SAS Money

Laundering
Detection –
Development
Bank of the
Philippines
Scenario Workshop
Farhatullah Mohammed

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Introduction – Farhatullah
Mohammed
 With SAS Middle East since 1996
 SAS AML project consultant since March 2004
 Implemented first AML system outside US
 Conducted requirement gathering workshops for
Guaranty and Skye Bank, Nigeria
 Worked with Versions 1.2 / 1.4 /2.1
 Project consultant for Guaranty and Skye
 Worked with AML projects at:
• Samba Financial Group Saudi Arabia
• Mashreq Dubai (UAE)
• Commercial International Bank Egypt
Copyright © 2006, SAS Institute Inc. All rights reserved.
 Agenda
Day 1
 Anti Money Laundering /Terrorist Financing
Background Overview
 SAS Money Laundering Detection Overview
 SAS Scenarios Workshop Overview
Day 2
 Scenarios Review
 Parameter Selection
Day 3
 Scenario Admin Review
 Issues, Question & Answers
3
Copyright © 2006, SAS Institute Inc. All rights reserved.
 Agenda

 Anti Money Laundering /Terrorist Financing

Background Overview

4
Copyright © 2006, SAS Institute Inc. All rights reserved.
 AML/TF Background
 LSE estimate of $500 Billion per year globally
 Russian estimate of $16 Billion
 Age old problem, but…
 Since 9/11 and the US Patriot Act is now a
matter of regulation
 US, EU Regulations first in place
 Middle East Regulators early political pressure
 Eastern Europe and Far East Regulators now
 Rest of world under pressure to follow
Copyright © 2006, SAS Institute Inc. All rights reserved.
 AML/TF Background
 Peoples Bank of China discovered a ML case
involving over USD633 million
 Russia’s Central Bank has over 60 criminal
investigations and revoked 49 banking licenses
involving USD5.6 billion in 2006
 US FinCen has fined numerous US banks in
2005/2006 (ex. Arab Bank, ABN AMRO)

Copyright © 2006, SAS Institute Inc. All rights reserved.

 AML/TF Background
 ABN-AMRO $84,000,000
• Deficient controls and processes in foreign branches
• Intermediary risks
 Bank Atlantic $10,000,000
• Failure to monitor foreign wires
• Failure to profile and risk rank customers
 Oppenheimer $ 2,800,000
• AML program not sufficient relative to risk profile
• Failed to file Suspicious Activity Reports in timely manner

 http://www.fincen.gov/reg_enforcement.html

Copyright © 2006, SAS Institute Inc. All rights reserved.

 History of Money Laundering
Regulations
 1970 – Bank Secrecy Act (BSA)

 1986 – Money Laundering Control Act

 1992 – Know Your Customer (KYC)

 2001 – USA PATRIOT Act

 2005 – 3rd European Anti-Money Laundering Directive

Copyright © 2006, SAS Institute Inc. All rights reserved.

 So what is Money Laundering?

 Very simply is a result of the proceeds of crime.

 Not all proceeds of crime are laundered
 Crime includes: Tax evasion, Theft, Narcotics,
Racketeering, Fraud, Corruption, Other crime.

Copyright © 2006, SAS Institute Inc. All rights reserved.

 What is Money
Laundering?

“The process by which large amounts of illegally obtained money

(through terrorist activity or other serious crimes) is given the
appearance of having originated from a legitimate source. If done
successfully, it allows the criminals to maintain control over their
proceeds and ultimately to provide a legitimate cover for their source
of income”
- Bank of International Settlements

Copyright © 2006, SAS Institute Inc. All rights reserved.

 What is Money Laundering?
1 Placement
When illicit (“dirty”) monies are deposited at a financial
institution, placement has occurred. It is during the
placement stage that currency enters the financial system
and illegal proceeds are most vulnerable to detection.

Copyright © 2006, SAS Institute Inc. All rights reserved.

