An Ultimate Guide To Investigating Suspicious Transactions

An Ultimate Guide To Investigating Suspicious Transactions

RapidAML Team

2024-06-18

Table of Contents

The regulated entities in UAE are mandated to report all suspicious activities and transactions with the FIU’s goAML portal. It’s important for businesses to identify and report such suspicious transactions on a timely basis and report them without any delay to counter money laundering and terrorist financing. Here is an ultimate guide to investigating suspicious transactions.

What Is a Suspicious Transaction

Any transaction with or routed through a regulated entity that indicates potential involvement or element of Money Laundering, Terrorism Financing, and Proliferation Financing (ML, FT, and PF) activities either directly or indirectly is known as a suspicious transaction.

According to the Central Bank of UAE (CBUAE) and in alignment with the Anti-Money Laundering and Counter Financing of Terrorism Laws in UAE, a transaction, whether attempted or concluded or customer funds can be referred to as a suspicious transaction for which the regulated entity has reasonable grounds to suspect that the said transaction could potentially be:

  • Proceeds of crime, i.e., originating from illegal sources such as predicate offences for funding terrorist activities or laundering funds
  • Related to money laundering or terrorism financing
  • Used for activity related to money laundering, terrorism financing, or any related crimes.

A suspicious transaction is not necessarily a transaction that has been concluded. All transactions, be it ongoing, proposed, or executed in the past, irrespective of their completion stage, when found during review or assessment that there exists reasonable ground for suspicion, can be interpreted and must be reported as a suspicious transaction through the goAML portal.

What Does the Term “Reasonable Grounds” Mean?

Reasonable grounds refer to considering the entire situation as a whole with all the facts and evidence available to arrive at a conclusion or decision that any reasonable person would. A reasonable person, also known as a prudent person, is a person who exhibits skill, competence, care, and judgment that aligns with any average person in a society.

It is important to note that regulated entities need not obtain or collect and verify evidence to support filing a suspicious transaction report, as having reasonable grounds to suspect involvement of illicit proceeds through any of the abovementioned indicators and relevant requirements is sufficient.

How Does a Suspicious Transaction Differ from a Routine Business Transaction?

Routine business transactions and suspicious transactions may, at first glance, look alike. However, they vary distinctly when looked at with a scrutinising keen eye that usually a competent transaction monitoring analyst, risk analyst, AML Compliance Officer (CO), or Money Laundering Reporting Officer (MLRO) possesses.

A suspicious transaction differs from routine business transactions in many ways, such as:

  • A routine business transaction would always have a legitimate business rationale, which might be vague, non-aligned, fake, or absent in case of suspicious transactions.
  • A routine business transaction involving virtual assets would have clear, precise details of originator and beneficiary accounts, whereas clear details are missing in suspicious transactions.
  • A routine business transaction will have business activity consistent with the customer profile and their funds or wealth, whereas in a suspicious transaction, the transaction volume, frequency, and pattern will not be in alignment with the customer details collected during CDD and type of risk rating assigned because of customer risk assessment exercise.
  • A routine business transaction usually involves entities that have clear information pertaining to ultimate beneficial owners (UBOs) and have transaction nexus or business ownership structure that can be understood and legally justified whereas a suspicious transaction would normally involve entities that have no clear information on UBO’s, unclear business ownership structures, use of shell entities or nominee directors to conceal true identity and purpose of the transaction.
  • A routine business transaction usually has patterns of transaction amounts exceeding threshold amounts requiring filing or reporting to regulatory authorities such as designated transactions; however, suspicious transactions have a pattern of always being under reporting threshold amounts, indicating structuring patterns. However, each case must be analysed properly before arriving at any conclusion by a transaction monitoring analyst.
  • A routine business transaction takes place among entities and persons in alignment with their actual line of business, but a suspicious transaction displays anomalies like transactions between an agriculture produce exporter and a video game component manufacturer.

