Legal Restitution as a Financial Intelligence Methodology


    Victims of a crime, as individuals or as corporate entities, are legally entitled to restitution. The Mandatory Restitution Act of 19961 established procedures for determining the amount of restitution to which a victim may be entitled. Banks are often a victim of a variety of crimes such as automatic clearing house fraud, check kiting, ATM deposit fraud, mobile deposit fraud, quick change artist, bank robbery, etc. Due to the geographic footprint of a bank, the local branch office will file a report with local law enforcement (LE), and a copy of that report might go to the Bank Secrecy Act/fraud programs of the bank. Generally, once the report is filed most banks will move on and write off the loss. This is where the fraud/antimoney laundering program (FRAML) can make a difference.

    The standard FRAML program most banks use involves a transaction monitoring system to identify a series of thresholds, which create alerts. An analyst will review the alerts and elevate the predicated alerts to a case. A more in-depth review is completed using a variety of mandatory checks and if there is enough information of irregularity, a suspicious activity report (SAR) is filed. The client will be monitored as part of the enhanced due diligence (EDD) program. If enough SARs are filed on a client, then the account may be closed down. A secondary event process is usually when an LE entity submits a subpoena or a request for supporting documents and the bank will elevate the client’s risk score and create new SARs. What banks are missing is the merging of these two separate events within the bank for the creation of actionable intelligence.

    Banks are creating financial intelligence units (FIUs) as part of a process to fine-tune the rules set used by the anti-money laundering (AML) monitoring system. Yet they often ignore the end result of the AML process—LE action. A SAR is filed, an LE entity reads it, opens a case, subpoenas the information from the bank and eventually the case goes to plea bargain/trial/convictions. The branch incidents of fraud immediately create an LE report—with an eventual arrest/conviction—often in a very short period of time. In both cases, if the bank is a victim of a crime, then it is eligible for compensation through court order restitution. This is the key to the restitution intelligence process. The FRAML program of the bank needs to work with the legal department to track the victim/witness legal process because it is usually served on the legal department. The court needs to know how much loss was experienced by the bank/victim in order to be adequately compensated. This entire process falls into the neat and tidy intelligence cycle.

    The intelligence process

    One of the key elements to the intelligence process is the intelligence cycle. According to the graphic on page 28, the fraud incident itself would occur at stage two of the intelligence cycle: collection. Why collection? Raw intelligence is being submitted from a trusted source—LE. It is a statement of the facts as can best be determined by the investigating entity at that time of:

    1. What happened?
    2. When did it happen?
    3. Where did it happen?
    4. Who might have done it?
    5. Why did it happen?

    Each of the five elements of the police report should be analyzed as though it were an intelligence information report (IIR), which is the standard report of the intelligence world. Keep in mind the IIR is not finalized intelligence, but the reporting of raw data or information. The FRAML and FIU should gather the individual IIR/ police report and integrate the information with all of the other IIR/police reports. This is the process area of the intelligence cycle. This step flows directly into the analysis phase of the cycle. The FIU will then conduct analysis based on a variety of issues of concern to the bank. That analysis should lead to a dissemination of an information document to different levels of the bank to offset losses from this type of activity in the future, i.e., the planning/direction phase of the cycle. The FRAML program can review the incident and modify the rules set to identify the fraudulent activity more effectively, which goes back to the collections portion of the cycle. Keep in mind the intelligence cycle has five basic areas and each area is dependent on the others. It is a continuous cycle and each step feeds off the other steps in the cycle.

    Integrating information into actionable intelligence

    The key to the criminal activity/restitution process is that the information is directly related to illegal activity, versus SAR reporting wherein the bank is suspicious that something illegal is happening. If there is a conviction/order of restitution, the bank will eventually receive checks from the Department of Corrections.

    Arkaxhiu is also an active Association of Certified Anti-Money Laundering Specialists (ACAMS) member and she participates as a speaker and trainer for different ACAMS initiatives.

    Oftentimes it is not a large amount of money, but it is significant for the FRAML program. Court proceedings are open source/public record. In the case of a plea bargain, the subject of the investigation will have to allocute (tell the court the who/what/why/when/where of the crime) in order for the judge to impose a sentence/restitution order. In the case of a conviction, the court records will have testimony of witnesses that will lay out the crime and why the subject was the perpetrator of the crime. All of these documents/ proceedings are valuable intelligence for fine-tuning the FRAML process.

    Here is an example of a common fraud scheme. A bank branch finds a skimmer on one of its ATM machines, leading to a significant number of compromised accounts. The bank issues new cards to its affected customers and files a report with the appropriate federal/state/local LE entity. The report is forwarded to the FRAML program, and the subsequent tracking of reports indicate that it is one of five different branches of a bank where a skimmer was placed on the ATM machine within several days of each other. The FRAML program liaisons with LE as the case is being consolidated into a federal case. The loss at the corporate bank level is over $100,000. As the fraud officer begins exchanging information with LE, the fraud officer learns that all of the ATMs that were hit did not have adequate camera coverage. Working with the legal department, the bank has completed the victim/ witness forms and requested appropriate restitution. The short-term solution was placing cameras for better protection of the branch from this type of fraud. As the case develops, arrests are made and the perpetrators agree to cooperate with LE in order to reduce the jail sentence. As part of the plea agreement, the perpetrators tell LE that the targeted bank’s inadequate security at the ATM machines was common knowledge within their community and on the “dark web.”

    It is important to note that a FRAML program that does not track/follow the legal process through to its conclusion will miss all of the intelligence that can come from the plea bargain, conviction and restitution process. The example above covers ATMs with vulnerabilities, the possibility of potentially damaging information about the bank on the “dark web,” discussion with the appropriate LE agencies to learn more about future potential crimes, and completing paperwork for victim/witness assistance to ensure some recovery of lost funds through restitution. A secondary element is the need to fully integrate the FRAML program with the legal department and deposit/branch operations in order to identify when restitution has been ordered and when money is being received. Oftentimes a bank will receive restitution payments and have no idea why the money is coming into the bank. The bank will try to identify where the loss was written off from the original crime in order to balance the books in the long run. If the FRAML program is notified about the checks, they can liaison with LE and the court system to learn what happened and integrate the information into the intelligence cycle.

    Intelligence profit from fraud losses

    Remember, the restitution check is a critical event within the FRAML process. The bank was a victim of a crime, so a cutting-edge FRAML program will see what it can learn from the incident to offset risk and future losses. When the checks are received at the bank, there is credible, actionable information that can be analyzed to create intelligence assisting in offsetting risk and future loss of profit while being completed in a cost-effective manner. In addition, the FRAML program becomes less of a cost center and more of a profit protection program. Imagine getting back a percentage (large or small) of money lost due to criminal activity through court order restitution, developing a program that coordinates deposit operations/branch activity/legal areas of the bank, and improving the alert/ case/SAR filing program at the same time without a real increase in operating budget. That would be a good investment of time and money.

    William Dayhoff, CAMS, CFE, MBA, retired special agent and designated FBI national intelligence officer, Jacksonville, FL, USA,

    1. “Mandatory Restitution Act of 1996,” The United States Department of Justice, https:// legacy/2006/09/26/restitut.pdf