 What is Money Laundering?
2 Layering
During the layering stage, a launderer may
conduct a complex web of financial transactions
(“washing of proceeds”) in order to build layers
between the funds and their original source.

Copyright © 2006, SAS Institute Inc. All rights reserved.

 What is Money Laundering?
3 Integration
During the final stage in the laundering
process, illicit funds are integrated (“cleaned”)
with monies from legitimate commercial
activities as they enter the mainstream
economy. The illicit funds thus take on the
appearance of legitimacy. The integration of
illicit monies into a legitimate economy is very
difficult to detect unless an audit trail had been
established during the placement or layering
stages.

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Common AML Compliance Processes
 Detecting illicit activity and unusual behavior
• Known vs. unknown patterns of behavior
 Scrubbing customers against High-Risk lists
 Documenting the Investigation Process
• Audit trails for internal audit and regulatory review
 Filing a Regulatory Report
• SARs, STRs, CTRs
http://www.fincen.gov/reg_bsaforms.html#SAR
 Retain Cases and Documentation for ‘x’ Years

Copyright © 2006, SAS Institute Inc. All rights reserved.

 ML/TF Risks to the Bank

 Negative Publicity

 Personal Liability

 Financial Risk – Fines

 An adverse Effect on the Bank Bottom Line
 Possible international sanctions

 Reputation, Reputation, Reputation !!!

Copyright © 2006, SAS Institute Inc. All rights reserved.

 AML & TF
The key differences between them
Money Terrorist
Laundering Financing
Motivation Profit Ideology
Source of funds From criminal activity From criminal activity,
benefactors and
fundraising
Conduits Formal financial Cash couriers and
systems informal financial
systems e.g.
currency exchanges
Detection focus Suspicious Suspicious
transactions relationships

Courtesy of Money Laundering Alert – July 2005

Copyright © 2006, SAS Institute Inc. All rights reserved.
 AML & TF
The key differences between them
Money Terrorist
Laundering Financing
Transaction Large amounts often Numerous small
amounts structured to avoid amounts
reporting
requirements
Financial activity Complex web There is still no
involving shell workable financial
companies and off- profile available
shore secrecy
havens
Money trail Circular – funds Linear – funds are
inevitably return to generated to be
the originator spent in the pursuit of
terrorism
Courtesy of Money Laundering Alert – July 2005
Copyright © 2006, SAS Institute Inc. All rights reserved.
 Agenda

 SAS Anti Money Laundering/Detection Overview

18
Copyright © 2006, SAS Institute Inc. All rights reserved.
 SAS MLD
Framework KnowledgeInvestigation
Center

Scenarios
Risk Factors
Source Systems
ETL

Alert Generation

Core
Transactions
Accounts
Customers
Groupings
Watch Lists
History

Data Management

Ad Hoc Reporting Administration

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Monitoring Framework

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Data Management

Customer &
Account

Transactions

Relationships

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Architecture Diagram

Operational
SAS Datasets

Data Knowledge
Center

Investigation Client
NT Server
MS /Windows
Core
Alert
Generation
Server Client Tier

Data Management
Processes

Server

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Agenda

 SAS Scenarios Workshop Overview

23
Copyright © 2006, SAS Institute Inc. All rights reserved.
 What is a scenario?

 Scenarios are registered instances of code

intended to identify a specific behavior
 Product scenarios are written to generate a
single alert as soon after the behavior as
possible
 New activity can result in another alert for the
same entity, scenarios require this new activity to
prevent duplicate alerts

Copyright © 2006, SAS Institute Inc. All rights reserved.

