Introduction

At the height of the Roman Empire, 250,000 miles of road connected two million square miles of land. The connectivity spurred innovation to levels never witnessed before in history. The network of roads made it possible for engineers to be deployed across the empire to transform rural landscapes into new cities and towns; it also made it possible to recruit and deploy more than 450,000 soldiers across the empire.¹

However, over the centuries, the same innovation and technology that led to the rise of the Roman Empire contributed to its downfall. Increased trade turned relatively low-threat barbarian tribes into wealthier existential threats to Rome, as they were now equipped with modern weaponry and improved agricultural tools. Simultaneously, the sheer size of the empire gave way to the formation of dozens of smaller provinces. By 476 C.E., the now-sophisticated tribes completely outmatched the disparate and less-coordinated provinces—leading to the sacking of Rome and the toppling of one of the greatest empires in history.

Today, akin to the early road design and construction of Rome, Fourth Industrial Revolution (4IR) technologies like the Internet of Things (IoT) and cloud computing connect us in ways we had never imagined. This has led to an unprecedented level of business innovation and advanced technical solutions while also creating a converging landscape of cyber, financial crime, and money laundering risks.² These blurred lines have, in turn, given birth to new and more innovative forms of financial crime—forms that are sophisticated in their approach and agnostic to industry and geography.

Traditionally, these threats manifested in the financial sphere, but they’re now surfacing in other industries as well. From our homes to our workplaces to our cars and airports, our collective connectivity increases the digital attack surface for cyber, with potential threats cutting across smart factories, health care institutions, and even home appliances.³ Further, a new digital underground society of cybercriminals has emerged, seeking to exploit any vulnerability they can find in our digital platforms and the myriad connection points generated by the proliferation of IoT technologies, making it easier to monetize system attacks and steal data on an industrial scale. These new-age fraudsters can operationalize global campaigns to misappropriate funds and their fellow launderers can adopt modern digital technologies—like blockchain—to anonymously operate across borders (see sidebar, “The changing face of financial crime”).

But there is good news: The same technologies that are responsible for creating the present-day digital criminal ecosystem can be harnessed to detect and, in many cases, prevent these crimes before they occur. In this article, we explore how companies can elevate and intensify the fight against financial crime beyond the level of battling criminals by taking the following steps:

• Developing cross-organization goals: Financial crime has become too big an issue for any one organizational team to solve. It’s also difficult to get a sense of where to start. Organizations should have a coordinated strategy to share information, data, and technologies in unison. This often requires integrating—and interrogating—data sets across cyber, fraud, and anti–money laundering (AML) teams. Without this, organizational resources can become locked into a repetitive tactical fight where each problem is battled in isolation, in the absence of a complete picture of the overall damage incurred.
• Creating global partnerships: Financial crime is occurring on a global scale. A hospital’s patient data can be compromised in one country and sold on the dark Web to criminal gangs in another country for identity theft and fraud. As such, it is important for organizations to cultivate visibility across the globe through internal and external collaboration and information-sharing partnerships. Concurrently, they must navigate each jurisdiction’s local regulations related to financial crime and data privacy.
• Elevating the solution set: This, perhaps, is the first and last mile of combating financial crime. Companies can leverage the power of threat intelligence, data science–driven advanced analytics, and machine learning techniques to detect and prevent criminal activities in a more precise and timely manner.

Connected technology: All roads lead to Rome

Financial crime aided by technology is a multifaceted and far-reaching problem impacting nearly every organization. Paradoxically, in the face of greater worldwide connectivity, organizational structures can’t always keep pace with the speed of technological change. While criminals are indifferent to corporate structures, many organizations still have dedicated, standalone teams to combat and detect cyberattacks and financial crime. These teams often operate in silos, similar to the Roman provinces fighting off each new threat in isolation. But, unlike the fall of the Roman Empire, which spanned centuries, threats to even the largest multinational business can be manifest in seconds.

