What Is Financial Crime Risk Management (FCRM)?

Financial crime risk management (FCRM) is the practice of proactively looking for financial crime, including investigating and analyzing suspicious activity, rooting out vulnerabilities and taking steps to lower an organization’s risk of becoming a victim.

While financial crime has existed since people first exchanged currency for goods and services, technology has changed the attack surface, level of access and number of opportunities for cybercriminals. Almost all organizations are doing business online, making businesses easy targets for cybercrime. Criminals are adopting more stealthy and sophisticated approaches to access critical financial data and cover their tracks. Compounding the threat, many financial crimes are perpetrated by corporate insiders who have not only figured out where critical data is located, but how to effectively hide their nefarious activities.

It’s not surprising, then, that nearly half of organizations have fallen victim to a financial crime. The proliferation of such crimes has led to increased government oversight and legislation, putting the onus on organizations to protect their data from both external and internal threats and ensure that they’re compliant with regulatory laws. If organizations fail to take the necessary steps to identify and combat financial crime, they could face stiff penalties that reach into the millions and even billions of dollars.

Consequently, an effective FCRM strategy has never been more important. This article looks at the various types of financial crimes and their costs, the role of AML and compliance, how to perform a financial risk assessment, and how FCRM solutions can help you combat financial crime.

Financial Crime Threat Landscape

What are the types of financial crime?

In simplest terms, financial crime is the practice of taking money or property illegally from another person or organization for one’s own benefit. Among the major types of financial crime are money laundering, terrorist financing, fraud, bribery and corruption, market abuse and insider trading, tax evasion, embezzlement, counterfeiting, identity theft and electronic crime. These crimes can be executed by both external attackers and internal employees, including leaders at the very top of the business.

Financial crime also incorporates a range of less-serious criminal activities. While the cost or legal ramifications may not be as high as with the major types listed above, the following behavior falls under the umbrella of financial crimes:

  • Personal purchases. Employees use company funds to buy items that aren’t work-related.
  • Theft. Employees steal money (e.g., from a cash register or safe) or items from the business to sell for cash.
  • Skimming. Employees take a little off the top of each transaction, usually in amounts that are small enough to go undetected, but which add up over time — a particular problem in cash-based retail businesses.
  • Payroll schemes. A payroll employee creates a fake worker and then diverts the fake worker’s paychecks into a bank account that they can access. In other cases, payroll issues non-approved checks or bonuses, or overstates an employee’s hours.
  • Billing schemes. Employees submit false invoices that the business then pays, and the employee or an accomplice receives the payment.
  • Forgery. Employees sign or reproduce documents using someone else’s signature. Documents might include timesheets, expense reports, contracts and even checks.

Meanwhile, financial crime perpetrators tend to range from petty thieves to heavy-hitting global crime syndicates:

  • Organized criminals: large-scale operations that can include powerful, dangerous people.
  • Individual criminals: includes hackers with no connection to the organization, or customers, suppliers or contractors with some knowledge of the business.
  • Business leaders: includes executives or board members stealing from the company or misrepresenting how an organization is performing (e.g., manipulating financial data to exaggerate profits).
  • Employees: typically involves stealing funds in some way and taking steps to cover their tracks (e.g., skimming). Outside criminals often target employees as partners to help carry out these activities.

What is the true cost of financial crimes?

Financial crimes have a significant impact on an organization’s revenue. According to a 2018 PwC Global Economic Crime and Fraud Survey, 49% of respondents said their companies had been victims of fraud or economic crime — up from 36% in 2016 — while 64% of respondents said losses directly due to fraud could reach at least $1 million. In addition, 46% of respondents to the PwC survey said their organization spent at least as much on investigations and other preventative measures as it directly lost to the fraud itself. And 52% of all fraud is perpetrated by people inside the organization.

Those breach detection and cleanup expenses, compliance penalties and lawsuits often take a large bite out of profits. What’s more, the damage to the organization’s reputation can last for years.


The Role of Compliance

What is financial crime compliance?

Financial crime compliance is the process of ensuring that your organization is meeting the standards, policies and regulations (both internal and external) that apply to your industry and organization.

In the United States, the Financial Crimes Enforcement Network (FinCEN) lays the groundwork for financial crime compliance:

  • The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transactions Reporting Act, requires financial institutions to work with the U.S. government in cases of suspected money laundering and fraud.
  • The U.S. Patriot Act puts forth measures “to prevent, detect, and prosecute international money laundering and financing of terrorism.”
  • Know Your Customer (KYC) is a portion of the Patriot Act that requires businesses to verify the identity of customers and understand the nature of their activities.