The list of differences among routine business transactions and suspicious transactions indicating potential involvement of ML, FT, and PF activities can stretch quite far. However, what can be summarised as key points of distinction between suspicious and routine transactions is the said transaction’s alignment with the customer’s risk profile and rating assigned. For a suspicious transaction, the nature of the transaction would be inconsistent with the customer’s financial standing and their usual or expected pattern of conducting business.

Red Flags and Typologies

Business to business and sector to sector, red flags and typologies of suspicious transactions differ. Regulated entities must take into consideration and include in their AML/CFT policies and procedures a list of commonly faced red flags and typologies pertaining to their specific business derived from well-crafted Enterprise-Wide Risk Assessment (EWRA). Here’s a list of a few generalised red flags or typologies of suspicious transactions in UAE:

  • Transactions to, from, or routed through countries with weak AML/CFT laws or countries that are blacklisted or greylisted by the Financial Action Task Force (FATF) due to significant deficiency in their AML regime or open state support to TF and PF activities.
  • Transactions to, from and through customer accounts that are inconsistent with details obtained during their CDD and resulting customer profile.
  • Transactions for which Sources of Funds (SoF) and Sources of Wealth (SoW) cannot be justified or are in stark contrast with customer profile.
  • Transactions to, from and through bank accounts that are:
    • In high volume of cash in small denominations
    • In high-risk countries which are tax havens with non-existent extradition treaties
    • In offshore jurisdictions lacking economic justification
    • Having multiple depositors or withdrawers with inconsistent and unjustified locations.
  • Transactions involving the purchase or sale of precious metals and stones without economic justification.
  • Transactions with or through entities that have complex ownership structures where UBOs cannot be identified.
  • Transactions involving unjustified use of the power of attorney, agents, or legal representatives to mask the identities of UBOs and the true purpose of transactions.
  • Transactions involving manipulation of invoices, export/import documents, inadequate information about port of origin and port of destination, and valuation of goods indicative of trade-based money laundering.
  • Transactions involving electronic transfer of funds or payments or deposits through virtual assets without adequate originator and beneficiary account details.
  • Transactions indicating the misuse of the account or customer credentials as a part of the money mule network.
  • Transactions indicating elements of structuring, smurfing, or layering.
  • Transactions that trigger the regulated entity’s internal reporting or enhanced due diligence parameters as set out in the regulated entity’s AML/CFT policies and procedures for identifying and reporting suspicious transactions based on its customised EWRA.
  • Transactions, to, from, or routed through individuals or entities on the sanctions or designated persons lists.

Examples of Suspicious Transactions

Some examples of suspicious transactions that regulated entities must be aware of are as follows:

  • A transaction is considered suspicious when it is significantly inconsistent with the customer’s previous or past business style or transactional behaviour, for example, a significant difference in the size of orders they place or frequency at which they conduct business with the regulated entity.
  • A transaction is considered suspicious when the customer insists on the urgency of executing a transaction in cash of small denominations, disregarding the price, quality or specifications of a service or a product.
  • A transaction is considered suspicious when transaction volume or amount might be unusual or inconsistent with the type of services or products the regulated entity offers to its customers.
  • A transaction is considered suspicious when cash is involved and identifying the source of funds is difficult, such as large amounts of cash deposits or bank statements showing cash withdrawal where it is difficult to establish a nexus between cash and bank statements of the customer.
  • A transaction is considered as suspicious when third-party funding is utilised by a customer to execute a transaction, and it is difficult to understand the reason or rationale behind the involvement of third party in the transaction. For instance, when funds are disbursed by a third party or declared as a loan or gift to the customer without any evidence.

Indicators of Suspicious Transactions

The suspicious nature of a transaction or fund can be interpreted or indicated by comparing or monitoring customer profile indicators such as:

  • Behavior patterns
  • Transactional patterns and indicators
  • Customer information collected during Customer Due Diligence (CDD) processes such as
    • Know Your Customer (KYC)
    • Sanctions Screening
    • Adverse Media and Politically Exposed Person (PEP) Scan
      across parameters listed as under:

Indicators of Suspicious Transactions

Abnormal Transaction Size: The size or volume of the transaction is found to be abnormal or unusual when compared with the customer information collected during CDD and risk rating assigned during ML/FT and PF customer risk assessment.