As a result, companies in most industries, as well as their risk management teams and systems intended to combat financial crime, are facing unprecedented strain. The cost of fraud and cyberattacks is estimated to exceed US$3 trillion across the globe annually.¹¹ Yet, most risk monitoring systems yield unproductive and inefficient investigatory work to ensure that compliance regimes are met at the base level, rather than effectively identifying suspicious activity with high levels of confidence.

Navigate the Web of crime: Define specific goals

Thankfully, organizations today have access to a wealth of data, tools, and modeling techniques they can use to combat even the most sophisticated crimes. However, the options and approaches to tackling these crimes can be overwhelming, and the regulatory climate doesn’t always keep up with the capabilities deployed by bad actors. Most organizations are just trying to keep pace with compliance requirements rather than matching criminal adversaries in their approach. This often leads to rigid and more easily circumvented rule sets to detect financial crime—for example, rules relating to exceeding predetermined spending limits. Further, insider threats can relay even the most complex rule sets to those looking to maneuver around them.

In an era of 4IR technologies and AI, the natural response is to replace monitoring rule sets with more advanced analytical techniques, such as using machine learning to more accurately detect cases of fraud. While these techniques may be more effective, it’s no small feat to overhaul years, even decades, of old infrastructure and corporate practices with new risk management structures and methodologies. There are two primary reasons for this:

• First, it requires companies to move out of their comfort zones. This entails high-level leadership coordination and a willingness to procure or share data with others, both of which can necessitate navigating corporate politics and long-standing corporate policies.
• Second, the overwhelming number of tools, modeling techniques, and data sources available cultivate a rather complex environment to both choose from and implement. Therefore, determining the right approach for your organization is not always a straightforward endeavor.

The best way to make these formidable issues more manageable could be to articulate more specific goals while combating financial crime. By going deeper than a “stop all cases of fraud” goal, organizations can get a better sense of the data required, people with whom to coordinate, and the most effective analytical approaches to address the issue. There are four areas in which organizations can define more manageable goals with a view to protect themselves from various forms of financial crime. They are:

• Fidelity—reducing false positives: Rule–based solutions often lead to false positives (that is, incorrectly alerting teams to possible improper behavior). These false positives can lead to investigators unnecessarily spending significant hours researching cases that more sophisticated approaches would have never identified in the first place. So, reducing false positives would save a lot of time that can be directed toward fighting and detecting real frauds and money laundering.
• Efficiency—rapidly identifying illegitimate activity: When a malicious person or bot gains access to customer credentials, the behavior pattern would inevitably change to produce anomalies. For example, machine learning techniques can use granular data (such as typing speed) to quickly alert monitoring teams of improper logins to bank accounts.
• Coverage—expanding the scope of protection: The connected nature of technology has increased the threat landscape. As such, it’s important for organizations to inventory all potential areas exposed to possible attacks. This means understanding business value chains, the supporting systems, processes, and resources, and then assessing how critical each threat is to the overall health of the business.¹²
• Prediction—telegraphing the criminal element: Proactive attack prevention is made possible through predictive analytics techniques. For instance, threat modeling and scenario analysis provide a line of sight into an organization’s attack surface, which in turn can help teams preemptively address high-risk areas for financial crime.

Starting with the board and top management teams, these key action areas should be agreed upon, communicated, and prioritized across the organization. Specific goals can become a rallying cry for gaining internal and external support, providing direction on how to improve processes (regardless of organizational silos), and determining the best tools and analytical techniques to address the issue. As an example, if the goal is to rapidly identify anomalies, the cyber, fraud, and AML departments can work together to build a single database across the organization that identifies bad actors, rather than have each group figure this out in isolation—and after several attacks on the company.

Sharply defined goals help companies to react in a more agile manner. In a recent panel discussion for Risk.net, executives discussed the need to simplify the objectives to defend against financial crime in a more agile manner. Specifically, it requires ensuring that cybersecurity, application security, fraud, and data scientists are working collaboratively to consolidate data sources in order to gain an enterprise-wide view of vulnerabilities and opportunities to share knowledge in the fight against financial crime.¹³

Get by with some help from friends: Forge partnerships

As financial criminals function in ecosystems, so too should the institutions tasked with defending against them. Businesses and law enforcement can work in tandem to thwart these criminal ecosystems through fast and effective sharing of information on bad actors, knowledge related to new criminal schemes, and intelligence on best practices for prevention and detection of financial crime. To do so effectively, organizations should consider a two-fold approach: Elevate the importance of procuring third-party data and participate in public-private partnerships (PPP) to share information and best practices.

