (27). For the sake of consistency, the rest of this paper will refer to KYC policies whenever referring to personal data acquired by financial institutions regarding their customers. Because KYC policies have personal information regarding the owner and address of the account, they can be combined with indications of suspicious transactions in order to enhance the detection of ML, TF and/or HT activity within financial institutions (8).

When using personal data such as information from KYC policies, it is logical that issues concerning privacy arise. Banks should make sure that they have implemented proper security to protect the data from malicious users, and when they delete data they should make sure that the data is permanently deleted. It has been found that it is not always easy to delete data permanently, and that even though data might seem deleted, it can still be recovered using a variety of methods (28). Some methods have been proposed to permanently delete data, such as using random sequences to overwrite the location where data is stored, or encrypting data and removing the key with which this data is encrypted, but currently not all data experts are fully aware of these methods and the unintentional preservation of deleted data (29). A method to protect the privacy of included parties is by using a proposed secret sharing system, in which transaction details are only shared with the FIU, using encryption as a security measure, to ensure confidentiality of the information (30).

Depending on whether the goal is to combat ML, HT or TF, the characteristics of suspicious activity that should be investigated might differ. ML activity is most prominent, and can also be linked to many different kinds of crimes such as HT or TF (30). As the previous sections have focused mainly on ML, this section will shortly review some of the distinct features of HT and TF. Whereas in investigating ML it can be useful to look at transactions of one account, in combatting HT the use of financial investigations is found in revealing network structures, and by following the money one might gain insight on the different actors within a HT network (31). By implementing a pro-active approach towards this crime, making use of FIUs, revealing the network and “following the money” financial institutions can even help to discover unknown victims and perpetrators (32). Soft data, like information from KYC policies or the notion that money is being transferred to countries with a high migrant population, can help a trained investigator to recognize signs that might indicate that there is a HT network present within these bank accounts (33). A similar tactic can be applied to track down TF, for example if a lot of financial activity of individuals or organizations allegedly related to terrorist groups is found in financial institutions (34). A way to stop the financing of these kinds of organisations is by making financing them illegal, or freezing the assets of the involved bank accounts (27).

This subsection described what financial institutions and policing institutions should take into consideration when collecting intelligence that could be used to track down perpetrators of ML, TF and/or HT. Whether this intelligence is admissible as evidence in court differs per country, but the forensic scientific community is able to have universal rules on how to make sure that intelligence and evidence are collected in such a way that the goal of forensic science is reached, which is aiming to reconstruct events to determine what happened. The next subsection focuses on how to work with the intelligence.

3.3 Efficiently Using The Intelligence

Suspicious activity analysis can be used for a variety of reasons. It can be used to indicate criminal activity and trigger a response (8), to monitor potential criminal cases and support the court with evidence for that specific case (7), and to get an overview of trends and similarities so that criminal cases of similar nature can be prevented (14). For methods to be effectively applied, the analysis efficiency should be enhanced as much as possible. This section will cover some aspects on how to improve the efficiency of working with suspicious activity as intelligence within a financial institution and what the vulnerabilities are due to the digital nature of the intelligence.

An issue in many financial organisations nowadays is the lack of trained digital personnel, of overall forensic readiness for digital threats, and of a well-structured method to train personnel (35). In order for practitioners to be able to analyse and understand the data in such a way that the highest evidential value can be obtained, it is of the utmost importance that they understand the basis of these methods (36). By making sure that organizations are sufficiently trained for digital investigations, it is possible to minimize the cost of an investigation whilst increasing the potential of the intelligence, which might constitute evidence (37). As has been seen in the reviewed literature, an overreporting of STRs might lead to an inefficient working strategy of policing institutions (15). If reporting quality can be improved, the number of STRs can also be reduced. Another possible obstruction to the efficiency of suspicious activity reporting is the degree to which laws that can aid financial institutions and local policing institutions in combatting crimes such as ML, HT or TF are complete and implemented (6). The authors raise a similar issue, stating that differences in national law can obstruct the cooperation between countries.

As mentioned earlier, it is possible for digital evidence to be forged, tampered with and deleted just as it is with traditional evidence. Whenever someone with malicious intentions gains access to a database, that person might be able to manipulate the data and erase the traces of this manipulation. B+-tree analysis is an example of a DF technique that might be able to show whether data has been tampered with, since data that is deleted is not actually deleted, and it can be recovered if it is not overwritten by another piece of data (28). Ensuring that data is permanently deleted, however, is a way to prevent malicious unintended retrieval of this data (38). Another way to check for data manipulation is by using audit trails when performing a forensic investigation, in order to visualize the steps made by the investigator and see whether any other activity, unrelated to the investigation, has taken place (29). To prevent unwanted disclosure of data it is recommended to use plausibly deniable encryption, which supersedes traditional encryption because when an owner of encrypted data is coerced to disclose the encryption key, (s)he can simply give a decoy key which generates another message or result (25). Another downside of using traditional encryption in large companies such as financial institutions is that there is the risk of multiple employees having access to encryption keys, which might be stored in company files, and therefore the data is more vulnerable to being exposed (29). To completely protect data from users from outside the company, it is advisable to develop software which is compatible with company data, making sure that only that specific software can read the data. However, this does make it harder to exchange data with other institutions (35).

4. Discussion

This review focuses on methods from the field of DF that financial institutions can use to combat ML, HT and TF. Only recently have financial institutions been forced by law to take action when customers show suspicious activity which might be related to criminal activity. Due to the relatively new demand on financial institutions to work together with policing institutions, it is not surprising to find a diverse offer of strategies on how to do this. After going through some of the proposed methods from the scientific community, it is clear that every method has its limitations.

Rule-based detection methods are easy to implement in a searching strategy but they are not advisable, since they are not dynamic, and therefore they cannot by themselves change over time to stay ahead of strategies from criminals (20). Machine learning-based methods are more adaptable to changing strategies and can therefore react to different environments. However, there are also several issues concerning machine learning systems, such as a potential lack of good training data quality (30). Machine-based learning methods need a ground truth, a reference point from which they can work to analyse a dataset, and the results from any method rely heavily on the formation of the ground truth (39). This ground truth is built using subjective human choices, so the data must be selected by properly trained experts, and the possibility of machine learning bias in the selection procedure must be considered (40). These biases can either come from the data that was used to train the algorithm, or originate from within the algorithm (41).

It is important for employees from financial institutions to be aware of the potentially harmful consequences of bias, since the proposed methods might be used to make decisions which affect the lives of other people. There are many different forms of bias that can affect the decisions of experts, and therefore their algorithms (42). Once biased, an algorithm might be prejudiced towards an individual, or certain groups. Therefore, it is important to determine what kind of dataset is a fair representation of the population. By giving a definition to fairness of data, it is possible to generate a framework that works with unbiased data. Such fairness can be created by e.g. random sampling, balancing data over representative groups or selecting relevant features of data (41). It is important to make sure that the training set for an algorithm consists of balanced data, which is randomly sampled from a set representative of the relevant population (39). This is part of the pre-processing of the data, and can be done by experts.

Within the reviewed machine-based learning methods the most applied technique is a cluster based method, which tries to determine the normal behaviour of a customer, and then reports outliers as being anomalous and possibly suspicious. To determine whether a transaction can be labelled as suspicious, a threshold can be determined. A limitation of using a threshold is that it introduces a cliff effect, where certain transactions can stay just under the radar, and therefore it is possible that criminal activity is lost within the analysis because it did not pass the threshold. Since clustering is an unsupervised algorithm, the results from the algorithm should always be confirmed by human expertise, and the risk of bias should be monitored as well (43). This can be done by regularly updating the training set, to make sure that the data used by the algorithm remains balanced and fair, and also by overseeing and thoroughly analysing the results from the method.

The cliff effect can be minimized by using a Bayesian Network, which is also proposed by some previous research. By combining the clustering technique with a BN, and reporting an anomaly score, it is possible to prevent losing useful information. However, the reviewed articles still propose using a threshold when applying a Bayesian approach. Instead of using a strict threshold, it is recommended to report the numerical anomaly score with a verbal equivalent, which can then be evaluated by experts before it is sent to the FIU. Using some sort of threshold is inevitable, because analysing all transactions is definitely not efficient, but by letting go of a strict threshold it is possible to avoid loss of information. In addition to using a combination of a clustering method and a Bayesian assessment to analyse whether a transaction can be suspicious, a data visualization method is proposed in order to visualise the network of a bank account, which might provide a useful tool to actually follow the money after more research on the method has been performed.
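
The difference between a strict cut-off and a reported score with a verbal equivalent can be made concrete with a small sketch. The Python below is an added example, not code from the reviewed articles: a minimal one-dimensional k-means stands in for the clustering step and a two-hypothesis Bayes update stands in for the Bayesian network, and the customer history, prior, widening factor, cut-off and verbal bands are all constructed assumptions.

```python
import math
from statistics import mean, pstdev

# Constructed sample: one customer's past transaction amounts (EUR).
HISTORY = [90, 110, 90, 110, 990, 1010, 990, 1010]

PRIOR_ANOMALOUS = 0.05  # assumed prior probability that a transaction is anomalous
WIDEN = 3.0             # assumed: anomalous amounts spread 3x wider than normal ones
STRICT_CUTOFF = 0.5     # strict threshold on the score, kept for comparison

# Constructed verbal scale: (lower bound of the band, verbal equivalent).
VERBAL_SCALE = [(0.90, "very strong"), (0.70, "strong"), (0.40, "moderate"),
                (0.10, "weak"), (0.00, "negligible")]


def _assign(values, centroids):
    """Group each value with its nearest centroid."""
    groups = [[] for _ in centroids]
    for v in values:
        nearest = min(range(len(centroids)), key=lambda i: abs(v - centroids[i]))
        groups[nearest].append(v)
    return groups


def profile_customer(values, k=2, rounds=50):
    """Minimal 1-D k-means (k >= 2): [(centre, spread), ...] of normal behaviour."""
    lo, hi = min(values), max(values)
    centroids = [lo + i * (hi - lo) / (k - 1) for i in range(k)]
    for _ in range(rounds):
        groups = _assign(values, centroids)
        updated = [mean(g) if g else c for g, c in zip(groups, centroids)]
        if updated == centroids:
            break
        centroids = updated
    groups = _assign(values, centroids)
    # Floor the spread so a cluster of identical amounts cannot divide by zero.
    return [(c, max(pstdev(g), 1.0)) for c, g in zip(centroids, groups) if g]


def anomaly_score(amount, clusters):
    """Posterior P(anomalous | amount) from a two-hypothesis Bayes update."""
    # Distance to the closest cluster of normal behaviour, in standard deviations.
    z = min(abs(amount - centre) / spread for centre, spread in clusters)
    # Log likelihood ratio of N(0, WIDEN^2) (anomalous) against N(0, 1) (normal).
    log_lr = 0.5 * z * z * (1 - 1 / WIDEN ** 2) - math.log(WIDEN)
    log_odds = log_lr + math.log(PRIOR_ANOMALOUS / (1 - PRIOR_ANOMALOUS))
    # log_odds is bounded below, so exp() cannot overflow; for very large z
    # it underflows to 0.0 and the score becomes 1.0.
    return 1.0 / (1.0 + math.exp(-log_odds))


def verbal_equivalent(score):
    """Map a numerical score onto the constructed verbal scale."""
    return next(label for floor, label in VERBAL_SCALE if score >= floor)


def assess(amount, clusters):
    """Compare the strict cut-off with a score-plus-verbal report for one amount."""
    score = anomaly_score(amount, clusters)
    verbal = verbal_equivalent(score)
    return {
        "amount": amount,
        "score": round(score, 3),
        "verbal": verbal,
        "strict_rule_reports": score >= STRICT_CUTOFF,
        # Soft floor: only the lowest band is dropped before expert review.
        "sent_to_expert_review": verbal != "negligible",
    }


if __name__ == "__main__":
    profile = profile_customer(HISTORY)
    for amount in (100, 125, 130, 131, 140, 9900):
        print(assess(amount, profile))
```

In the constructed data, amounts of 130 and 131 score 0.489 and 0.557: the strict cut-off reports only the second, while the banded report labels both "moderate" and passes both to an expert together with the score.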

To combat criminal activities holistically, financial institutions need to have a pro-active attitude towards these crimes (7). Pro-active methods are part of the intelligence phase of an investigation, as opposed to other methods which are part of the criminal investigation phase, occurring when a crime has already been allegedly committed (44). It makes sense to have a pro-active approach towards crimes like ML, HT, and TF, which happen for a large part within the shadows and are therefore not easily recognized. By combining “hard” financial evidence with “soft” evidence such as KYC policies, a pro-active approach towards criminal activity can be accomplished (7). An ethical issue that might arise in reporting suspicious activity in combination with KYC information is that contextual information can result in a bias in how experts report. Intelligence experts have made mistakes in evaluations and judgements because of raised suspicion due to the Muslim background of suspects (45). It is not difficult to see how this could be an issue in combatting crimes such as TF when using KYC information. Therefore, experts at financial institutions should be educated on the risk of these biases as well. Once a method has been determined to collect the data, it is important that the data is acquired consistently and with considerations concerning the maximization of the value of the intelligence in an investigation, and in a later stage also the value of the evidence in court. A very important aspect of this consistency is that clear methods should determine the identity, authenticity and integrity of a piece of data when it is used as both intelligence and evidence. Although a certain set of standards has been provided by the scientific and legal community, the rapid development of the digital environment makes it apparent that these standards need constant and thorough revision. When employees from financial institutions gather intelligence, they should also be made aware of these standards.

Because by law financial institutions often have to keep records of their customers, a very promising strategy can be implemented where results from suspicious activity analysis are combined with KYC policies. This is already the norm in some countries, such as the USA and China, where financial institutions report SARs to FIUs which include both notifications of suspicious transactions and KYC information (9). The information from KYC policies can be a valuable addition to the information that an FIU needs in order to determine whether there is enough information to refer the transaction to law enforcement. In China data shows that 90% of solved ML cases were solved using SARs, and only 10% using large value reports (14). Whenever dealing with personal information it is very important that the data is secured and protected from malicious users. Financial institutions should implement security measures and educate their employees on how to work with these measures in order to ensure that privacy is protected.

Another consideration is the type of crime that is at hand. Financial institutions should consider having different departments for crimes such as HT and TF, since these crimes have different characteristics. Overarching for both these crimes and a multitude of other crimes is ML, but HT and TF have their own more distinct features, and different information might be useful as intelligence. In HT and TF it can be very useful to find the underlying network of involved accounts, and the nature or geographical location of an organization can give information on whether it is more likely that there is HT or TF activity in a bank account. That is also why, when setting up departments as gatekeepers for different types of crimes, it will be more useful to generate SARs instead of UTs or STRs.

After data has been acquired, it is important that the data is efficiently used as intelligence. A big aspect of interpreting data is subjective. Therefore it is necessary that financial institutions implement a proper educational track for employees in order to get accustomed to the method used to acquire the intelligence, but also on how to read the data and work with it. Nowadays there is a lack of trained digital personnel and financial institutions do not seem to have a forensic readiness for digital threats (35). Therefore, it is proposed to implement a strategy that has a clear structure, and could be implemented universally (if national laws allow this). Whenever a method has many parameters that influence the results in a way that is not yet fully understood, implementing that method might backfire and lead to less efficient investigations. The notion that national laws have an influence on how to implement a strategy is an important one because it makes it very difficult to apply a strategy on a universal scale, but finding a solution for that problem falls outside of the scope of this review. When preserving data, it is important that methods are applied to protect and secure the integrity and authenticity of the data. This ensures that data is not lost as intelligence in an investigation, and it also maximizes the evidential value if the intelligence constitutes evidence in a court. Methods have been proposed to ensure that unwanted usage of digital data by third parties can be prevented. Financial institutions should implement these security strategies within their workflow, and to make sure that this workflow is followed an audit trail can record all steps that have been undertaken in any handling of the data. When institutions decide to develop internally used software to make sure that data can only be read with that specific software, they should consider other methods to make sure that they can still exchange their data if they wish to do so (35).
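
An audit trail only supports integrity and authenticity if the trail itself shows when it has been altered. The Python below is an added example, not taken from the reviewed literature: it records handling steps in a hash-chained trail, detects an edited, removed or truncated entry, and lists activity by actors outside the investigation team, which is the use of audit trails described in section 3.3 and in the paragraph above. The actor names, file names and timestamps are constructed, and hash chaining is one assumed way to build such a trail.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry


def _digest(prev_hash, record):
    """SHA-256 over the previous entry's hash plus the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(trail, actor, action, target, time):
    """Record one handling step, chained to the step before; returns the head hash."""
    record = {"actor": actor, "action": action, "target": target, "time": time}
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": record, "prev": prev_hash,
                  "hash": _digest(prev_hash, record)})
    return trail[-1]["hash"]


def verify_trail(trail, expected_head=None):
    """Return (index, problem) findings; an empty list means the chain is intact."""
    findings = []
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev_hash:
            findings.append((i, "broken link: entry removed, inserted or reordered"))
        if entry["hash"] != _digest(entry["prev"], entry["record"]):
            findings.append((i, "record altered after it was written"))
        prev_hash = entry["hash"]
    # Removing entries from the end leaves a valid chain, so the newest hash
    # must be compared with a copy kept outside the system under examination.
    if expected_head is not None and prev_hash != expected_head:
        findings.append((len(trail), "head hash differs from the stored value"))
    return findings


def unrelated_activity(trail, case_team):
    """Steps performed by anyone who is not part of the investigation team."""
    return [e["record"] for e in trail if e["record"]["actor"] not in case_team]


def build_sample_trail():
    """Constructed sample: four handling steps on a hypothetical case export."""
    steps = [
        ("analyst.a", "export", "case-0001/transactions.csv", "2021-01-04T09:00:00Z"),
        ("analyst.a", "hash", "case-0001/transactions.csv", "2021-01-04T09:01:00Z"),
        ("dba.x", "update", "table:transactions", "2021-01-04T09:30:00Z"),
        ("analyst.b", "review", "case-0001/transactions.csv", "2021-01-05T10:00:00Z"),
    ]
    trail, head = [], GENESIS
    for step in steps:
        head = append_entry(trail, *step)
    return trail, head


if __name__ == "__main__":
    trail, head = build_sample_trail()
    print("intact:", verify_trail(trail, head))
    print("unrelated:", unrelated_activity(trail, {"analyst.a", "analyst.b"}))
    print("entry removed:", verify_trail(trail[:2] + trail[3:], head))
    print("truncated:", verify_trail(trail[:3], head))
```

The chain proves integrity only relative to a head hash kept outside the system being examined, because someone who can rewrite the whole trail can also recompute every hash in it.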

5. Conclusion and Future Recommendations

This review tried to give an overview of how financial institutions nowadays report suspicious activity in order to combat ML, HT and TF, and it tried to evaluate how they could implement a universal strategy in order to maximize the value of their intelligence which they use for their role as a gatekeeper for criminal activity within their institution. The reviewed methodologies from the DF field, with considerations concerning the maximization of the efficiency of the acquired intelligence and considerations concerning the efficient handling of this intelligence, have led to the discussion presented in section 4. From this discussion the author draws the conclusion that the most effective method to combat ML, HT and TF activity would be to use a machine-based clustering method to analyse normal behaviour, use a Bayesian paradigm in order to measure anomaly scores for outliers and a verbal equivalence to report this score of anomaly. A visualization technique could then be used in order to visualize the network of transactions linked to a bank account. By using a combination of a clustering method and a Bayesian paradigm, it is expected that the amount of true positives will be maximized without the risk of overreporting, which will lead to efficient investigations. Experts from financial institutions should think hard on selecting appropriate training data for the clustering method, and regularly review the outcome from the algorithm, to determine whether bias has arisen. Because the clustering method is an unsupervised method, the algorithm should be monitored closely by human experts to ensure that the algorithm remains fair, and does not treat certain groups or individuals in a prejudiced way.

To maximize the value of this data as intelligence, it is proposed that financial institutions generate SARs where hard transaction data is combined with soft data from KYC policies. These reports can be sent to FIUs, which can use them for their own investigations. In order for this to be universally applied, it is necessary that a clear, well-defined methodology is constructed by DF experts and experts in the field of ML, HT and TF. Because training personnel is an important aspect of the implementation of any method, the method should be documented in an orderly manner such that it can be used for educational purposes in various countries and institutions. An obligated implementation of SARs within financial institutions is difficult, because not all national laws require this. However, research indicates that using SARs is more efficient than reporting UTs or STRs, so financial institutions are recommended to consider using SARs in order to maximize their role as gatekeeper, and have a pro-active attitude to make sure that financial and high-impact crimes like ML, HT and TF are approached on a holistic scale.

6. Acknowledgements

The author would like to thank Jill Coster van Voorhout and Zeno Geradts for their support and input throughout this research, and for showing their genuine enthusiasm on the subject and project. Their passion and knowledge on the subject have been a great inspiration.

7. References

1. Zhang J, Wang L. Application of case-oriented evidence mining in forensic computing. 1st Int Conf Multimed Inf Netw Secur MINES 2009. 2009;1:103–6.

2. Indrajit R, Shenoi S. Advances in Digital Forensics IV. Vol. 4, Springer. 2008: Chapter 1

3. Overill R, Kwan M, Chow KP, Lai P, Law F. A cost-effective model for digital forensic investigations. IFIP Adv Inf Commun Technol. 2009;306:231–40.

4. Saini H, Rao YS, Panda TC. Cyber-Crimes and their Impacts : A Review. Int J Eng Res Appl. 2012;2:202–9.

5. FATF. Virtual Assets Red Flag Indicators of Money Laundering and Terrorist Financing. 2020. Available from: http://www.fatf-gafi.org/media/fatf/documents/recommendations/Virtual-Assets-Red-Flag-Indicators.pdf

6. FATF. The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation. 2019:3–132.

7. Coster Van Voorhout JEB. Combatting Human Trafficking Holistically through Proactive Financial Investigations. J Int Crim Justice. 2020;18(1):87–106.

8. Flores DA, Angelopoulou O, Self RJ. Combining digital forensic practices and database analysis as an anti-money laundering strategy for financial institutions. Proc - 3rd Int Conf Emerg Intell Data Web Technol EIDWT. 2012:218–24.

9. Singh K, Best P. Anti-Money Laundering: Using data visualization to identify suspicious activity. Int J Account Inf Syst. 2019;34.

10. OSCE. Following the Money: Compendium of Resources and Step-by-step Guide to Financial Investigations Into Trafficking in Human Beings. Artnews Organization for Security and Co-operation in Europe. 2019.

11. Hayble-Gomes E. The Economic Impact of Deficient Anti-Money Laundering Program to a Multinational Bank. 2016.

12. Le Khac NA, Kechadi MT. Application of data mining for anti-money laundering detection: A case study. Proc - IEEE Int Conf Data Mining, ICDM. 2010;577–84.

2011;3:606–10.

14. Liu X, Zhang P. A scan statistics based suspicious transactions detection model for Anti-Money Laundering (AML) in financial institutions. Proc - 2010 Int Conf Multimed Commun Mediacom. 2010;210–3.

15. Dalla Pellegrina L, Di Maio G, Masciandaro D, Saraceno M. Organized crime, suspicious transaction reporting and anti-money laundering regulation. 2020;1–15.

16. Raza S, Haider S. Suspicious activity reporting using Dynamic Bayesian Networks. Procedia Comput Sci. 2011;3:987–91.

17. Khan NS, Larik AS, Rajput Q, Haider S. A bayesian approach for suspicious financial activity reporting. Int J Comput Appl. 2013;35(4):181–7.

18. Jansen A. Digital records forensics: Ensuring authenticity and trustworthiness of evidence over time. 5th Int Work Syst Approaches to Digit Forensic Eng SADFE. 2010;84–8.

19. Dutch Criminal Procedure Code, article 338.

20. Cohen F. Two models of digital forensic examination. 4th Int Work Syst Approaches to Digit Forensic Eng SADFE. 2009;42–53.

21. Duranti L, Jansen A. Authenticity of Digital Records: An Archival Diplomatics Framework for Digital Forensics. Univ Br Columbia. 2013;53(9):1689–99.

22. Focus Task Force, “Appendix 07: Diplomatic Analysis Template,” [electronic version] in International Research on Permanent Authentic Records in Electronic Systems (InterPARES) 2: Experiential, Interactive and Dynamic Records, Luciana Duranti and Randy Preston, eds. (Padova, Italy: Associazione Nazionale Archivistica Italiana, 2008). <http://www.interpares.org/display_file.cfm?doc=ip2_book_appendix_07.pdf>.

23. MacNeil H. Contemporary archival diplomatics as a method of inquiry: Lessons learned from two research projects. Arch Sci. 2004;4(3–4):199–232.

24. K. Sindhu K, B. Meshram B. Digital Forensics and Cyber Crime Datamining. Journal of Information Security. 2012;3:196–201.

25. Zhang Q, Jia S, Chang B, Chen B. Ensuring data confidentiality via plausibly deniable encryption and secure deletion – a survey. Cybersecurity. 2018;1:1–20.

26. Grobler CP, Louwrens CP, Von Solms SH. A framework to guide the implementation of proactive digital forensics in organizations. ARES 2010 - 5th Int Conf Availability, Reliab Secur. 2010;677–82.

27. FATF. FATF Special Recommendations on Terrorist Financing. 2006;131–45.

28. Kieseberg P, Schrittwieser S, Mulazzani M, Huber M, Weippl E. Trees cannot lie: Using data structures for forensics purposes. Proc - 2011 Eur Intell Secur Informatics Conf EISIC. 2011;282–5.

29. Stahlberg P, Miklau G, Levine BN. Threats to privacy in the forensic analysis of database systems. Proc ACM SIGMOD Int Conf Manag Data. 2007;91–102.

30. Zand A, Orwell J, Pfluegel E. A Secure Framework for Anti-Money-Laundering using Machine Learning and Secret Sharing. Int Conf Cyber Secur Prot Digit Serv Cyber Secur. 2020.

31. Shentov O, Rusev A, Antonopolous G. Financing of Organised Crime: Human Trafficking in

32. ALEFA. Trafficking in Human Beings (THB) Financial Investigation Handbook. 2018; Available from: http://www.eskom.co.za/CustomerCare/TariffsAndCharges/Documents/RSA Distribution Tariff Code Vers 6.pdf%0Ahttp://www.nersa.org.za/

33. Financial Crimes Enforcement Network. Guidance on Recognizing Activity that May be Associated with Human Smuggling and Human Trafficking – Financial Red Flags. 2014.

34. FATF. Terrorist Financing Risk Assessment Guidance. 2019;1–62. Available from: www.fatf-gafi.org

35. Elyas M, Ahmad A, Maynard SB, Lonie A. Digital forensic readiness: Expert perspectives on a theoretical framework. Comput Secur [Internet]. 2015;52:70–89. Available from: http://dx.doi.org/10.1016/j.cose.2015.04.003

36. Frühwirt P, Huber M, Mulazzani M, Weippl ER. InnoDB database forensics. Proc - Int Conf Adv Inf Netw Appl AINA. 2010;386:1028–36.

37. Cohen MI, Bilby D, Caronni G. Distributed forensics and incident response in the enterprise. Digit Investig [Internet]. 2011;8(SUPPL.):S101–10. Available from: http://dx.doi.org/10.1016/j.diin.2011.05.012

38. Jones JH, Khan TM. A method and implementation for the empirical study of deleted file persistence in digital devices and media. 2017 IEEE 7th Annu Comput Commun Work Conf CCWC. 2017;0–6.

39. Batista G, Prati R, Monard MC. A study of the Behavior of Several Methods for Balancing Machine Learning Training Data. Soz Syst. 2004;6(1):20–9.

40. Zadrozny B. Learning and evaluating classifiers under sample selection bias. Proceedings, Twenty-First Int Conf Mach Learn ICML. 2004:903–10.

41. Mehrabi N, Morstatter F, Saxena N, Lerman K, Galstyan A. A survey on bias and fairness in machine learning. arXiv. 2019.

42. Tsuchiya M. Performance impact caused by hidden bias of training data for recognizing textual entailment. In: LREC 2018 - 11th International Conference on Language Resources and Evaluation. 2018:1506–11.

43. Chen X, Fain B, Lyu L, Munagala K. Proportionally Fair Clustering. Dep Comput Sci Duke Univ. 2019;1–18.

44. RUSI. Leaning In: Advancing the Role of Finance Against Modern Slavery. 2018.

45. Dror IE, Charlton D, Péron AE. Contextual information renders experts vulnerable to making erroneous identifications. Forensic Sci Int. 2006;156(1):74–8.

8. Appendix

8.1 Search strategy

A search strategy is a fundamental part of a literature review, because it allows for peer review and for reproducing similar research for validation. This review was constructed by using a set of three core articles, from which relevant references were implemented in the review as well. Other relevant articles citing those core articles were also searched for in an online database. Besides the articles related to these core articles, search criteria were used to search for more papers in an online database. The search method is described in this section.

8.1.1 Core Articles

The three core articles that were used first to find the bulk of articles are:

• Liu X, Zhang P. A scan statistics based suspicious transactions detection model for Anti-Money Laundering (AML) in financial institutions (14)

• Flores DA, Angelopoulou O, Self RJ. Combining digital forensic practices and database analysis as an anti-money laundering strategy for financial institutions (8)

• Coster Van Voorhout JEB. Combatting Human Trafficking Holistically through Proactive Financial Investigations (7)

References in these articles with titles, keywords or abstracts that included terms related to the research question of this review were searched on the GOOGLE SCHOLAR database. The same database was also used to look for articles that cited those core articles, and any articles with titles, keywords or abstracts that included terms related to the research question of this review were also looked at.

8.1.2 Search Terms

To search for more papers when references were needed, the search engine of the GOOGLE SCHOLAR database was used. Search terms were used to find paper titles, keywords and abstracts that could be related to the review at hand. The following strategy was applied to find relevant papers:

• Reading the abstract of hits that contained terms related to the review;

• Using keywords from the review to find related items;

• Using terms that were related to the concept in need of a reference;

• Using logical operators such as “AND” and “OR” to maximize searching efficiency;

• Using synonyms of search terms if desired results were not acquired;

8.1.3 Inclusion and Exclusion Criteria

After selecting articles by using the described search strategy, papers were read and analysed on whether they were useful for the review at hand. To do this, inclusion and exclusion criteria were used to determine whether papers were used as references. The following inclusion criteria were applied:

• Papers related to general digital forensic practices that could be used to analyse suspicious transactions within financial institutions;

• Papers related to analysing ML, HT and/or TF activity within financial institutions using DF methods and/or KYC policies;

• Papers related to the handling and processing of intelligence within a scientific and/or legal framework;

The following exclusion criteria were applied:

• Papers unrelated to the research question of the review at hand, or not meeting the inclusion criteria;

• Using multiple papers to reference to similar concepts, preventing unnecessary referencing which might lead to a large, unclear reference list;

• Non-scientific or non-official documents;

8.2 Abbreviations

• Bayesian Network (BN)

• Customer Due Diligence (CDD)

• Digital Forensics (DF)

• Human Trafficking (HT)

• Financial Action Task Force (FATF)

• Financial Intelligence Unit (FIU)

• Know Your Customer (KYC)

• Money Laundering (ML)

• Suspicious Activity Report (SAR)

• Suspicious Transaction Report (STR)

• Terrorism Financing (TF)