What are AML risks?

Every financial institution is exposed to AML risk, largely driven by three factors:

  • Products and services have moved online. Offerings that are more consumer-friendly, such as online pre-qualifications and mobile payments, are more complicated to monitor than cash transactions.
  • Compliance is deprioritized. Financial institutions cut resources allocated to compliance in an effort to undercut their competitors and offer better deals.
  • Remaining compliant presents challenges. The sheer amount of customer and transaction data is simply too much for organizations to manage compliantly, much less parse and use to investigate suspicious activity.

As a result, organizations aren’t doing what’s necessary to meet AML compliance — which can lead to hefty penalties. Thus, it’s critical that financial institutions:

  • Establish internal policies and procedures designed specifically to prevent money laundering.
  • Employ AML investigators and support them with AML software that can process data quickly and efficiently.
  • Train employees on an ongoing basis to both understand money laundering and know what to do if they suspect something is wrong.
  • Maintain a strict system of record keeping and reporting.

What does an AML analyst do?

An AML analyst, also referred to as an AML investigator, focuses on monitoring, investigating, and acting on suspicious financial activity. Being an AML analyst requires a firm understanding of the business, how it operates, its clients, and its products and services. Duties might include:

  • Establishing procedures and protocols, and interpreting them for the rest of the staff, to reduce risks.
  • Documenting client transactions.
  • Explaining to regulators and auditors what the organization is doing to prevent money laundering and other crimes.
  • Ensuring that the organization is adhering to all AML regulations.

Reducing Financial Crime Risk

How can you prevent financial crimes in your organization?

The laws set the precedent for how you can prevent and address financial crimes within your organization. Knowing which rules apply to you, monitoring changes in the laws, and building awareness about them across the organization are your top priorities. These best practices will also help you prevent criminal activity:

  • Start at the top: The most effective FCRM strategies have buy-in from everyone, from frontline employees all the way up to the C-suite, with executives actively engaged in the process. Security staff should have plenty of face time with business leaders to discuss pain points and vulnerabilities, and executives should have access to intelligence reports that provide a clear picture of how the organization is addressing threats.
  • Assign clear responsibilities and roles: Offer employees ample opportunities to speak up when they see suspicious activities, while providing adequate training to employees who are accountable for both identifying and managing financial crime threats. Train all employees on the company’s FCRM policies, how they specifically apply to their role in the organization and how to spot criminal activity.
  • Create cross-departmental teams: IT plays a huge role in financial crime prevention, as do legal and compliance teams, but you should also include employees from customer service, HR, sales, accounting, business development and other groups, especially as you examine all possible risk scenarios.
  • Review third-party vendors: The vendors with whom you do business could expose you to liabilities, so ensure they comply with the same regulations as your organization.
  • Support your financial crime and AML analysts with technology: Invest in fraud detection, AML solutions and security automation, among other things. The less time your analysts spend on dead ends, false positives and repetitive tasks, the more they can focus on real threats and compliance activities.

What is a financial crime risk assessment?

A financial crime risk assessment is a systematic, step-by-step process of analyzing an organization’s vulnerability to financial crime. To perform a financial risk assessment, you’ll need to take the following steps:

Identify your risks: You need to both understand and document risks, based on the complexity of your organization, the market you are in, the services and products you provide, and how much of your business is conducted online. Looking at past incidents within your organization, and the general proliferation of these financial crimes in the market, you’ll need to estimate your risk level for each of the following:

  • Money laundering
  • Terrorist financing
  • Fraud
  • Bribery and corruption
  • Market abuse and insider trading
  • Tax evasion
  • Embezzlement
  • Forgery
  • Counterfeiting
  • Identity theft
  • Electronic crime
  • Personal purchases
  • Theft
  • Skimming
  • Payroll schemes
  • Billing schemes

Once you have documented your risks, you can prioritize them, based on which pose the biggest threat.

Establish protective measures to mitigate your risks: With full awareness of where you are most vulnerable, you can plan the controls and systems that you will implement to prevent financial crimes within and against your organization. These controls can include:

  • Assigning responsibility to individuals for ensuring compliance (e.g., will you assign the work to a security team member or hire a new AML analyst?).
  • Establishing organization-wide policies and procedures.
  • Implementing customer due diligence (CDD) and enhanced due diligence (EDD) to ensure that you’re capturing all the customer information needed to assess risk.
  • Creating effective management information (MI) reports that provide both data and context.
  • Providing adequate training to employees across the organization beyond IT so that they know how to recognize and report financial crimes.

