Financial institutions can uncover unique intelligence in the fight against financial crime – they have an unrestricted view of the movement of money, making it possible to spot unusual behaviour.
But effectively identifying suspicious activities requires huge volumes of data to be reviewed as part of standard fraud or AML procedures. So, most financial institutions introduce automated tools that can isolate the customers behaving unusually, from the majority of customers behaving in a ‘normal’ way.
This approach requires a robust understanding of ‘normal’ behaviour that can be codified within the model. Normal behaviour may be summarised as a customer acting with economic rationale. But defining normal customer behaviour isn’t simple – different customers behave in different ways at different times for valid reasons, so one size doesn’t fit all.
That means automated tools must look for a set of indicators that’s broad enough to cover different people and businesses yet detailed enough to identify genuinely suspicious behaviour. If the indicators are too loose, you’ll sacrifice efficiency and effectiveness as the tool triggers false positives. Too narrow and you’ll face operational challenges as the tool becomes hard to understand and maintain.
So, how can financial institutions define and codify normal behaviour when it’s highly variable across customers?
Identify your indicators
You can’t define normal customer behaviour in any given circumstance, it needs to be inferred from indicators. To spot these indicators, financial institutions typically use one of three strategies, each of which comes with its own set of benefits and drawbacks:
1. Historical comparison
One of the most obvious indicators is a change in recent behaviour. Behaviour that deviates significantly from a customer’s previous patterns can indicate suspicious activity. For example, if a customer’s credit transactions are reviewed, comparison to a metric calculated from previous turnover could be used as an indicator. This can be highly effective and the data should be reliable and straightforward to procure.
But this approach has limitations. For example, financial institutions won’t have historical data for new customers and they won’t be able to identify customers who have always been engaged in suspicious behaviour. Relying on this type of indicator could continue to mask the behaviour by normalising the outputs, making detection hard.
2. Peer comparison
An alternative strategy is to compare a specific customer’s behaviour to that of their peers. Patterns of behaviour for an individual customer deviating significantly from their peers’ under similar circumstances may indicate a risk.
This strategy requires a model to define which peer group each customer belongs, so approaches vary depending on the type and availability of the referential data. For example, you could group business customers by their industry classifier codes (eg. SIC).
However, defining and maintaining a stable model that’s not too broad or too niche, and uses reliable and up-to-date data, is often challenging. For example there are over 700 SIC codes so the categorisation may be too broad. At the same time, poor quality data can limit the effectiveness. And people aren’t uniform, so the behaviour of some outliers could be legitimate, limiting the efficiency.
3. Customer-derived inputs
A third strategy is to check for deviations against the customer’s expectations for their behaviour. Under UK money laundering regulations, banks must assess how each customer intends to use their account (purpose and intended nature), which usually occurs during onboarding. A customer’s actual behaviour deviating significantly from their self-declared expected behaviour may indicate a risk.
But this approach relies on information provided by the customer, which can be hard to verify and quickly goes out of date as people’s or business’s circumstances change. The information may even be flawed if customers intentionally inflate their expected business activity in the hope of winning better contractual terms. Also a prospective customer opening an account intended to conduct illicit transactions is unlikely to define their expected behaviour in a way that may later attract attention.
A blended strategy will best highlight suspicious behaviour
There’s no perfect way to identify unusual behaviour – each strategy has benefits and drawbacks when determining deviation from normal behaviour. So, the most effective risk mitigation strategies incorporate a mix of all three. More indicators means a broader base of sources from which to build up and quantify a more complete understanding of the customer’s behaviour. This approach not only helps investigators to spot and contextualise more suspicious behaviour, but also to prioritise the most suspicious cases.