Strengthening Transaction Monitoring through Unusual Sign-In Detection

Advanced Anti-Money Laundering (AML) software is a big step forward for regulated entities such as Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) in taking a Risk-Based Approach (RBA), both when onboarding a client and during ongoing monitoring of transactions and business relationships.

Transaction Monitoring software provides a combination of unusual sign-in alerts to help regulated entities identify anomalies and safeguard themselves against ML/TF/PF risks. Types of suspicious sign-in alerts that AML software must be configured to generate are as follows:

Geolocation Discrepancy Alert

AML software with transaction monitoring features can help businesses detect transaction-related red flags by sending the software user a geolocation discrepancy alert when any deviation from the usual location of customer login is observed.

Geolocation discrepancy alerts help regulated entities detect ML/TF/PF typologies such as unusual transactions between distant locations, rapid pass-through of funds between accounts belonging to high-risk jurisdictions, or simultaneous logins from multiple locations or countries that are unrelated to, and unusual for, the customer profile.

Multiple Failed Login Attempts Alert

Another alert that helps monitor unusual transaction patterns is the multiple failed login attempts alert. By flagging potentially suspicious behaviour, the AML software helps regulated entities take timely action. Multiple failed login attempts within a short period, or a series of failed attempts, can be a sign of malicious activity, as criminals can use such tactics to gain unauthorised access to legitimate accounts, putting customer data privacy at risk.

Transaction Monitoring software records the number of failed login attempts for every account and analyses their frequency over a specific time period. It also checks whether bots or similar tools are being used to log in and generates an alert if so, thus preventing access by a third party or misuse of a customer account for muling, which is a money laundering typology.
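The per-account counting over a time period described above can be sketched as a sliding window. This is an added example, not code from the article or from any AML product; the window length, the threshold, the event layout and the alert names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back period
THRESHOLD = 5                   # assumed failures per window that raise an alert

def failed_login_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """events: (iso_timestamp, account_id, "fail" | "ok"), sorted by time."""
    recent = defaultdict(deque)  # account -> failure times still inside the window
    in_burst = set()             # accounts already alerted for the current burst
    alerts = []
    for ts, account, outcome in events:
        now = datetime.fromisoformat(ts)
        q = recent[account]
        while q and now - q[0] > window:  # expire failures older than the window
            q.popleft()
        if not q:                         # a quiet window ends the burst
            in_burst.discard(account)
        if outcome == "fail":
            q.append(now)
            if len(q) >= threshold and account not in in_burst:
                in_burst.add(account)     # one alert per burst, not per attempt
                alerts.append((account, "failed_login_burst", ts))
        elif account in in_burst:
            # a success right after a burst may mean the guessing worked
            alerts.append((account, "success_after_burst", ts))
            in_burst.discard(account)
            q.clear()
    return alerts

# Constructed sample data: acct-A fails 5 times in 4 minutes, then succeeds;
# acct-B fails 5 times spread over two hours.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "acct-B", "fail"),
    ("2024-03-01T09:30:00", "acct-B", "fail"),
    ("2024-03-01T10:00:00", "acct-A", "fail"),
    ("2024-03-01T10:01:00", "acct-A", "fail"),
    ("2024-03-01T10:02:00", "acct-A", "fail"),
    ("2024-03-01T10:02:30", "acct-B", "fail"),
    ("2024-03-01T10:03:00", "acct-A", "fail"),
    ("2024-03-01T10:04:00", "acct-A", "fail"),
    ("2024-03-01T10:05:00", "acct-A", "ok"),
    ("2024-03-01T10:40:00", "acct-B", "fail"),
    ("2024-03-01T11:00:00", "acct-B", "fail"),
    ("2024-03-01T11:01:00", "acct-B", "ok"),
]
```

A successful login that follows a burst is reported separately because it is the case a compliance or security team would want to review first.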

Unusual Time to Transact Alert

AML software with ongoing and transaction monitoring functionalities can analyse the client’s regular transaction pattern. If there are any deviations in terms of date and time, for instance, multiple transactions late at night, on weekends, or at times when the client is typically inactive, then such transactions are flagged. AML software backed by machine learning and behavioural analytics can also be customised to raise alerts if the transactions do not occur within a set period.

Device or IP Address Mismatch Alerts

Clients often use multiple devices, such as their mobile phones and work or personal laptops/desktops, for transactions and during remote or non-face-to-face onboarding, usually known as the Know Your Customer (KYC) or reKYC process. However, if there is client activity from multiple unknown, unusual or new devices within a short period, or if the client’s device or IP address location is geographically distinct from the geographical data provided by the client, indicating the use of a proxy or VPN, then such transactions can be red flags. AML software can also check for cookie matches to identify fraudulent patterns.

AML software supported by behavioural biometrics can distinguish between a client’s suggested location and their actual location using a device’s unique identifiers like International Mobile Equipment Identity (IMEI) or MAC address and track IP addresses based on geolocation databases.

AML software can identify such unusual sign-ins and generate notifications of a device or IP address mismatch, enabling the compliance team of the regulated entity to investigate further.

Simultaneous Login from Different Locations Alert

It is not unusual for a client to log in from different locations, such as their workplace and its branch offices, from the comfort of their home, or while on vacation. However, it is highly unusual if there are login attempts or successful logins to a single customer account, not just from one of the usual locations, but simultaneously from different locations. Such an event might be indicative of involvement in illegal activities leading to money laundering, terrorism financing or proliferation financing.

Unified AML software can be calibrated to generate notifications of such seemingly suspicious login attempts, enabling the regulated entities to file a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) in a timely manner through the goAML portal.
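One way to detect the simultaneous-location case is sketched below as an added example; it is not code from the article or from any AML product. It generalises "simultaneous" to any pair of consecutive logins whose implied travel speed is physically implausible; the speed ceiling, the distance tolerance for IP-geolocation error and the record layout are assumptions.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed
MIN_KM = 100.0   # assumed tolerance for IP-geolocation error

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def location_conflicts(logins, max_kmh=MAX_KMH, min_km=MIN_KM):
    """logins: (iso_timestamp, account_id, city, lat, lon), sorted by time.

    Returns (account, previous_city, current_city, distance_km) for each
    pair of consecutive logins that no traveller could have made.
    """
    last = {}  # account -> (time, city, lat, lon) of the previous login
    alerts = []
    for ts, account, city, lat, lon in logins:
        now = datetime.fromisoformat(ts)
        prev = last.get(account)
        last[account] = (now, city, lat, lon)
        if prev is None:
            continue
        km = haversine_km(prev[2], prev[3], lat, lon)
        hours = (now - prev[0]).total_seconds() / 3600
        # hours == 0 is the strictly simultaneous case
        if km >= min_km and (hours == 0 or km / hours > max_kmh):
            alerts.append((account, prev[1], city, round(km)))
    return alerts

# Constructed sample data: acct-A appears in Dubai and London 20 minutes
# apart; acct-B makes a plausible Dubai to Abu Dhabi trip in 90 minutes.
SAMPLE_LOGINS = [
    ("2024-03-01T08:00:00", "acct-A", "Dubai", 25.2048, 55.2708),
    ("2024-03-01T08:00:00", "acct-B", "Dubai", 25.2048, 55.2708),
    ("2024-03-01T08:20:00", "acct-A", "London", 51.5074, -0.1278),
    ("2024-03-01T09:30:00", "acct-B", "Abu Dhabi", 24.4539, 54.3773),
]
```

A hit from this rule is a lead for review rather than proof, since VPN or proxy use and stale geolocation data produce the same pattern.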

Suspicious VPN or Proxy Usage Alert

The transaction monitoring software can verify IP addresses against known proxy or VPN services with the help of specialised tools and libraries designed to detect proxies and VPNs.

Money launderers and criminals resort to the use of VPNs or proxies to hide their real location, either to facilitate transactions to and from jurisdictions that are usually on sanctions watchlists or simply to mask their exact location and whereabouts and avoid detection by authorities. Regulated entities should ideally use unified AML solutions that can detect the use of VPNs and proxies, so that notifications of the use of a VPN, anonymiser service (for crypto or virtual asset transactions), or proxy by any customer are received immediately for further investigative and reporting purposes.

High-Frequency Login Attempts Alert

If a customer attempts to log in more frequently than their usual pattern, it is a behavioural red flag, irrespective of whether a transaction occurs with every login. AML software can be configured to generate alerts when high-frequency login attempts are made. This enables the AML compliance team to look into the business relationship and take necessary steps if required.

Dormant Account Access Alert

The sudden use, re-activation, or login of a dormant customer account is a critical ML/PF/TF red flag that can be detected through transaction monitoring. It is possible that the real user of such a dormant account was an elderly person who is now deceased, and that the account was reactivated by criminals attempting identity theft in order to transfer funds through it. Sudden re-activation of a dormant account is a type of unusual sign-in and customer behaviour, and an alert on such dormant account access enables regulated entities to implement the necessary AML controls.

Access from High-Risk Jurisdiction Alert

If and when a customer attempts to log in or transact through their account from a high-risk country, this event might require the following:

  • Regulatory Reporting
  • Enhanced Due Diligence
  • Further Investigation, or
  • Termination of Business Relationships with such customers in some cases.

High-risk jurisdiction alerts from AML software help regulated entities meet their AML compliance requirements more effectively.

Conclusion

During the ongoing monitoring process, unusual spikes in transactions or client activity in a dormant or low-activity account or suspicious activities such as round tripping of funds or multiple login attempts can be a concerning sign.

AML software depends on pattern recognition models and can be integrated with other systems, such as customer relationship management (CRM) systems or fraud prevention tools, to generate a combined analysis of any suspicious account activity. Regulated entities can refer to our blog Best Practices for Customising AML Software Notifications to adopt a risk-based approach towards tailoring the use of AML software for their specific business needs.

Check out our Case Study on: Implementing Cutting-Edge AML Software in the DNFBP Sector to form a better understanding of the role of AML software in AML compliance.