Abnormal Transaction Frequency: The frequency at which the customer conducts transactions with a regulated entity deviates or differs from their past transaction frequency and is inconsistent with the customer profile.

Suspicious Remote Location: The location from which the customer usually conducts remote transactions is changing frequently or indicates that the location is a grey-listed or blacklisted country or jurisdiction infamous for illicit activities. The location details of a transaction are generally tracked through transaction monitoring software which tracks the IP address and provides geolocation details of a transaction conducted.

Complex Transaction: The transaction shows elements of unnecessary or legally unjustifiable complexity that involves unknown third parties, shell companies, complex ownership structures, or is routed to and from multiple bank accounts without justifiable cause with the purpose of layering and structuring to separate illicit proceeds from predicate offence from which it was generated.

Anonymous Transaction: A major indicator that must arouse suspicion in the minds of the transaction analysts and other AML compliance personnel of the regulated entity is the anonymity factor involved with any transaction where the customer purposefully disguises UBO information or uses virtual assets such as cryptocurrency to transact where the originator and the beneficiary account details can be disguised. The anonymity factor might be indicative of a deeper underlying element of customer or UBOs of legal entity customers being sanctioned or PEPs or having materially significant and relevant adverse media against them.

Unusual Patterns: Any transaction that deviates from the usual transaction pattern of a customer is said to be an unusual transaction. An unusual pattern may indicate the involvement of ML/FT or PF elements. It is equally important to note that not all unusual transactions can be considered suspicious transactions as per the AML/CFT standards, and regulated entities must consider each transaction individually before classifying or categorising such transactions as suspicious transactions.

Setting up an Investigation Framework for Suspicious Transactions

Regulated entities, in order to curb ML/FT and PF risks, must set an internal investigation framework as a part of their AML/CFT and CPF policies, procedures, and controls where they outline the internal governance structure responsible for identifying, investigating, internally reporting and reporting to regulatory authorities about the suspicious transactions through the use of relevant control measures such as use of software and equipping personnel with adequate knowledge as to their individual roles and responsibilities surrounding suspicious transaction identification, investigation and reporting. The investigation framework for mitigating suspicious transaction risk consists of the following elements:

Setting up an Investigation Framework for Suspicious Transactions

Policies and Procedures: The AML policies and procedures of a regulated entity must outline how the regulated entity and its personnel shall deal with situations where they come across a suspicious transaction. The AML policy of regulated entities must include reference to red-flags and typologies of suspicious transactions that their type and size of business are exposed to.

Roles and Responsibilities: The investigation framework for identifying, investigating, and reporting suspicious transactions forming part of AML policies and procedures must provide for role-specific responsibilities and define workflows across such roles such as that of transaction monitoring analyst, screening analyst, KYC analyst, AML CO or MLRO, and Senior Management. The suspicious transaction investigation framework and AML policies and procedures must be aligned to mitigate the ML/FT and PF risk arising from suspicious transactions.

Screening Software: The suspicious transaction investigation framework must contain clear details as to which screening software the regulated entity intends to rely upon and whether they have conducted an adequate amount of sanctions screening software testing and validation to reduce the incidences of false positives to ensure that their compliance efforts are focused. A screening software helps regulated entities identify whether the natural person or legal entity with whom they are conducting business is sanctioned, PEP, or has any materially relevant adverse media against them which might give them reasonable grounds to suspect that funds or transactions related to that customer might be proceeds of crime supporting M/FT and PF activities.

Transaction Monitoring Software: Transaction monitoring software for a regulated entity is the holy grail that helps them identify, investigate, and report suspicious transactions in real-time based on rules and parameters set during the configuration of the software for use by the regulated entity by the software vendor. Regulated entities must invest in well-adjusted transaction monitoring software and ensure that their suspicious transaction investigation framework contains dedicated software for transaction monitoring.

