Financial crime risk management (FCRM) is the practice of proactively looking for financial crime, including investigating and analyzing suspicious activity, rooting out vulnerabilities and taking steps to lower an organization’s risk of becoming a victim.
For organizations in every industry across the globe, an effective FCRM strategy has never been more important. Almost all organizations are doing business online, increasing attack surfaces and making businesses easy targets for cyber threats and cybercrime. Criminals are adopting more stealthy and sophisticated approaches to access critical financial data and cover their tracks.
According to Kroll's 2023 Global Economic Crime and Fraud Survey, 60% of surveyed executives predict an increase in global financial crime over the next 12 months, putting the onus on organizations to protect their data from both external and internal threats and ensure that they’re compliant with regulatory laws. If organizations fail to take the necessary steps to identify and combat financial crime, they could face stiff penalties that reach into the millions and even billions of dollars.
In this article, we’ll look at:
- The various types of financial crimes and their costs
- The role of AML and compliance
- How to perform a financial risk assessment
- How FCRM solutions can help you combat financial crime
We’ll also look at ways you can establish protective measures to mitigate your risk of being a victim of financial crime.
What are the types of financial crime?
In simplest terms, financial crime is the practice of taking money or property illegally from another person or organization for one’s benefit.
Among the major types of financial crime are:
- Money laundering
- Terrorist financing
- Market abuse
- Insider trading
- Tax evasion
- Identity theft
- Electronic crime
These crimes can be executed by both external attackers and internal employees, including leaders at the very top of the business.
Financial crime also incorporates a range of less-serious criminal activities. While the cost or legal ramifications may not be as high as with the major types listed above, the following behavior falls under the umbrella of financial crimes:
- Personal purchases: Employees use company funds to buy items that aren’t work-related.
- Theft: Employees steal money (e.g., from a cash register or safe) or items from the business to sell for cash.
- Skimming: Employees take a little off the top of each transaction, usually in amounts that are small enough to go undetected, but which add up over time — a particular problem in cash-based retail businesses.
- Payroll schemes: Payroll employees issue non-approved checks or bonuses, or overstate an employee’s hours.
- Billing schemes: Employees submit false invoices that the business then pays, and the employee or an accomplice receives the payment.
- Forgery: Employees sign or reproduce documents using someone else’s signature. Documents might include timesheets, expense reports, contracts and even checks.
Meanwhile, financial crime perpetrators tend to range from petty thieves to heavy-hitting global crime syndicates:
- Organized criminals: Large-scale operations that can include powerful, dangerous people.
- Individual criminals: Includes hackers with no connection to the organization, as well as customers, suppliers or contractors who have some knowledge of the business.
- Business leaders: Includes executives or board members stealing from the company or misrepresenting how an organization is performing (e.g., manipulating financial data to exaggerate profits).
- Employees: Typically involves stealing funds in some way and taking steps to cover their tracks (e.g., skimming). Outside criminals often target employees as partners to help carry out these activities. The employee could be complicit, or could be targeted unknowingly to carry out criminal activity, e.g., by a bad actor pretending to be the CEO or another business leader to gain access to secure information (phishing).
Financial crime compliance cost trends
Financial crime compliance is the process of ensuring that your organization is meeting the standards, policies and regulations (both internal and external) that apply to your industry and organization.
In 1990, the U.S. Department of the Treasury established the Financial Crimes Enforcement Network (FinCEN), which lays the groundwork for financial crime compliance:
- The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transactions Reporting Act, requires financial institutions to work with the U.S. government in cases of suspected money laundering and fraud.
- The USA PATRIOT Act puts forth measures “to prevent, detect, and prosecute international money laundering and financing of terrorism.”
- Know Your Customer (KYC) is a portion of the USA PATRIOT Act that requires businesses to verify the identity of customers and understand the nature of their activities.
Financial crimes have a significant impact on an organization’s revenue — but so can remaining compliant. According to a study performed by LexisNexis, the global cost of financial crime compliance topped $274 billion in 2022, up from $213.9 billion in 2020. That means the global cost has soared 28% in just a couple of years.
(LexisNexis 2022 Global Summary)
As financial crimes increase, costs are expected to continue rising into 2023.
Anti-money laundering (AML) compliance challenges and best practices
With constant changes in technology, increases in financial crimes and expanding regulations, maintaining compliance can be an ongoing battle. As an example, recent trends have made achieving anti-money laundering (AML) compliance substantially more difficult.
The United Nations estimates that the amount of money laundered in one year is 2% to 5% of global GDP or $2 trillion in current US dollars. Because of this, organizations need to meet stringent anti-money laundering (AML) compliance requirements — otherwise, they might face heavy penalties.
However, AML compliance is becoming increasingly difficult to achieve for several reasons, including:
- Products and services have moved online: More consumer-friendly offerings, such as online pre-qualifications and mobile payments, are more complicated to monitor than cash transactions.
- Compliance is deprioritized: Financial institutions cut resources allocated to compliance to undercut their competitors and offer better deals.
- Remaining compliant presents challenges: The sheer amount of customer and transaction data is simply too much for organizations to manage compliantly, much less parse and use to investigate suspicious activity.
To help achieve AML compliance, companies should:
- Establish internal policies and procedures designed specifically to prevent money laundering.
- Employ AML investigators and support them with AML software that can process data quickly and efficiently.
- Train employees on an ongoing basis to both understand money laundering and know what to do if they suspect something is wrong.
- Maintain strict record keeping and reporting.
How to assess your financial crime risk
A financial crime risk assessment is a systematic, step-by-step process of analyzing an organization’s vulnerability to financial crime. To perform a financial risk assessment, you’ll need to take the following steps:
Identify your risks: You need to both understand and document risks, based on the complexity of your organization, the market you are in, the services and products you provide, and how much of your business is conducted online. Looking at past incidents within your organization, and the general proliferation of these financial crimes in the market, you’ll need to estimate your risk level for each of the following:
- Money laundering
- Terrorist financing
- Bribery and corruption
- Market abuse and insider trading
- Tax evasion
- Identity theft
- Electronic crime
- Personal purchases
- Payroll schemes
- Billing schemes
Once you have documented your risks, you can prioritize them, based on which pose the biggest threat.
Establish protective measures to mitigate your risks: With full awareness of where you are most vulnerable, you can plan the controls and systems that you will implement to prevent financial crimes within and against your organization. These controls can include:
- Assigning responsibility to individuals for ensuring compliance (e.g., will you assign the work to a security team member or hire a new AML analyst?).
- Establishing organization-wide policies and procedures.
- Implementing customer due diligence (CDD) and enhanced due diligence (EDD) to ensure that you’re capturing all the customer information needed to assess risk.
- Creating effective management information (MI) reports that provide both data and context.
- Providing adequate training to employees across the organization beyond IT so that they know how to recognize and report financial crimes.
Review and improve controls: Your organization should conduct regular audits to ensure that the controls you have put into place are addressing new risks. As the market and overall environment changes, you need to create new procedures and policies to address new issues and ensure compliance.
Monitor and report: You must monitor the effectiveness of your controls, so document suspicious activity and the steps you’ve taken to resolve the issue. Proper reporting is required under various compliance regulations, so it’s critical to have that information readily available.
What is an FCRM system?
FCRM tools enable security staff to proactively identify potential vulnerabilities, examine activity continuously, perform ongoing risk assessments, and manage and respond to questionable activity. Here’s a breakdown of their capabilities:
- Detect threats in real-time: FCRM systems instantly detect suspicious activity — even on large volumes of transactions — and send alerts to security personnel who can then decide what action to take next.
- Uncover anomalous user behavior: Some FCRM tools use advanced user behavior analytics and machine learning to detect malicious or unusual behavior associated with users, devices and applications.
- Improve investigation efficiency and results: The best FCRM solutions allow you to quickly search through massive amounts of current or historical machine data to find financial crimes.
- Reduce alert fatigue: You can establish custom rules and automation routines to reduce repetitive alerts and false positives.
- Adhere to fraud and AML compliance regulations: The FCRM solution brings order to unstructured data, enabling you to adequately meet regulations.
- Provide analytics and reporting: With FCRM solutions, you can easily analyze, measure, and manage financial crime risks and share critical information with stakeholders across the organization.
Using FCRM systems to combat financial crime
FCRM systems help combat financial crime in two ways — they clear away much of the noise so analysts can focus on financial crime prevention strategy and compliance, and they offer better visibility and insight while alerting analysts when suspicious behavior occurs.
Here is how FCRM technology helps to prevent these common crimes:
- Electronic payment fraud: FCRM solutions allow you to more easily detect, investigate and resolve attempts to steal funds through ACH and wire (Fed and SWIFT) transactions. Research suggests that FCRM solutions are working: after peaking in 2019, the percentage of organizations impacted by a payments fraud attack or attempt has gradually decreased.
- Fraud: FCRM tools continuously aggregate cross-channel data about customers and accounts to create behavior profiles, then automatically look for unusual patterns of behavior and key indicators of fraud risk.
- Electronic crime: You can set up custom rules and alerts to flag specific behaviors so that your analysts can investigate them.
- Money laundering: FCRM tools with AML capabilities can be used to identify high-risk individuals by pulling from historical data to pinpoint suspicious patterns in customer transactions, as well as locating and identifying specific transactions.
- Terrorist financing: Strong FCRM solutions provide a sanction list or blacklist and check activity on an organization’s accounts against it. If a match occurs, the solution will hold payments until an authorized person releases or denies the payment.
- Bribery and corruption: FCRM tools make it possible for investigators to identify connections between contractors or public officials and pinpoint unusual payment patterns that could indicate the organization is paying or receiving bribes.
- Market abuse and insider dealing: FCRM solutions help you manage employee trades and compare them in real-time against activities in the securities market to investigate potential illegal trading.
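The hold-and-release behaviour described in the terrorist financing item above, shown as an added Python example that is not taken from any FCRM product. The list entries, the reviewer name and the function names are all constructed for illustration, and exact matching on normalized names stands in for the fuzzy matching a real screening engine would use.

```python
import unicodedata
from dataclasses import dataclass, field

# Constructed sample entries; a real deployment would load an official sanctions feed.
SANCTIONS = {"Ivan Example Petrov", "Acme Shell Trading Ltd"}
APPROVERS = {"compliance_officer_1"}  # hypothetical authorized reviewers


def normalize(name: str) -> str:
    """Fold case, accents, punctuation and token order so trivial variants still match."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = "".join(c if c.isalnum() else " " for c in text.lower()).split()
    return " ".join(sorted(tokens))


BLOCKED = {normalize(n) for n in SANCTIONS}


@dataclass
class Payment:
    payment_id: str
    beneficiary: str
    amount: float
    status: str = "pending"
    audit: list = field(default_factory=list)


def screen(payment: Payment) -> Payment:
    """Hold the payment on a list match, otherwise let it proceed."""
    hit = normalize(payment.beneficiary) in BLOCKED
    payment.status = "held" if hit else "cleared"
    payment.audit.append(("screen", "system", payment.status))
    return payment


def review(payment: Payment, reviewer: str, release: bool) -> Payment:
    """Only an authorized reviewer may release or deny a held payment."""
    if payment.status != "held":
        raise ValueError("only held payments can be reviewed")
    if reviewer not in APPROVERS:
        payment.audit.append(("review_rejected", reviewer, "held"))
        raise PermissionError(f"{reviewer} is not authorized")
    payment.status = "released" if release else "denied"
    payment.audit.append(("review", reviewer, payment.status))
    return payment
```

Every decision, including a rejected review attempt, is appended to the payment's audit trail, which is the record a compliance report would draw on.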
Financial crime risk management best practices
The laws set the precedent for how you can prevent and address financial crimes within your organization. Knowing which rules apply to you, monitoring changes in the laws, and building awareness about them across the organization are your top priorities.
These best practices will also help you prevent criminal activity:
Choosing the right FCRM solution
When it comes to choosing an FCRM solution, the platform you choose will be heavily dependent on your needs, making it imperative to conduct a thorough risk assessment before you begin researching tools. Here are some of the features you’ll also want to consider:
- Reliable and complete data: Look for tools that use advanced behavior analytics and machine learning to create thorough, real-time, 360-degree profiles of the people and entities with whom you do business.
- Customized dashboards and painless reporting: Among other things, you will need high-level overviews, trend analysis statistics, and workflow-based reports, along with the ability to drill down and access specific data to support an investigation and pull reports for compliance requirements.
- Regulatory compliance features: FCRM tools enable you to comply with local, state, federal and international regulations. Choose a vendor that offers you the ability to rapidly retrieve log data and generate reports for auditor requests.
- User-friendliness: You want a straightforward platform that works the way you need it to work, offering customization and an intuitive interface. Make sure that any vendor you choose is also committed to providing ongoing training and support so you get the most from your investment.
The bottom line: take financial crime seriously
Customers expect a safe, real-time, omni-channel experience. E-commerce and digital data transactions create new challenges in assessing and managing your financial crime risk. That said, this isn’t something you can put off or ignore.
Regulators will hold your organization responsible for any financial crimes that happen on your watch, even those that come from outside forces. Adopting an FCRM solution makes it easier to identify, respond to and prevent those threats, while ensuring that your organization remains compliant — even with a growing and increasingly complex array of regulations.
This posting does not necessarily represent Splunk's position, strategies or opinion.