Executive Summary
While most financial institutions are getting to grasps on the financial economic crime (FEC) risk exposures of their direct clients and suppliers1, FEC risk events continue to appear on a daily basis given the ever-dynamic modes of operation of FEC actors. A promising approach to accompany traditional FEC risk identification methods lies in analysing counterparties with which clients interact (transact, communicate, etc). Through an analysis on open source company registries, sanctions lists, and geographic data we learn key characteristics of known FEC risks (sanctioned entities, FEC leak scandals). Our analysis indicates that this data can be leveraged to gauge the risk of counterparties being shell companies, and for uncovering indirect exposures to sanctioned parties.
Acknowledgement
With special thanks to Miles Kellerman and Yolanda van Settten in taking the time to review early drafts of this study, and providing valuable feedback as experts on financial crime and law.
Introduction: the unknown FEC risk
Professionals in the anti money laundering (AML), terrorist financing (TF), and sanctions evasion domain are busy on a daily basis to combat different forms of financial-economic crime (FEC). FEC Risk assessments are conducted, AML Policies are produced, Scathing control reviews are written, client follow-up actions logged, and guidance documents for due diligence are stacked up. How then, is the FEC community ever so often surprised by the unknown-unknown2 Financial Crime events which are found in the news?
The answer may have something to do with the rigid nature by which most institutions attempt to address FEC problems. Measures which are used to combat FEC are often regulatory-compliance driven methods, and thus focus on availability of internal data on clients. As such, institutions attempt to minutely define the patterns of financial crime and tell systems and people to look for those exact patterns, resulting in:
- Measuring suspect behaviour by some best practises which are posted in a guidance document of a regulator. The guidance document having originally only been created by the regulator with examples, rather than strict implementation requirements3
- Going through checklists of potential risk scenarios based on regulatory (non-exhaustive) guidance examples4 once every three/five/ten years for ‘normal risk’ business relations, which lead to some great rage-bait prime-time television
- Applying overly broad FEC risk detection algorithms which lead to false-positive signals 997 out of 10005 times when looking for sanctions risks.
Pictured: Dall-E’s impression of what the first black-swan sighting in Victorian times by a European must have been like
When we are then confronted by some type of Financial Crime which is not picked up by exhaustive (compliance-driven) processes, there is a crisis event. Coined as a “black swan” event by probability theory author Nassim Nicholas Taleb6; events we did not account for and of which we did not know we were not accounting for exist, and occur much more frequently than they should given the -on-paper- excellent FEC control household. But would an additional use of external, potentially open source, data have prevented such occasions?
In this article, we illustrate that with a focus on using counterparty intelligence, strategically using open source data, and applying alternative ways to thinking about FEC, those unknown-unknowns may only be a few steps away from being known.
A history of counterparty risk information
The year is 2016, and the world is in turmoil since suddenly everyone has insight into the financial dealings of the tax-evading offshore world following the ICIJ’s Panama Papers. Two years later, we learned that the Danske Bank Estonia branch was a conduit to funnelling laundered funds through offshore shell companies such as those leaked in the Panama Papers. Then, in 2020 the 29-leaks tell us even more about how formations agents allow for the anonymization of businesses, directors, and beneficiaries as a service. And finally, in 2021 even suspicious activity reports (SARs) filed by US banks to the US regulator are leaked in the FinCEN files.
Pictured above: timeline of various (selected) leaks with relevance to the FEC domain. Size of the bubbles indicate our perceived impact of the leaked data and information to the FEC space (sources, ICIJ, and OCCRP).
These various data leaks and associated money laundering publications have told us that:
- FEC is conducted in networks of (sanctioned or suspect) persons and entities, each with their distinct roles in a scheme
- FEC actors use strawman business entities and persons, often incorporated and run by intermediaries to hide their actual beneficial owners
- Many high volume and value FEC cases are international in nature, exploiting international legislative loopholes
Most FEC professional knows about these media events and the above learnings from them. However, the lessons from these events remain largely implemented through ineffective methods. Examples include creating signals on sanctions- and post-transaction monitoring risks using lists of reference names, and threshold value levels of international transactions for specific countries. These attempts to mitigate the risks are logical, given how little is known about a counterparty (the connections of a client) to a transaction in the financial industry. Generally, the information available on a counterparty to a transaction relates to its name, its address, and some information and description of the transaction.
These ways to mitigate counterparty risks are however, problematic for three reasons: (a) Actors of financial crime adapt what they do and where they do it7, (b) rules are implemented in a rigid way (using country lists and value thresholds) and (c) a lot more can be done with data than even regulators guide, requiring a better than compliance-driven approach. Our open-source intelligence (OSINT) data analysis will provide insight on these three.
Finding another angle: using open source intelligence
To illustrate our point that valuable information on FEC risks exists in open source intelligence data on counterparties, we conduct a data-driven analysis. The goal of the analysis is to identify if we can gather risk signals on counterparties from open source data, which features the characteristics described in the data leaks section above.