 How is a risk factor
different?
 Risk factors are pieces of code intended to
identify a specific type of customer, day after day
 Product risk factors are written to match the
same customer for a configurable time period
when that customer displays the attributes that
differentiate him from a “normal” customer
 Risk factors do more than affect the score
• Provide clues to investigators
• Enable consistent investigative procedures
• Customers with a number of risk factor matches can be
the subject of an alert without a scenario match

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Scenarios vs. Risk Factors

 Scenarios describe less common - and more

suspicious - behavior, and therefore when they
are matched, they generate alerts
 Risk factors describe more common, less
suspicious behavior, so when they are matched,
instead of generating alerts, they raise the risk
score for an entity that also matched a scenario

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Risk Scoring Dimensions

Activity
matched by
scenario
Risk Factors
matched

Other activity at
the same time Previous
activity

Copyright © 2006, SAS Institute Inc. All rights reserved.

 SAS® Anti-Money Laundering
Solution
Risk Ranking

Activity 500
Other activity at
+
the same time
50
Risk Factors
+
present
200
Other previous
+
activity
150

900
Copyright © 2006, SAS Institute Inc. All rights reserved.
 What does a scenario/risk
factor include?
 Three elements comprise a scenario registration
• Prep file definition
• Scenario code
• Scenario parameters
 Implementation teams and customers are free to
make changes to any of these three inputs
(though parameter changes are most common)
 Small changes in any of the three elements can
result in vastly different output
 Tech Support’s ability to respond to scenario
calls relies on as few changes as possible
Copyright © 2006, SAS Institute Inc. All rights reserved.
 Status Quo: Typical Monitoring
Approach

Customers
matching a
scenario
e.g.
Structuring
across
multiple
locations

Exception Reports, Scenarios, or Sentinels

Copyright © 2006, SAS Institute Inc. All rights reserved.

 SAS Monitoring with Risk Factors

“New” Customers
matching a
Risk Factor

Customer
matches-Scenario

Customers
matching
Risk Factor
Exception Reports, Scenarios, or Sentinels
e.g. Multiple
ATM
deposit Risk Factors
locations
in a single day

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Scenarios and Risk Factors in
Practice

2
or

or
n
2
1

ct
rio
rio
io

rio

ct
Fa
Customers

ar

fa
na
na

na
en

sk
sk
Accounts

e
e

Sc
Sc
Sc

Sc

Ri
Ri
Transactions
Filtering

Alert with low risk score

Customers Alert with medium risk score
Accounts Possible alert
Transactions
Alert with high risk score

Customers
Accounts
Transactions = scenario/ risk factor hits

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Which scenarios should we
focus on initially?
 Most implementations have a phased approach
to scenario & risk factor implementation
 This is a benefit for the implementers, but mostly
for the institution
 Fewer scenarios
• More focused testing effort and shorter project plan
• Fewer alerts while being acclimated to the system
 As many risk factors as reasonable

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Which scenarios should we
focus on initially?
 First phase of scenarios should focus on areas
identified in the institution’s risk assessment
 Most of the time, these areas of greatest risk
exposure are…
• Cash (SAS10006, SAS10007)
• Wires (SAS10021, SAS10022)

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Which scenarios should be
brought in as part of a staged
approach and are out of focus
for initial implementation?
 Only the highest risk scenarios should be rolled
into the first phase
 Risk factors do not create work and provide
intelligence, adding them does not complicate
the bank’s transition the same way as adding
scenarios
 No specific scenarios are “in” or “out” from a
staged approach point of view

Copyright © 2006, SAS Institute Inc. All rights reserved.

 What are the common
scenarios that most sites
use/avoid to cover their risk?
 The most common and successful scenarios are
the currency structuring scenarios, SAS10006 &
SAS10007
• “BSA/Structuring/Money Laundering continued to be the
leading characterization of suspicious activity filed by
depository institutions.” – FinCEN 2005
• Countries without mandatory currency transaction
reporting can still use SAS10006 to identify unusually
large cash activity

Copyright © 2006, SAS Institute Inc. All rights reserved.

