Open Source Intelligence for financial risk assessment


Mongoose Global Intelligence

As compliance regulations become more stringent in response to increased global activity in terrorism, money laundering, narcotics and tax evasion, financial institutions have no choice but to mitigate their exposure to regulatory sanctions, heavy fines and reputational risk through in-house financial risk assessment.

Compliance officers need timely, accurate and relevant information to be confident that their clients have been screened accurately for any breaches of protocol with regard to full regulatory compliance.

Mongoose Global Intelligence, by leveraging its expertise in the field of Open Source Intelligence, has the ability to provide financial service institutions, fund administrators, legal and accountancy firms, government departments and enforcement agencies with access to reliable, accurate and relevant data to assist in the decision-making process.

There are many definitions used to describe Open Source Intelligence. For me personally, the most concise definition is the following, supplied by the North Atlantic Treaty Organization (NATO):

‘Open Source Intelligence’ is Information that has been deliberately discovered, discriminated, distilled, and disseminated to a select audience, generally the commander and their immediate staff, in order to address a specific question. Open source Intelligence, in other words, applies the proven process of intelligence to the broad diversity of open sources of Information, and creates Intelligence.

NATO was formed in 1949 by the signing of the ‘Washington agreement’ with the sole purpose of creating a political and military alliance to guarantee the security of member states from hostile nations. The founding member states include the United Kingdom and the United States. Presently NATO has twenty-eight members.

If we take the commander in this definition to be the chief executive or the head of compliance of a financial institution, and reiterate that what is needed is not just information but the creation of real intelligence, we begin to understand that masses of unstructured information derived from open sources are not in fact Open Source Intelligence. They are open source information (OSINF) and open source data (OSD), which are essentially the raw materials required to create Open Source Intelligence (OSINT).

The importance of this distinction is that the basic information that any individual can find in the public domain is not Open Source Intelligence. Let me explain why.

The collation of open source data is the assembly of data that has not been aggregated, analysed or refined. This is typically the first stage in the development of Open Source Intelligence. In the second stage the data is transformed into open source information. In this stage, data from the original source is edited, validated, processed and packaged and then circulated via the World Wide Web, global media, government reports and academic journals.

To become bona fide Open Source Intelligence, open source information has to be analysed, aggregated and clustered, and the relevance and credibility of the data sources must be validated. This analysis process enables a targeted and cohesive set of true Open Source Intelligence to be delivered to the relevant intelligence operative, military commander, politician, government agency, regulatory body, corporate executive or compliance department.

What is important is real intelligence, not just information.

We are presently in the midst of an unprecedented period of growth in the Open Source Intelligence world. Never has there been so much information available from a variety of sources. The World Wide Web has revolutionised the process of gathering both open source data and open source information.

Think about this statistic. Only an estimated six per cent of the available open source data on the World Wide Web is readily accessible through popular search engines such as Google, Yahoo or Bing. This leaves an astounding ninety-four per cent of the available information essentially inaccessible.

All of this is a far cry from the origins of the Open Source Intelligence world, which date back to the late 1930s and were led by pioneering work at Princeton University. In 1941 the Foreign Broadcast Intelligence Service (FBIS) was formed to monitor radio signals on a global basis and was used as the primary intelligence source during World War II.

Let us look at the present-day uses of Open Source Intelligence with regard to financial risk assessment and compliance.

Regulatory compliance mandates require financial service institutions, law and accounting firms and similar organisations to conduct due diligence checks and compliance screening on all prospective clients. These regulatory requirements include Know Your Customer (KYC), Anti-Money Laundering (AML), Politically Exposed Persons (PEP) and Countering the Financing of Terrorism (CFT).

KYC requires financial institutions and service providers to check international government watch lists for known money launderers, terrorists and criminals. Auditable proof must be provided that potential clients have not been involved in illegal activities, are not listed on any sanctions lists and that their identity can be verified. The US Patriot Act (2001), adopted in response to the September 11, 2001 terrorist attacks, expanded and strengthened US measures to prevent, detect and prosecute international money laundering and the financing of terrorism, both in the US and abroad. KYC was no longer a suggested course of action but a mandate requiring financial institutions to implement a client verification programme.

The KPMG Global Anti Money Laundering Survey (2007) states that US$1 trillion is being laundered by financial criminals per year. Anti-money laundering regulations, although they have existed to some extent for some years, have more recently led to unprecedented levels of cooperation between a number of nation states. As terrorism may be financed on a global scale, compliance regulations must also operate globally. The USA Patriot Act became a landmark for worldwide AML regulation. As such, financial, banking and investment institutions are required to establish an AML programme, verifying the identity of clients, reporting suspicious activity and using enhanced due diligence for certain transactions.

In the UK, AML regulations are enforced by The Proceeds of Crime Act (2002) and The Financial Services and Markets Act (2000). Legislation has been strengthened by the Second and Third EU Money Laundering Directives. As with the Patriot Act, financial communities are required to report suspicious activity, a complex requirement because the definition of what constitutes money laundering is so broad. In addition to being compliant in their business dealings, financial entities seek to avoid the reputational damage which arises from association with drug traffickers, arms dealers, financial criminals, organised crime syndicates and the funding of international terrorism.

PEPs (Politically Exposed Persons) are considered to be high risk in the current heightened regulatory environment. The Financial Action Task Force (FATF), the US Patriot Act and the EU Directives similarly define a PEP as a current or former senior official in the executive, legislative, military or judicial office of a government, a senior official of a major foreign political party, a senior executive of a government owned commercial enterprise, an immediate family member or a close personal or professional associate of such an individual.

If a potential client is discovered to be a PEP through initial KYC checks, then financial institutions are required to conduct enhanced due diligence. After identifying a PEP, regulations require financial organisations to ensure that the sources of the individual's wealth are transparent and are not derived from criminal or corrupt sources. PEP risk management is an ongoing process, as all transactions carried out by such individuals must be scrutinised. Apart from the very real risk of reputational damage associated with dealing with corrupt PEPs, financial service providers may be liable for heavy fines when engaging in business with PEPs without ensuring adequate KYC and enhanced due diligence procedures.

Meeting compliance regulations requires that an organisation knows the history and background of the individuals and entities it wishes to conduct business with, and that it can demonstrate that it has completed these checks and screenings. This presents a considerable operational challenge to any organisation. Many organisations seeking to meet their legal and compliance obligations use an information system structured to provide financial risk and compliance intelligence.

A number of such systems exist and provide information and intelligence that enable an organisation to assess and address the relevant regulations. It is, however, a considerable challenge to gather and provide targeted, accurate results suitable for financial compliance. Intelligence data needs to be retrieved, extracted, cleansed and indexed for a fast and accurate search. How effectively and efficiently each of these steps is executed is an important criterion in the selection of a compliance system.

Since 11 September 2001, there has been greater cooperation between nations, and greater regulatory expectations, in enforcing the Foreign Corrupt Practices Act (FCPA) and countering the financing of terrorism (CFT). CFT compliance legislation includes the USA Patriot Act, the UNSC Resolution (2001), the UK Terrorism Act (2000) and the Third EU Money Laundering Directive. These regulatory measures have created many additional compliance requirements for financial institutions. Notably, unlike laundered monies, where the source is clandestine, money used to finance terrorism can come from legitimate sources.

Authorities around the world are becoming more demanding in their compliance requirements and imposing heavier sanctions on institutions that are not clear, thorough and auditable in their compliance procedures. Significant penalties and fines include UBS $780 million, Credit Suisse $536 million, Lloyds $350 million and Wachovia $110 million (all figures in US dollars).