We will focus our analysis on the United Kingdom, as it is featured frequently and significantly8 in tax evasion and corporate secrecy indices. A reference list of sanctioned actors will stem from the United States Office of Foreign Affairs and Conduct (OFAC) department, since its programs have significant global reach and impact on finance. The data sources employed are described in table 1 below.
Data Usage | Publisher | description of data used |
---|---|---|
Sanctions lists9 | US OFAC | Lists of Specially Designated Nationals and Blocked Persons as published by the US Treasury’s OFAC department, and accompanying supporting data |
Company Registry10 | GOV UK Companies house | Detailed company registry data of the United Kingdom, published as a monthly snapshot of data |
Map information | Openstreetmap | Detailed data on addresses, buildings, businesses and geographic information from public contributions |
Analysis of open source data
Given the type of risk we are interested in, we center our analysis on address incorporation data. This is also one of the few data elements on counterparties which tends to be clear from a financial transaction (e.g. various SWIFT and SEPA direct transactions types both feature this data on counterparties), or from other documentation on counterparties (e.g. trade documentation, invoices, etc.).
On the version of the sanctions list of OFAC employed in our analysis, we find 14.500 Specially Designated Nationals (SDNs; either persons or businesses), which are associated with 19.744 addresses. Of these, 189 are located in the United Kingdom and relate to a business entity. Using our text matching algorithms (e.g. leveraging functions from the FuzzyWuzzy project), we find 70 of these addresses in the UK Company registry on which a grand total of 43.512 active business registrations are found11. Clearly, we are looking at addresses with some form of giant business complex, a virtual office space provider12, a company formations business13 (analogous to the operations published in the #29 leaks described above), or some other business address service provider. What we do know, is that the due-diligence process of the office provider is not considering international sanctions programs.
Gauging the probability that these addresses contain legitimate (giant) business complexes is possible using open source data. Using OpenStreetMap we can find the dimensions and features of buildings on addresses through the map download function which contains metadata on building height, number of floors, and dimension features. We can thus approximate if the number of companies registered on an address is plausible given the dimensions of the building on the address. Using analysis in Python14 we thus find that 95% of these 43.512 companies are registered on an address which would give them significantly less than 1m2 to operate their business out of.15
Pictured above: outcome of the analysis of combining the data sources from Table 1
Given that we focus our analysis on identifying potential risks of counterparties using their affiliation with intermediary business service providers (with services analogous to the various data incidents described above), we analyse the number of UK addresses which feature registrations of more than 250 active UK businesses. In our datasets, there are over a thousand such addresses. Again using OpenStreetMap, we randomly select 1016 of these addresses featuring a total 42.581 businesses to determine how plausible the notion of these being large business complexes may be. We find that:
- 84% of businesses located on 2 out of these 10 addresses would again have less than 1m2 to operate in
- Another 7,5% of the businesses (again another 2 out of 10 addresses) would have approximately 5m² to operate out in, which could be feasible dependent on the economic sector the business is in (i.e. plausible for small scale office-based work, less probable for aluminium smelting)
- Manual analysis of the remaining 6 addresses leads to the conclusion that only 3 of the locations appears plausibly large enough to physically house and operate the number of businesses incorporated therein. For some of the other 3, it is immediately clear from services advertised online on the business address that intermediary business service providers are present on them.
Hence, using open source information on addresses of counterparties as a starting point has proven interesting to pursue to gauge counterparty risk. Additional analyses using further (open) sources should be considered to come to a conclusion on how to proceed with the counterparty.
Pictured below: example data (featuring the Buckingham Palace building in London – not in the analysis scope or part of the highlighted outcomes) on building features available from OpenStreetMap. Details can be extracted from the map using the download function, and analysed in Python to infer building size.
Why such open source insights matter
The US OFAC provides guidance on how to use the address information they provide on sanctioned parties. It is to be used as a reference following the generation of a sanctions screening alert from a sanctions screening system. Thus, it is not a basis for generating risk signals by and of itself: that part is reserved for matching sanctioned entity names and aliases (the 997/1000 false positive risk signal generating process referenced in the introduction).
Conversely, this analysis has shown that addresses can prove pivotal in learning of counterparty risk signals, given what can be learned from them using open source information. Through these illustrative methods and matching together these open-source datasets, we find indications of numerous UK company service providers servicing clients whose addresses are associated with SDNs, or those whose patterns of business registrations are highly similar to those locations where SDNs are located. The associated risks for a financial institution could be:
- Having a company service provider as a client, which would feature the risk of indirect third-party sanctions exposure through the clients of a client
- Facilitating transactions or communications between a client and a counterparty, located on an address which display a likelihood of the counterparty not being a legitimate business (i.e. a shell company)
At this point, critical readers will think: “if this is a UK problem then I can just increase the scrutiny I place on relations with the UK and be done with this”. However, our analysis finds that similar modes of operation occur all over the European Union. For example, in the Netherlands there are also several addresses associated with OFAC sanctioned entities. These addresses in turn feature a combined total of 1.499 registered active entities, some actively including the active US OFAC sanctioned entities themselves17. With that in mind, one can estimate the level of due diligence the ultimate owner of such an address is conducting on its business registrations: likely less than a regulated institution’s risk appetite.