 What are the common
scenarios that most sites
use/avoid to cover their risk?
 Rapid rotation wire scenarios also common
• SAS10019, SAS10021, SAS10022
• Not as successful as 6/7, but that’s in line with the state
of the industry
 “Big stuff” scenario variations of SAS10020
• Though named “Large Incoming Wire” this scenario can
be parameterized to search for purchase or sale of cash
equivalents, large checks in or out, et al.
• Some variations meet with various success, screening
all large wires does not yield many financial criminals,
while debit card returns often find embezzlers, money
orders often point to small-scale laundering

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Commonly Used Scenarios
 SAS10006 (All) – Large Aggregate Cash Transactions
 SAS10014 (4) – Structured Withdrawals
 SAS10015 (All) – Multiple Location Usage
 SAS10018 (4) – Transactions Involving High Risk Countries
 SAS10019 (All) – Bidirectional Wires
 SAS10020 (All) – Large Incoming Wire
 SAS10021 (All) – High Velocity Funds – Wires In
 SAS10022 (All) – High Velocity Funds – Wires Out

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Can I customize the production
SAS scenarios?
 You likely will have to customize the scenarios,
particularly at larger institutions
 When custom scenario code is created, you must
rename the code something other than the default
SAS10xxx to prevent overwriting during upgrades
 Fulfilling customer needs will often require
changes to all three scenario elements
• Prep file
• Parameters
• Scenario code

Copyright © 2006, SAS Institute Inc. All rights reserved.

 How do I write a scenario?

 Each scenario is a macro, while the parameters

are the macro variables passed in during the
macro call
 Normal scenarios process a date-sorted set of
transactions that is prepared prior to the macro
call
 Writing scenarios requires manipulating this array
of transactions in a macro environment
 For guidance on how to avoid duplicate alerts,
parameter naming conventions, and other topics,
consult the included scenario code
Copyright © 2006, SAS Institute Inc. All rights reserved.
 Can I convert a Risk Factor into
a scenario?
 Yes, with two major caveats
 Risk factors are coded to produce matches nearly
every day – checks for new activity and trigger-
based detection do not exist in risk factors
• Test for multiple days if undertaking such a conversion
to assure multiple alerts won’t be generated
 Risk factors match a significantly greater portion
of customers and accounts than do alerts
• Test for raw numbers before telling an institution such a
conversion is possible – it may be technically possible,
but not practical from other points of view

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Bayes Weights

 See scenario admin guide for full discussion

 Money Laundering Weight
• Proportion of money launderers who would match the
scenario or risk factor
• Example: ½ of SARs at your bank involve structuring on
SAS10007, set ML Bayes weight = 10
• 1/20 of SARs involve new customers, set Bayes weight
=1
• Fill in all scenario/risk factor weights in between
 Terror Finance Weight
• Same process
Copyright © 2006, SAS Institute Inc. All rights reserved.
 Execution Probabilities

 The proportion of customers (or transactions) that

would match the scenario or risk factor during the
scoring duration
 Example
• Scoring duration = 60 calendar days
• Scenario X has 400 alerts during this period
• 50 parties have redundant alerts, leaving 300 distinct
parties responsible for the 400 alerts
• Bank has 1,000,000 customers
• Execution Probability = 300/1000000 = .0003
 Independent of ML/TF distinction
Copyright © 2006, SAS Institute Inc. All rights reserved.
 Watch List Scenarios & World-
Check
 Although we have integrated W-C’s lists into SAS
AML from an ETL point of view, W-C is NOT a
requirement for these scenarios
 When W-C data is used by SAS AML, their lists
are used to populate our Watch List tables (entity
& location)
 When W-C data is not used at an implementation
site, other data is sourced for the watch list tables
 Scenarios are agnostic regarding watch list
population via W-C or non-W-C methods

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Watchlist Scenarios

Default “watch list” scenarios supplied with

SAS Anti-Money Laundering
 Scenario 78 – Transactions involving FATF/NCCT
Countries
 Scenario 79 – PEP Identification / Maintenance
 Scenario 80 – Watch List Identification
 Scenario 82 – Terrorist Identification

Also, develop site-specific scenarios

Copyright © 2006, SAS Institute Inc. All rights reserved.