Create third-party data partnerships

Sharing data outside the organization is not a new concept—retailers and suppliers have been doing it for decades. However, the level of granularity, sensitivity of information, and sheer volume of data required to combat financial crime is compelling many organizations to look outside their own four walls. When multiple institutions artfully combine their data, they can piece together a mosaic of criminal activity that none can discern in isolation, thus creating actionable insights in aggregate.

Banks are some of the earliest adopters of third-party data-sharing and have been safely and appropriately exchanging data with external parties for decades. Many banks understand that one of the best ways of defending against financial crime is by proactively building “herd immunity.” This entails sharing intel to collectively learn from one another and preemptively put measures in place to prevent or minimize future crimes.

This is manifesting in the financial services industry through third-party platforms, which provide cloud-based communities for standardizing and sharing information across vendors.¹⁴ Perhaps more promisingly, recent innovations like homomorphic encryption and multiparty computation enable organizations to compare data sets and perform complex analytical routines against an aggregated data set.¹⁵ By doing so, they can collectively extricate insights from patterns of malicious behavior that indicate criminal activity—with a higher rate of fidelity than previously possible.

For example, consider IP addresses with a troubled history. Companies can contribute and upload “bad” device data on a shared database and use it as a data modeling attribute. These data sources can help companies uncover IPs that either have a direct malicious history (sending spam emails, account takeovers, and malware data) or are in a nexus with IPs that do.¹⁶

Enter into and participate in PPPS

Many government agencies around the world are working to combat various types of financial crime but they can be significantly more effective if they collaborate more with the private sector—and vice versa. These PPPs can provide law enforcement with quick access to intelligence related to relevant case work and inform organizations of the most current status of the threat landscape.¹⁷ Further, they can create a safe environment for both groups to share information and data.

Such partnerships seem to be growing across the world. One notable example is the United Kingdom’s Joint Money Laundering Intelligence Taskforce (JMLIT). This group consists of more than 20 large banks, the National Crime Agency (NCA), the Home Office, and the Financial Conduct Authority (apart from a number of other agencies). Together, they can tackle cases of financial crime, such as human trafficking, and share information and data to better understand patterns of criminal behavior and the identities of potential bad actors. By working directly with banks, government agencies can share “red flag” activities that indicate trafficking behavior, such as payments made to cover multiple individuals’ travel expenses from a country the financer has never personally visited.

Such PPPs don’t have to be limited to financial institutions. Retailers, for instance, are frequent targets of criminals looking to steal consumers’ bank details. Retailers can provide insights on suspicious transactions and use of online resources to authorities and financial institutions. Similarly, automotive dealers or high-end consumer credit brokers can share consumer spend information to help alert the authorities and banks of potential money laundering.

Where we’re going, we don’t need roads

The same sophisticated tools, technologies, and techniques that make financial criminals formidable adversaries for organizations can be repositioned to fight crime. But companies first need to ensure that the basics are in place—that is, they have defined specific and concise goals, are working collaboratively across silos, and sharing relevant data and information safely with external parties. These foundational practices can put organizations in prime position to explore the full potential of 4IR technologies in combating financial crime.

With 4IR technologies, data can be organized, shared, and analyzed in the cloud more easily. Specifically, organizations can fuse data across cyber, fraud, and anti–money laundering functions into a single data set—and interrogate the information through more sophisticated means than traditional rule sets. By combining this data with AI and predictive analytics, organizations can safeguard highly targeted information and alert teams to high-risk scenarios through the following data capture and analysis methods:

• Digital entity fingerprinting: Organizations can conduct validation tests to detect suspicious activity. This includes assessing if the device is foreign to the expected user, determining if the access location strays from routine behavior, or alerting the business that the IP address has a bad actor reputation. For example, if a transaction to transfer corporate funds to a new and suspicious account originates from an unfamiliar broadband router—and the physical location originates from an unexpected region—then it’s most likely a suspicious user.
• Session monitoring: Session logs are rich in user behavior. Analyzing a user’s behavior and journey during an authenticated session in application logs can help determine whether a human is in control or if there’s bot activity going on.
• Behavioral biometrics analytics: This utilizes passive biometrics such as typing speed, cursor movement, and reaction times to authenticate the user.

