Friday, 20 December 2019

Is Your Poor OSINT Tradecraft Prejudicing an Investigation Under s.342 POCA 2002?

Financial Institutions Beware - Your OSINT tradecraft may mean that you are potentially committing offences under s.342 of the Proceeds of Crime Act (POCA) 2002!
http://www.legislation.gov.uk/ukpga/2002/29/section/342

"Offences of prejudicing investigation
(1)This section applies if a person knows or suspects that an appropriate officer or (in Scotland) a proper person is acting (or proposing to act) in connection with a confiscation investigation, a civil recovery investigation, a detained cash investigation, a detained property investigation, a frozen funds investigation, an exploitation proceeds investigation or a money laundering investigation which is being or is about to be conducted.
(2)The person commits an offence if
(a)he makes a disclosure which is likely to prejudice the investigation
(b)he falsifies, conceals, destroys or otherwise disposes of, or causes or permits the falsification, concealment, destruction or disposal of, documents which are relevant to the investigation."

When I joined a leading global Correspondent Bank less than two years ago, I was shocked to see the poor level of Internet Investigation and Intelligence (i3) aka Open Source Intelligence (OSINT) skills and lack of tradecraft within the AML Investigations department.

The in-house AML investigators had little to no knowledge about digital footprints, and they had only received a crammed day's worth of OSINT training, of which they self-admittedly retained very little. Nobody was championing Open Source Intelligence collection techniques or promoting good tradecraft within the bank. So it came as little surprise to me that, when adopting some of the quick and easy 'Adverse Media' Boolean Operator searches learned in their 1-day OSINT input, nobody within the AML investigations team had really given much thought to what they were actually entering into the search engine, nor to how to covertly proceed with the results it displayed.

So 'why is this a problem?', you may ask.

The role of the AML investigator within a financial institution is to review suspicious transactions and assess whether the funds were transferred for the purpose of laundering money. To cut a long story short, financial institutions have means to monitor and screen transactions and to raise alerts if any 'red flags' are hit. AML investigators then review these alerts and either confirm or negate the suspicion. In the event of continued suspicion after an initial investigation, the financial institution would submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA).

The issue arises after an internal alert has been raised and an AML investigator is assigned the task of reviewing the nature of the transaction and identifying any adverse media about its sender and recipient. After conducting all of the relevant internal checks, the AML investigator typically undertakes OSINT research, which is arguably THE key method of identifying adverse media and information. Yet, important as OSINT is to the AML process, few AML investigators actually understand the concept of covert online investigations and good OSINT tradecraft. Nor have many received formal training in OSINT research, which is a massive failing of the financial institution itself.

When I arrived at said bank, no consideration had been given to the digital footprint of the financial institution's IP address being plastered all over any website they visited. Most major global organisations tend to use static IP addresses that immediately identify the company and its location. And at that bank, this was no different. This becomes particularly problematic if the AML investigator visits any website that may be under the direct control of the entity under investigation.

I personally treat any website under the potential control of an 'investigation suspect' as 'hostile'. By hostile, I mean a person who is likely to have control over the website and its web analytics or would be in a position to task someone to review such analytical data on their behalf. So, if a money launderer wired money to an associate knowing it was tainted, one should reasonably assume that the money launderer would put systems in place to warn them of any investigative action, including monitoring their web traffic for classic indicators of someone snooping around. Therefore, it wouldn't take them long to realise that the IP of a large correspondent bank had looked at their site.

But I am not just talking IP address digital footprints here. It is also the use of the search engine and how the AML investigator makes his or her way to the website having entered some 'keywords'.

Let's take a step back to that 'Adverse Media' Boolean Operator I mentioned above: This is where the actual knowledge of the transaction comes into play. The AML investigator would typically go to Google and enter the following search criteria (or something to this effect):

"John Smith" + "John Doe" + (launder OR crime OR convict OR fraud OR drugs OR narcotics OR extort OR blackmail OR embezzle OR theft) - NOTE THESE ARE FICTITIOUS NAMES USED FOR THE PURPOSE OF THIS EXAMPLE. 

Then they would hit the search button and wait approximately 0.67 seconds for Google to perform its magic and tell them there were either 'No matches' or anything up to around 9,873,513 hits (as if they'd spend the rest of their lives reading all of those!).

Now, I have witnessed some AML investigators who quite literally take the 'No matches' result as a given and write the case off with the comment 'No adverse media identified', case closed. But that is not my point with this post, as shocking as it may be.

My real point of concern is the whole search engine process - from when the AML investigator enters the 'Adverse Media' Boolean Operator search, to getting potential hits, to how they go about reviewing them.

First of all, the connection between 'John Smith' and 'John Doe' might just turn out to be highly sensitive information that only the two parties know existed for the purposes of making that one single transaction. The only other persons able to make the link between the two would be the financial institution(s) handling the transaction. 

So what actually happens in the Google search engine when hitting the search button on the above Boolean Operator search term? Well, it actually changes the URL to the following: https://www.google.com/search?rlz=1C5CHFA_enGB867GB867&ei=Oz_9XcjIJI-hgAa44augCw&q=%22john+smith+%2B+%22john+doe%22+%2B+%28launder+OR+crime+OR+convict+OR+fraud+OR+drugs+OR+narcotics+OR+extort+OR+blackmail+OR+embezzle+OR+theft%29&oq=%22john+smith+%2B+%22john+doe%22+%2B+%28launder+OR+crime+OR+convict+OR+fraud+OR+drugs+OR+narcotics+OR+extort+OR+blackmail+OR+embezzle+OR+theft%29&gs_l=psy-ab.3..0i22i30.62923.82387..84195...1.0..0.207.802.4j2j1......1....1j2..gws-wiz.......0i8i30.NZw2dJxcp-8&ved=0ahUKEwiI0uzwl8XmAhWPEMAKHbjwCrQQ4dUDCAs&uact=5

Effectively, Google has just ingested your search term and is using this information to inform its search algorithms to assist future searches. So it might just be that the next time someone starts typing "John Smith", Google will suggest the rest of the search terms. So if 'John Doe' were to do that, his search engine might already be telling him that someone has searched on his details and those of 'John Smith'. Moreover, 'John Doe' might also see the other baggage of information included in that search term, which makes reference to various types of criminality. At this point, 'John Doe' or 'John Smith' might at least raise an eyebrow, given their knowledge of what they have done. Could it be argued that they might change their behaviour as a result? Possibly, yes.

But there is more: About 99% of AML investigators I have met quite literally just click on the nice big blue hyperlink presented to them in the search engine's results. Well, surprise! - By clicking on the result, the package of data you have already put into Google (your 'keywords') and its newly created URL with all of that juicy data included gets forwarded on to Google's analytics storage, which records which sites were visited using which keywords. And let's just say two of those visited sites were hostile, namely 'JohnDoe.com' (controlled by 'John Doe') and 'JohnSmith.com' (controlled by 'John Smith').

Back in the day, website owners were routinely able to see the 'keywords' entered into the search engine when using Google Analytics. Since about 2013, Google has stopped making this data immediately available to website owners using the free Google Analytics tool. But that doesn't mean these details are not available to the website owner. The Crazy Egg Blog highlights a number of simple-ish ways to get around these Google restrictions so that the website owner can actually get access to those all-important 'keywords' entered into the search engine to land on their site.
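As an added example (not code from the original post), the following Python script makes the two leakage points above concrete: it decodes the `q` parameter of the Google search URL quoted earlier, showing that the full Boolean search text travels inside the URL, and then parses a constructed web-server access-log line to show what the owner of a site like JohnDoe.com would recover if that URL reached the site as a Referer: the visitor's source IP, the exact search text, and which adverse-media words it contained. The log line, timestamp and user agent are constructed for this example; the IP address 222.222.22.2 is the post's own made-up address.

```python
# Added example, not code from the original post. Decodes the search URL quoted
# in the post and shows what a destination site's access log could reveal.
# The log line, the timestamp, the user agent and the host are constructed;
# 222.222.22.2 is the post's made-up example IP address.
import re
from urllib.parse import parse_qs, urlsplit

# The search URL quoted in the post (split into pieces for readability).
SEARCH_URL = (
    "https://www.google.com/search?rlz=1C5CHFA_enGB867GB867"
    "&ei=Oz_9XcjIJI-hgAa44augCw"
    "&q=%22john+smith+%2B+%22john+doe%22+%2B+%28launder+OR+crime+OR+convict"
    "+OR+fraud+OR+drugs+OR+narcotics+OR+extort+OR+blackmail+OR+embezzle+OR+theft%29"
    "&oq=%22john+smith+%2B+%22john+doe%22+%2B+%28launder+OR+crime+OR+convict"
    "+OR+fraud+OR+drugs+OR+narcotics+OR+extort+OR+blackmail+OR+embezzle+OR+theft%29"
    "&gs_l=psy-ab.3..0i22i30.62923.82387..84195...1.0..0.207.802.4j2j1......1....1j2"
    "..gws-wiz.......0i8i30.NZw2dJxcp-8"
    "&ved=0ahUKEwiI0uzwl8XmAhWPEMAKHbjwCrQQ4dUDCAs&uact=5"
)

# The adverse-media terms from the post's Boolean search.
ADVERSE_TERMS = ["launder", "crime", "convict", "fraud", "drugs",
                 "narcotics", "extort", "blackmail", "embezzle", "theft"]


def search_terms_from_url(url: str) -> str:
    """Return the decoded `q` parameter: the exact text typed into the search box."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def flagged_terms(query: str, watchlist=ADVERSE_TERMS) -> list:
    """Watchlist words that occur in the query (case-insensitive, watchlist order)."""
    q = query.lower()
    return [w for w in watchlist if w in q]


# Combined log format as written by Apache/nginx: the Referer is the second
# quoted field after the status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access-log line for the hypothetical site JohnDoe.com, as it
# would look if the browser forwarded the full Google URL as the Referer.
SAMPLE_LOG = (
    '222.222.22.2 - - [20/Dec/2019:10:15:32 +0000] "GET / HTTP/1.1" 200 5123 '
    '"https://www.google.com/search?q=%22john+smith%22+%2B+%22john+doe%22'
    '+%2B+%28launder+OR+crime+OR+fraud%29" "Mozilla/5.0"'
)


def exposure_from_log_line(line: str) -> dict:
    """What the site owner learns from one log line: the source IP, the search
    text that brought the visitor, and which adverse-media words it contained."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a combined-format log line")
    referer = m.group("referer")
    query = search_terms_from_url(referer) if referer != "-" else ""
    return {
        "ip": m.group("ip"),
        "search_terms": query,
        "flagged": flagged_terms(query),
    }


if __name__ == "__main__":
    terms = search_terms_from_url(SEARCH_URL)
    print("Search text carried in the URL:", terms)
    print("Adverse-media words present:", flagged_terms(terms))
    print("Site owner's view of the sample log line:", exposure_from_log_line(SAMPLE_LOG))
```

Two caveats on reading the output. What actually arrives in the Referer header depends on the browser's referrer policy and on Google's own result pages, which (as the post notes for the period since about 2013) may send only the origin rather than the full query; the script shows the worst case in which the full URL is forwarded. The source IP, however, is logged on every visit regardless of referrer handling, which is why the post treats the bank's static IP as a footprint in its own right.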

So let's stop and consider what has just happened:
  1. John Doe wires John Smith a transaction of $150,000. Only John Doe and John Smith know of their relationship. It is not publicly known. This transaction is the first and only time they can ever be associated with each other. 
  2. The transaction raises an alert within the Correspondent Bank BigBank PLC, and is assigned to the AML Investigator.
  3. The AML Investigator conducts OSINT research. They visit Google and enter the search term "John Smith" + "John Doe" + (launder OR crime OR convict OR fraud OR drugs OR narcotics OR extort OR blackmail OR embezzle OR theft)
  4. The AML investigator clicks on the hyperlinked result leading to website JohnDoe.com
  5. JohnDoe.com is reviewing all website activity, as the webpage and company only act as a front for a money laundering operation. The website is rarely visited or searched for. John Doe sees incoming traffic onto the site from IP address 222.222.22.2 (this is a made-up IP address for this example). This IP address is identifiable as the static IP address for 'BigBank PLC'. The keyword report lists the search terms used by this visitor as including references to "John Doe" and "John Smith" as well as the keywords "launder", "crime", "convict", "fraud", "drugs", "narcotics", "extort", "blackmail", "embezzle", and "theft".
  6. JohnSmith.com is reviewing all website activity, as the webpage and company only act as a front for a money laundering operation. The website is rarely visited or searched for. John Smith sees incoming traffic onto the site from IP address 222.222.22.2 (this is a made-up IP address for this example). This IP address is identifiable as the static IP address for 'BigBank PLC'. The keyword report lists the search terms used by this visitor as including references to "John Doe" and "John Smith" as well as the keywords "launder", "crime", "convict", "fraud", "drugs", "narcotics", "extort", "blackmail", "embezzle", and "theft".
  7. John Doe and John Smith, having effectively been alerted by the web searches, start destroying records and move to a jurisdiction that does not support extradition to the UK. 
  8. BigBank PLC submits a SAR to the NCA
  9. The NCA initiates an investigation into John Doe and John Smith on the grounds of suspected Money Laundering offences. As they attempt to arrest them, they are identified as having left the country and no documentation was retrievable. 
I am not saying that this is always the case but given the nature of the type and seriousness of criminality we are generally dealing with here, it is reasonable to assume that those involved in complex money laundering activity will seek to protect themselves and be extremely wary of any form of investigative activity - especially on their respective websites. 

So the potential offence under POCA s342 comes into play because the AML investigator has already formed a suspicion of money laundering. Moreover, if the AML investigator and their respective bank actually submit a SAR, then it is reasonable to assume that both the AML investigator and the bank "knows or suspects that an appropriate officer or [...] is acting (or proposing to act) in connection with [...] a money laundering investigation which is [...] about to be conducted."

I argue, therefore, that it is reasonable to assume that an AML investigator or disclosing bank should know that a SAR submission to the NCA may lead to a money laundering investigation (i.e. 'is about to be conducted').

Moreover, poor OSINT search techniques can quite literally publicise any investigative interest in the suspected parties - and if the suspects are cautious criminals, they should be fully aware that they have been rumbled.

As a result, the criminals are likely to take precautionary measures to "permit the falsification, concealment, destruction or disposal of, documents which are relevant to the investigation."

I also argue that an AML investigator and their associated bank's untrained online research is likely to prejudice the investigation. 
And before you consider arguing that, as per part 2 of s342 POCA 2002,

A person does not commit an offence under subsection (2)(a) if—
(a)he does not know or suspect that the disclosure is likely to prejudice the investigation,

this post has publicised how certain OSINT techniques may prejudice an investigation and effectively negates any argument of 'not knowing' or 'suspecting'.

If you want to know more about more appropriate OSINT research techniques, you might be interested in my "Investigating Illicit Financial Networks" AML OSINT Training Course.
