This post is part of our occasional series on AML program fundamentals which focuses on refreshing foundational knowledge for experienced members of the AML community and providing an introduction to key topics for those new to the subject.
Every financial services company monitors its customers’ transactions to identify suspicious activity. Initial identification of such activity is just the beginning; between a surveillance system alert and a decision about whether to report the activity is a critical piece, the investigation. An investigation is a formal or systematic research or inquiry.
The purpose is identifying the facts to answer the question: what is going on? To answer this question, you need to gather information and work to determine if the picture it paints makes sense. Let’s start with a few basic things you need to understand – who is the customer and what is the activity you expect from that customer. This know your customer information should be gathered through your customer identification program (CIP), customer due diligence (CDD) process, and ongoing monitoring activity. The profile created through these activities forms the baseline of expected activity.
When a transaction or group of transactions triggers an alert from your transaction monitoring system or an alert is raised by a staff member, the question arises again – is this activity you would expect from this customer. If the answer is yes, then you may be able to close the alert without any further investigation. If the answer is no, you need to gather additional information to figure out what is going on.
FIs have large amounts of information about their customers; for investigative purposes, the key information is records of the transactions through the customer’s accounts and the in-person knowledge your branch and loan personnel may have from interactions with the customer. You also have publically available information through free and paid data-bases and news sources. Examining the data from all these sources in the context of what you expect from the customer will often lead you to understand what is going on.
One way to dig into the information about your customer and the transaction(s) triggering an alert, is to break down the inflows and outflows through their accounts. In looking at inflows, you want to determine whether the sources and volumes align with expectations. Is the customer receiving revenue from sources unrelated to its business – (e.g. inbound wire transfers from out of area senders that do not appear connected to the business)? Is the volume of deposits larger than expected for the size of the business? Are the deposits more consistent than are supported by the regular cycles of the business (e.g. a bar having the same level of deposits every day, when it is quiet at the start of the week and very busy on the weekend)?
The same types of questions arise when looking at outflows. Are payments for payroll consistent with the size of the business? Do disbursements to vendors and suppliers make sense based on the size and reach of the business (e.g. is a single location local business sending wire transfers to a supplier in a foreign country that sells items not used or sold by the business)? Does the business send money to high risk jurisdictions with no apparent connection to its purpose?
Remember, an investigation tries to answer the question what is going on. Let’s look at few basic examples.
For this type of business, you would expect the inflows to be credit and debit card payments and cash deposits. You would expect the outflows to be facilities expenses, payroll, supplies and utilities. If you saw wire transfers in or out, large cash payments out for non-core expenses or level cash deposits regardless of the weather (in the northern states, carwashes are open many fewer days in the winter), these activities would be unexpected and require further exploration and may trigger reporting.
For this type of customer, you would expect the inflows to be checks, wires or other electronic transfers from parents, possibly a deposit from the university from student aid or a scholarship, and deposits from a part-time job. You would expect the outflows to be debit card payments or withdrawals for food, gasoline, books, bars, clothing, and airline, train or bus tickets. If you saw outgoing wire transfers, significant cash deposits, or ongoing deposits when school is out of session, these activities would be unexpected and require further exploration and may trigger reporting.
Single Location Small Grocery Store
For this type of business, you would expect the inflows to be credit and debit card payments, checks and cash deposits. You would expect the outflows to be facilities expenses, payroll, suppliers (many either local or large national food service purveyors), and utilities. As with the carwash, if you saw wire transfers in or out or large cash payments out for non-core expenses, these activities would be unexpected and require further inquiry to determine whether the transactions are reportable.
The fundamental purpose of investigations is to answer the question what is going on. Gathering information, organizing it to make what it is showing clear, and putting that picture into the context of the customer, will support your decision that:
- The transactions are expected and not suspicious
- The purpose of the transactions is still unclear and you need to continue to investigate, or
- The transactions are sufficiently suspicious to trigger reporting.