Staff training: For a suspicious transaction investigation framework to be effective, the personnel of the regulated entity must be adequately and appropriately trained with regard to the following aspects:

  • The red flags and typologies identified by the relevant regulatory authorities and the red flags and typologies specified within the suspicious transaction investigation framework of the regulated entity, which are specific to their business, triggering internal reporting mechanism.
  • The workflows in which suspicious transaction identification, investigation, and internal as well as regulatory reporting shall take place.
  • The timeframe in which suspicious transactions must investigated and reported.
  • The manner and format of filing internal as well as regulatory reporting narrative for suspicious transactions.
  • Every step and stepwise requirement for internal as well as regulatory suspicious transaction investigation process.

Suspicious Transactions Detection and Monitoring Tools

Regulated entities must seriously consider relying on suspicious transaction detection and monitoring tools or software. Relying on technology helps regulated entities scale by having compliance measures in place and reducing the element of human error.
Though there is ample variety of suspicious transaction detection and monitoring software in the market, regulated entities must adopt a risk-based approach when selecting a suitable software solution after conducting thorough market research, taking demos from vendors, shortlisting suitable vendors based on the business requirement of the regulated entity and making decision after thorough deliberations.

Suspicious Transactions Investigation Process

A regulated entity must have in place, a customised suspicious transactions investigation process. A suspicious transactions investigation process must broadly cover the following aspects:

Suspicious Transactions Investigation Process

1. Initial Assessment: A regulated entity needs to have in place an internal suspicious transaction identification and investigation process that charts out the red-flags and typologies of suspicious transactions that the regulated entity is vulnerable to. The identification of suspicious transactions is possible through the suspicious transaction identification framework, such as a software through which the personnel gets alerts or notifications based on the parameters set.

2. Data Gathering: The suspicious transaction investigation process must provide for the personnel of the regulated entity to gather as much information or data about the suspicious transaction as practically possible so as to use this data to understand underlying patterns and also use data to fill out Suspicious Transaction Report (STR) narratives for both internal STR reporting as well as to the UAE FIU through the goAML portal.

3. Pattern Analysis: A suspicious transaction investigation process must include measures to conduct pattern analysis so that after gathering information about the suspicious transaction, the transaction monitoring analyst or any other personnel responsible in the regulated entity can look into the transaction history of the customers to see if any pattern emerges that is consistent with typologies and red-flags indicating ML, FT, or PF possibility.

4. Risk Assessment: A regulated entity’s suspicious transaction investigation process should ideally include risk assessment procedures which works in alignment with the guidelines provided by the authorities in UAE.
For instance, after identifying and reporting a transaction as suspicious in nature, the regulated entity should ideally assign high risk rating to such customer and continue or discontinue the business relationship depending on its internal policies and risk-based approach.

5. Enhanced Due Diligence (EDD): A suspicious transaction investigation process must ideally include EDD measures and any other extra measures through which they intend to impose additional control such as seeking additional documents, limiting business activity with such customer, or any such control measures to mitigate the risk from continuing business relationship with such a customer.

6. Collaboration: A suspicious transaction investigation process should provide clear internal policies and procedures with regard to reporting to the FIU through the goAML portal and waiting for response from FIU, the actions it shall take in case no response received, and how it shall cooperate with the FIU if the FIU calls for submitting extra information regarding the transaction.

7. Documentation: A suspicious transaction investigation process must clearly state the methodology, tools, formats, sequence, and checklists for documentation of internal STR process as well as the documentation of STR on the goAML portal.

8. STR Submission: A suspicious transaction investigation process must clearly include steps, timelines, workflow escalation checkpoints, and overall process for STR submission on the goAML portal by the regulated entity.

Regulatory Requirements for Submitting STR

The UAE AML/CFT law requires the AML Compliance Officers of regulated entities to receive information, assess, analyse, study, and review the information regarding suspicious transactions and decide whether to file STR with FIU or not file STR while continuing business relationship with reasons to not file the STR.

The AML Compliance Officer of the regulated entity must ensure that all the required and necessary measures are taken to ensure that suspicious transaction identification and STR submission process takes place smoothly.