 What is fuzzy matching?

 Exact matching is very strict: either a word

matches or it doesn't. Very easy for a computer.
 Fuzzy matching is an attempt to improve the
comparision of words, names, addresses by
matching more than the exact words, names and
addresses
 Fuzzy matching techniques try to reduce words
to their core and then match other forms of the
word using match codes.

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Matching Example
Names

Different variations of same name, same

match code

Name Match Code

James D. Goodnight PHDF8B~$$$$$87B$$$

Jim Goodnight PHDF8B~$$$$$87B$$$

JAMES GOODNIGHT PHDF8B~$$$$$87B$$$

Dr. James Goodnight PHDF8B~$$$$$87B$$$

Jimmy Goodnight PHDF8B~$$$$$87B$$$

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Matching Example
Addresses
 The system standardizes the address format then builds the
match codes for comparison
 The match code for an address is a series of concatenated
match codes for street name, city, state, country, etc.
 If needed, individual component match codes of an address
match code can be compared

Address Match Code

100 NORTH CHATHAM STREET, CARY, #B~4~4$$&42942BW3Y$$$$$$Z00PY~2J$$$

NORTH CAROLINA, 27511 United States $$$$$

#B~4~4$$&42942BW3Y$$$$$$Z00PY~2J$$$
100 N. Chatham St., cary, NC, 27511 usa
$$$$$

Copyright © 2006, SAS Institute Inc. All rights reserved.

 International Matching
Considerations
 Naming conventions vary in different regions and
cultures so a global standard of match code
routines is required
 Names from foreign countries do not always
follow “given” or family name rules
 Transliterations causes spelling variations
 Address formats are different by country

Copyright © 2006, SAS Institute Inc. All rights reserved.

 International Names
Example

 Match codes are equal even if last name is spelled differently

 Usually caused by transliteration from non-Latin based
alphabet to English (e.g. from Arabic, Russian, Chinese, …)

Name Match Code

Moammar Gadafi F&88&G7$$BY$$$$
Moammar Gadafy F&88&G7$$BY$$$$
Moammar Gaddafi F&88&G7$$BY$$$$
Moammar Qadhdhafi F&88&G7$$BY$$$$

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Goal of Matching Watch Lists
 Accurately find people that are on the watch lists
 Avoid false positives because…
• Require resources to resolve
• Decreases confidence in the process
 Avoid false negatives because…
• You don’t know about them
• False sense of correctness
• Surprises and Potential penalties

Watch List
Match Non-Match
Party on Watch List Positive False Negative
Party Not on Watch List False Positive Negative

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Match Criteria
 Use multiple matching criteria to reduce false
positives
 Such as
• Address, country, state, province, city, street
• DOB
• Social Security or TIN

Copyright © 2006, SAS Institute Inc. All rights reserved.

 “Dynamic” Scenarios &
Account Analysis Dim
 FSC_ACCOUNT_ANALYSIS contains inputs to
parameters for scenarios 86-91
 Example: expected_incoming_amount is a
measure of how much money will be credited to
the account in the current month, SAS10086 looks
for accounts depositing significantly more than
this expected amount
 Process: During ETL, several months of account
profile data (and possibly KYC data) can be
brought together and analyzed for the purpose of
estimating the next month’s activity

Copyright © 2006, SAS Institute Inc. All rights reserved.

 “Dynamic” Scenarios &
Account Analysis Dim
 When real activity is much greater than the
expected values, a match is created
 86 – Deposit Amount
 87 – Withdrawal Amount
 88 – Deposit Count
 89 – Withdrawal Count
 90 – Multiple month change in any of the four
 91 – Rapid rotation above normal amounts

Copyright © 2006, SAS Institute Inc. All rights reserved.

 Questions?

Copyright © 2006, SAS Institute Inc. All rights reserved.

Copyright © 2005,
2006, SAS Institute Inc. All rights reserved. 56