icourts Investigates Anti-Money Laundering Breaches at International Bank
How did they do it?
- Used Early Case Assessment and Analytics to cull and analyze 75 million pages
- Built profiles of key players and prepped for interviews using Case Dynamics
- Identified a pattern of non-compliant behavior among senior compliance managers
A whistleblower contacted a financial regulator concerned about anti-money laundering (AML) breaches at a large international bank. After interviewing the whistleblower, the regulator launched an investigation and issued the bank a notice to produce, alleging AML breaches involving $50 million in transactions.
In response to the notice, the bank provided the regulators with a hard drive containing 0.5 terabytes of data—approximately 75 million pages, including millions of communications from across the entire organization.
Phase 1: Cull Documents & Preserve Evidence
The icourts analysts got to work, using Early Case Assessment to defensibly remove duplicate documents from the review set. They also ran email threading over the data set to eliminate emails from the same chain with duplicate content.
Although the data set contained many duplicate documents, the regulators wanted to preserve the evidence—culling at the ingestion stage was not an option. To avoid pushing the duplicate data into the review workspace, icourts ran a script over the emails to perform an “artificial deduplication.” This preserved the raw data while tagging emails as “master,” “unique,” or “duplicate.” The analysts were then able to push documents tagged “master” and “unique” to their RelativityOne review workspace and analyze the most applicable documents.
The duplicate documents were retained in a RelativityOne repository workspace—which is billed at one-third of the cost—to maintain evidential integrity.
By performing a structured early case assessment, the regulator saved both time and money from the outset by only hosting and reviewing the necessary documents.
Phase 2: Set the Review Strategy
Once the refined documents were in the review workspace, the investigators wanted to establish what types of data they had and which concepts and words were connected.
Using the information provided by the whistleblower, the icourts analysts ran a narrow search term report and batched those documents out for review.
However, the investigators did not want to rely solely on search terms as they might miss additional relevant information suggesting other nefarious activity. So, icourts used concept searching and clustering in Analytics to provide a visual representation of all the conceptually similar documents and connections.
Using this strategy, the investigators were able to identify several documents relating to tax filings but very few relating to AML policy, procedures, and actions. They identified a number of documents that were irrelevant and could be excluded, such as emails related to “Friday Drinks” and documents about HR onboarding.
The icourts analysts also overlayed the documents coded as relevant from the initial search-term review to determine the richness of the set. Heat maps across the clustered visualizations showed how conceptually similar documents were to relevant documents.
Phase 3: Find the Key Players
In addition to reviewing documents, the investigators needed a high-level overview of the organizational structure and the key actors in the compliance team.
Using keyword searches, icourts found the organizational chart clearly showing the names, roles, and titles of everyone on the compliance team. This was checked in combination with policies, procedures, and training throughout the wider organization. They then used a few different RelativityOne features to help analyze people and their communications:
- Name normalization to identify the aliases of each member of the compliance team. RelativityOne automatically groups multiple aliases into a single entity, making it easier to follow every communication to and from the compliance team. For example, any communication tied to “Jim”—regardless of whether it was from a different email address or display convention—was linked and searchable under the entity filters.
- Communication analysis, which showed the investigators that one person was clearly at the center of all related communications.
- Email threading to visualize the flow of communication. Duplicate content and attachments from the same email chain were grouped, so the investigators only needed to check the top chain or middle chains for new information. Email threading also highlighted when the conversation branched off for a side chat, which was easily checked for suspicious activity.
By adopting a holistic approach and integrating and overlaying several Analytics features, the team was able to answer integral questions in the investigation quickly:
- When suspicious behavior prompted a red flag, who reported it?
- Whom was it escalated to?
- At what stage was it referred to the police for investigation?
Phase 4: Analyze Suspicious Client Accounts
The whistleblower had provided a series of client accounts with suspected involvement in AML activities. RelativityOne identified all the documents associated with those client names or client IDs.
The icourts analysts then set up Case Dynamics and only batched out the inclusive emails for the investigators to review with a chronology of events.
The chronological organization allowed the investigators to quickly answer questions vital to the investigation:
- When onboarding new clients, did the bank open accounts despite missing vital information such as proof of income?
- If information was missing, did they follow the procedure and contact the client within the mandated timeframe?
- When a client moved money, did large transactions trigger a red flag?
- What action was taken after that red flag? Was it escalated? Was it referred to the police?
Using RelativityOne’s short message review feature, the investigators could follow a timeline of internal conversations across instant messaging and emails to establish who did what concerning these suspicious client accounts.
Case Dynamics enabled the investigators to build out the profiles of key players by adding other case notes such as job titles, connections, and elements of the story (e.g., “defendant argued with Sue from finance in June”). The investigators also used Case Dynamics to plan the next steps in the investigation and whom to interview at the bank.
Phase 5: Prep for Interviews
Once the investigators had identified the key players to interview, the icourts analysts added a new coding field so the investigators could indicate which key documents to refer to during the interview (e.g., “question 2 for Sue”).
The documents tagged for the interview were batched and referred to in the system during the interview, ensuring an auditable chain of evidence.
Additionally, RelativtyOne’s video transcript feature allowed the investigators to watch the replay of the interviews while the words were highlighted in the transcript in real-time with the audio. The investigators were able to annotate directly onto the transcript, with the option to color-code, add notes, and link to the relevant document, all within Case Dynamics.
The Prosecution & Looking to the Future
Through analyzing activity on several key accounts, the investigation team was able to identify a pattern of non-compliant behavior among senior compliance managers at the bank.
Red flags of suspicious behaviors were being escalated through to senior levels of the compliance team, where activity was being approved and not referred on to the police.
The investigators were able to follow the money after it was moved into a foreign bank and obtain the information necessary to prosecute the domestically registered and regulated bank.
Today, the analysts at icourts continue to use the method of real-world training exercises in each specific matter to technically upskill the regulator’s investigation team.
The blended approach of project-based support with external advisory and training ensures the regulator continues to extract the most value out of RelativityOne.