Challenges in Investigating Suspicious Transactions

The process of investigation of suspicious transactions comes with its own set of challenges, such as follows:

Challenges in Investigating Suspicious Transactions

Inadequate Data: If the information itself about a suspicious transaction is inadequate, such as the:

  • Names and details of individuals or entities involved in the suspicious transaction
  • What types of transactions triggered the alert in the transaction monitoring system
  • The location of the suspicious transaction
  • The specific times and dates of the suspicious transaction
  • The regulated entity’s reasons or reasonable grounds for identifying the suspicious transaction as suspicious
  • The way the suspicious transaction took place

Then, the results generated during the monitoring of transactions might generate inaccurate results, leading to an unsuccessful investigation due to a lack of adequate information.

False Positives: Another challenge during the investigation is coming across a transaction monitoring alert that is a false positive, meaning that the transaction monitoring system generated an alert but the alert identified a transaction wrongly as a suspicious one.

False Negatives: After false positives, false negatives pose a much grave challenge as this means transactions interpreted as non-suspicious ones might actually be suspicious ones, leading to non-reporting of them and consequent non-compliance and fines.

Encrypted Data: Data about transactions, when encrypted, makes their monitoring tricky as the regulated entity will not be able to identify indicators of suspicion, making it difficult to identify suspicious transactions in a timely manner for further investigation and reporting.

International Transactions:  When transactions are conducted across geographical boundaries, multiple factors play their role, such as regulations of the other country involved, mode of transaction, whether the country itself is high-risk, and so on, posing challenges to tracking and monitoring of the transaction.

Resource Availability: Another major factor creating a challenge for suspicious transaction identification and investigation is resource availability. Often, a regulated entity might not be able to invest in a transaction monitoring software, leading to depending on manual input in going through transaction registers to identify anomalies, leading to human errors.

Best Practices for Investigating Suspicious Transactions

To prevent the occurrence of challenges while investigating suspicious transactions, regulated entities can adopt the following best practices:

Best Practices for Investigating Suspicious Transactions

  • Objectivity: Regulated entities need to adopt objectivity while determining reasonable grounds for considering a transaction as suspicious in nature. Objectivity helps in investigating alerts, identifying typologies, and red-flags that help in ensuring timely reporting to the FIU. When regulated entities operate in the manner prescribed by their policies and procedures, their compliance with regulatory requirements becomes easy and problem free.
  • Timeliness: When regulated entities operate in accordance with set policies and procedures that mention timelines and timeframe within which each compliance related task must be executed, then the timely reporting of suspicious transactions to FIU is the outcome that the regulated entity strives to achieve.
  • Collaboration: Regulated entities in order to ensure continuous compliance that is free from hang-ups or obstacles must ensure collaboration with relevant regulatory authorities whenever required, this helps in building rapport and goodwill that helps with better handling and understanding of situations after submitting STRs.
  • Continuous Monitoring: Suspicious transaction monitoring is not a one-time task. It must be conducted on an ongoing basis to identify any anomalies in transaction patterns of a customer subsequent to their onboarding and help with dynamic management of ML/FT and PF risks.

Strategic Outlook on Investigating Suspicious Transactions

Regulated entities are prone to ML/FT and PF risks from their customers, the geographies to which their customers belong, and the mode, timing, frequency, and manner in which the customers execute their transactions. To mitigate the risks emerging from the transaction component, regulated entities must put in place a framework to investigate suspicious transactions and set up an internal process to report them to the FIU through the goAML system.

Picture of Purva Buch
Purva Buch

Purva is a Certified Anti-Money Laundering Specialist (CAMS) and a Lawyer with 5+ years of experience.

She has substantial knowledge of Anti-Money Laundering Laws, Rules, Regulations, and AML Compliance Processes. Purva has been instrumental in drafting RegTech processes, corporate policymaking, and fulfilling various legal research and drafting requirements arising from AML laws and regulatory technology.

CAMS, LLB

Join our Waitlist