Each of the methods mentioned above employs a structured modeling technique to identify criminal behavior. That is, a human informs the model what good-versus-bad behavior looks like. Other techniques such as machine learning can elevate these approaches to a new level of sophistication—and analyze the digital entity's fingerprinting, session monitoring, and behavioral biometrics data in concert. Machine learning is an iterative process that employs a variety of complex algorithms to analyze data patterns; further, it typically adjusts its predictions based on new data and information that enters into the system.

With unsupervised modeling (that is, modeling techniques that draw conclusions without human intervention), machine learning can identify unique groups of behavior that may indicate some form of financial crime. These same groups can then be entered into more structured machine learning approaches to score and assess the likelihood of improper behavior. For instance, various platforms are coming to market that employ machine learning to analyze transactions from a consortium of thousands of e-commerce websites to defend against online fraud and abuse.¹⁸ Each time a potential fraudster initiates an activity on one of their partnering websites, a fraud score is updated and shared across the consortium.

Encouragingly, these techniques are growing in popularity. One study suggests that by 2021, 72 percent of organizations will employ automated monitoring and anomaly detection, and 50 percent will rely on predictive analytics and advanced modeling techniques to combat financial crime.¹⁹ As more and more organizations adopt advanced technologies to combat crime, the pressure is expected to mount on those still relying on outdated crime monitoring systems to change as they will likely become relatively easier targets for cybercriminals.

Defending your empire

Whether you operate in the financial industry or not, increased digital connectivity is making combating financial crime a universal problem. To forge your own organizational path to defend against bad actors, your leadership team should consider implementing the following advice:

Rome wasn’t built in a day. An organization has a considerable number of moving parts across governance, culture, people, process, technology, and data. However, it isn’t necessary to accomplish everything in a single seismic shift. Starting with specific goals, consider seeking opportunities for internal fusion at a smaller scale. Within your organization, that could mean looking to areas where skill sets, core processes, enabling technologies, and mutual data synergies exist. Increasingly, cyber offers opportunities to connect with physical security and fraud departments. Bringing these teams together, even just through closer collaboration, can help improve their respective effectiveness and operational efficiencies.

Know thyself. It is a strategic imperative to build a comprehensive, current, and accurate knowledge base of your business value chains and the critical assets that enable a business to function. This represents your organization’s attack surface and, therefore, the potential opportunities for an adversary to steal, manipulate, or disrupt your key systems, people, data, and workflows. This attack surface also extends through to your larger business ecosystem (including your customers, supply chain, and industry peers).

Know thy enemy. Seek out credible intelligence on adversaries and triangulate this information across multiple sources. Strategic advisory groups, external data-sharing platforms, and a consortium of peers can help your organization build a better understanding of who, how, and why a criminal group might attack your business.

Plan for the worst, hope for the best. Analytically based intelligence and empirical data makes it possible to prioritize preventative countermeasures—and measure their efficacy. By building a comprehensive map of scenarios mapped to controls, it becomes easier to identify commonalities and redundancies, and therefore, improve consistency of coverage and realize operational efficiencies.

Drill your defense strategies. Rehearsing predicted scenarios and plans to prevent, detect, and respond to attacks can create opportunities to challenge old assumptions and refine solutions. By socializing these learnings, businesses can raise awareness on new threats and cultivate a culture that supports core goals and objectives. 

By taking the above steps, organizations can proactively build an ecosystem of security to match—and possibly eventually exceed—the criminal elements they are charged with thwarting.

Global Financial Advisory

Deloitte’s end-to-end advisory solutions help unlock and preserve value in mergers and acquisitions, restructuring, investigations and disputes.