A note on limitations
Using open source information goes hand-in-hand with accepting certain limitations, in the context presented especially with respect to timeliness of data, data verification challenges, and potential biases given the reliance on work of others. It is thus hard to argue that such open sources can replace or negate existing FEC risk signal generation processes. Be that as it may, when used as an additional source of FEC risk signals on top of existing FEC risk processes which unwittingly fail to generate equivalent signals, using open source information can prove insightful. And while additional signals indeed add to operational burdens from FEC risk obligations, using explainable models to optimize operations processes can balance this workload.
Concluding
With this study to gauge the counterparty risk, we have shown that additional FEC risk insights can be gained from open source information. Open source data is available in many shapes and forms, and while this analysis has focused on using counterparty address as a FEC risk indicator, many more avenues of inquiry can be valuable to uncover FEC risks. For instance, Bellingcat recently published an approach to use open source data on internet traffic routing tools to investigate the various ties a sanctioned Russian bank has to other parties, businesses, and financial institutions, including in the Netherlands and Germany.
Thus, making use of available open data to gauge FEC risks of counterparties outside the traditional internal data gathering processes could indeed make the occurrence of black swan risk events a lot less frequent.
Interested in how to use open source data to gauge counterparty risks in your organization?
Footnotes
- As described in DNB’s ‘herstel naar balans‘ document ↩︎
- Refers to a quote from former US Secretary of Defence Donald Rumsfeld (2002): “But there are also unknown unknowns—the ones we don’t know we don’t know.” This quote has been appropriated by risk management, and is widely used by risk management practitioners. ↩︎
- For instance, DNB’s ‘herstel naar balans‘ document on the evolution of the FEC risks at financial institutions provides broad stroke insights for financial institutions ↩︎
- For example, AFM’s guidance for the Wwft and SW has a non-exhaustive list of potential risk factors ‘entities may consider’ on page 10, which means obliged entities will need to come up with their own list including (most of) these factors ↩︎
- As found by EY in their 2021 survey, on page 4 ↩︎
- Nassim Taleb, 2007, see Wikipedia for a summary on his work ↩︎
- For example: One of the dodgiest addresses in the world, 175 Darkes Lane in Potter’s bar, used to hold 660 shell companies on a single small floor including various sanctioned parties. Four years later (March 2024) however, most of these have relocated leaving only 9 active ones according to UK Companies House data ↩︎
- See also: Dutch Public Prosecutor, 2024, Annual report, p25, “Het VK staat bekend als dé grote (wereld)speler in het faciliteren van criminele geldstromen” ↩︎
- Data retrieved on February 26th, 2024 ↩︎
- Data retrieved on February 26th, 2024 ↩︎
- There are 121 unique addressees in the OFAC ADD list used in this analysis. Furthermore, a total of 51 UK addresses found in the OFAC ADD list either do not contain an active registration according to the Companies House data, or they are too generically described in the OFAC ADD list to match them to Companies House data. This latter option is the case when, for example, the OFAC ADD list contains only the name of a city as the address. ↩︎
- Whilst virtual office space providers provide a useful service to many companies, providing these services to large volumes of businesses can result in a high due-diligence burden on clients which is not required or enforced by a regulator. Hence, such virtual office providers have been shown to potentially contain high potential levels of FEC risk in the Netherlands. See e.g. this 2024 article by Follow the Money ↩︎
- Helpfully, the UK Companies house website, along with a register of formations company websites, states that: “agents can offer you professional expert advice and assistance to register (incorporate) your company and provide: guidance on the type of company that best suits your needs, assistance naming your company, including those that require permission, ongoing company secretarial support, registered office, address services, help setting up a business bank account”. The OCCRP lists the historical FEC risks associated with these businesses: “The process is quick, easy, and remarkably cheap. Although many turn to formation agents for legitimate business reasons, illicit actors might seek out their services to dodge taxes, hide their ownership of high-value assets, or squirrel away dirty money.” ↩︎
- Using methods based on the described described in the Pyosmium library Readme: https://github.com/osmcode/pyosmium/blob/master/README.md ↩︎
- Our analysis of the mapping data pertains to the OFAC SDN related addresses with the most registered active businesses only. ↩︎
- This number is deliberately kept low in order not to put undue data export pressure on the Open Streetmap systems. Hence, this conclusion is for illustrative purposes only. ↩︎
- As per the NL Chamber of Commerce website on may 7th 2024, https://www.kvk.nl/zoeken/handelsregister/ ↩︎