Review and improve controls: Your organization should conduct regular audits to ensure that the controls you have put into place are addressing new risks. As the market and overall environment changes, you need to create new procedures and policies to address new issues and ensure compliance.

Monitor and report: It’s imperative that you monitor the effectiveness of your controls, so document suspicious activity and the steps you’ve taken to resolve the issue. Proper reporting is required under various compliance regulations, so it’s critical to have that information readily available.

What is an FCRM system?

FCRM tools enable security staff to proactively identify potential vulnerabilities, examine activity continuously, perform ongoing risk assessments, and manage and respond to questionable activity. Here’s a breakdown of their capabilities:

  • Detect threats in real time. FCRM systems instantly detect suspicious activity — even on large volumes of transactions — and send alerts to security personnel who can then decide what action to take next.
  • Uncover anomalous user behavior. Some FCRM tools use advanced behavior analytics and machine learning to detect malicious or unusual behavior associated with users, devices and applications.
  • Improve investigation efficiency and results. The best FCRM solutions allow you to quickly search through massive amounts of current or historical machine data to find financial crimes.
  • Reduce alert fatigue. You can establish custom rules and automation routines to reduce repetitive alerts and false positives.
  • Adhere to fraud and AML compliance regulations. The FCRM solution brings order to unstructured data, enabling you to adequately meet regulations.
  • Provide analytics and reporting. With FCRM solutions, you can easily analyze, measure, and manage financial crime risks and share critical information with stakeholders across the organization.

How do FCRM solutions combat financial crimes?

FCRM solutions help to combat financial crime in two ways: they clear away much of the noise so analysts can focus on financial crime prevention strategy and compliance, and they offer better visibility and insight while alerting analysts when suspicious behavior occurs.

Here is how FCRM technology helps to prevent these common crimes:

  • Electronic payment fraud. According to Fiserv, Automated Clearinghouse (ACH) fraud accounts for annual losses exceeding $1.2 billion. FCRM solutions allow you to more easily detect, investigate and resolve attempts to steal funds through ACH and wire (Fed and SWIFT) transactions.
  • Fraud. FCRM tools continuously aggregate cross-channel data about customers and accounts to create behavior profiles, then automatically look for unusual patterns of behavior and key indicators of fraud risk.
  • Electronic crime. You can set up custom rules and alerts to flag specific behaviors so that your analysts can investigate them.
  • Money laundering. FCRM tools with AML capabilities can be used to identify high-risk individuals by pulling from historical data to pinpoint suspicious patterns in customer transactions, as well as locating and identifying specific transactions.
  • Terrorist financing. Strong FCRM solutions provide a sanction list or blacklist and check activity on an organization’s accounts against it. If a match occurs, the solution will hold payments until an authorized person releases or denies the payment.
  • Bribery and corruption. FCRM tools make it possible for investigators to identify connections between contractors or public officials and pinpoint unusual payment patterns that could indicate the organization is paying or receiving bribes.
  • Market abuse and insider dealing. FCRM solutions help you manage employee trades and compare them in real time against activities in the securities market to investigate potential illegal trading.

How do you select an FCRM solution?

When it comes to choosing an FCRM solution, the platform you choose will be heavily dependent on your needs, making it imperative to conduct a thorough risk assessment before you begin researching tools. Here are some of the features you’ll also want to consider:

  • Reliable and complete data. Look for tools that use advanced behavior analytics and machine learning to create thorough, real-time, 360-degree profiles of the people and entities with whom you do business.
  • Customized dashboards and painless reporting. Among other things, you will need high-level overviews, trend analysis statistics, and workflow-based reports, along with the ability to drill down, access specific data to support an investigation and pull reports for compliance requirements.
  • Regulatory compliance features. FCRM tools enable you to comply with local, state, federal and international regulations. Choose a vendor that offers you the ability to rapidly retrieve log data and generate reports for auditor requests.
  • User-friendliness. You want a straightforward platform that works the way you need it to work, offering customization and an intuitive interface. Make sure that any vendor you choose is also committed to providing ongoing training and support so you get the most from your investment.

The Bottom Line

Take financial crime seriously

Customers expect a safe, real-time, omni-channel experience. E-commerce and digital data transactions create new challenges in assessing and managing your financial crime risk. That said, this isn’t something you can put off or ignore.

Regulators will hold your organization responsible for any financial crimes that happen on your watch, even those that come from outside forces. Adopting an FCRM solution makes it easier to identify, respond to and prevent those threats, while ensuring that your organization remains compliant — even with a growing and increasingly complex array of regulations.