INVESTIGATION METHODOLOGY IN TODAY’S BANKING ENVIRONMENT John Bree Former Managing Director Deutsche Bank United States of America May 12, 2017


FBI investigation continues into 'odd' computer link between Russian bank and Trump Organization

DEUTSCHE BANK’S $10-BILLION SCANDAL

How a scheme to help Russians secretly funnel money offshore unravelled.

New Investigation Names Wall Street Banks Behind $3.8 Billion Dakota Access Pipeline

Wells Fargo shareholders call for a new, broader probe into the bank's accounts scandal

A.T.F. Filled Secret Bank Account With Millions From Shadowy Cigarette Sales

Banks were colluding on forex deals while South Africans fretted about a volatile rand

Up to a dozen banks are reportedly investigating potential SWIFT breaches

The incidents are part of a larger trend of cybercriminals targeting financial institutions directly instead of customers

Internal ▫ Government ▫ Hacker ▫ Client ▫ Organized Crime

Always One Thing In Common…

BANK

…You Guessed it!

Press ▫ Compliance ▫ Human Resources ▫ Law Enforcement ▫ Regulator

…and all our new best friends!

WE WILL DISCUSS

➢ The rapid increase in transaction velocity and structure

➢ Platforms

➢ Portals

➢ Devices

➢ Storage

➢ Outcomes of the previous tried and true methods

➢ The “Ws”

➢ The “Hs”

➢ The “Ps”

➢ Importance of the use of predictive analytics

➢ Trending

➢ Peer Comparison

➢ Cross Function Interaction…………………..better known as Collusion

➢ Avoid Surprises

BUT FIRST……………………………………….THE BASICS

Know the players

Establish internal and external relationships

Run Crisis Management like incident exercises

Have a Media and Public Relations process in place and tested

Keep your SME list current

Establish Strategic Partnerships with external experts

Keep NDAs and MSAs up to date

Understand the eDiscovery process

Device analysis and interrogation


Remember these?

40 plus years has taught me a critical first step

This

Not This

VELOCITY ▫ DIVERSITY ▫ STRUCTURE ▫ AVAILABILITY ▫ LINKAGE

➢ Cloud; Block Chain; PaaS; IoT; RPA; etc

➢ Know how and where data is processed and who are the senior managers

➢ Traditional Party-Counterparty settlement is changing

➢ A receiving party out of proof status has always been a critical element of the control environment and early warning signal

➢ We must have the capability to rapidly locate, assess and analyze both structured and unstructured data….Hadoop changed the world

➢ eDiscovery

➢ Written

➢ Spoken

➢ Transaction

➢ Physical

➢ Platforms and Systems are often shared and managed externally

➢ Portals

➢ Devices

➢ Storage

THE TRIED AND TRUE METHODS….STILL WORK

➢ The “Ws”

➢ What? The incident without the emotion or excuses

➢ Where? Business/Unit/System/Application/Location

➢ When? Entire timeline

➢ Who? Direct and Indirect. Primary, Secondary, Tertiary. Collusion.

➢ Why? Motivation. Blackmail. Retribution. Political. Terrorism.

➢ The “Hs”

➢ How? Control Absence or Gap

➢ History? Has this occurred previously?

➢ Hearsay? Separate the Facts from the Fantasy.

➢ The “Ps”

➢ Plan the Investigation and Research

➢ Peers?

➢ Previous mistake that was “cleared”. Testing the waters.

➢ Process. Document every step and result.

BEHAVIORAL ANALYTICS

Nothing new, we use it all the time………..

Web Searches………people have also viewed ____

Marketing………people have asked for _______

Sales………people who buy this also buy _______

Fraud detection

Credit Card misuse

Rogue trader activity

System logs

…and it has many styles

…and uses many indicators

AVAILABLE INDICATORS

External: Clients; Locations; Incidents; Financial health; Media; Announcements; Regulatory Websites

Internal: Invoices; Volumes; Entitlements; Access requests; Errors & Omissions; Email & Text; Voice communication

LET’S EXPAND

Invoices

Frequency

Change in cycle

Change in day of month

Format

Different information

Instructions

Change in receiver

Amount

Why did it change?

Why did it not change?

Tax

Expenses

Subcontractors?

INDICATORS……..

Volumes

Transaction change…..is the delta reasonable?

Entitlements

Is the monthly request within accepted tolerance?

Turnover?

Building Access and ID requests

Spike?

Emails

Change in Provider address

Increase or Decrease in traffic

EXTERNAL, PUBLIC INFORMATION

Clients

Does the provider have new clients? Counterparty?

Locations

Has the provider moved? Concentration?

Incidents

What, where, when, who, how?????????

Financial health

Stability; Change; Sustainability

Media

What’s the buzz?

Announcements

Growth; Merger; Acquisition; ……Indictment?

ANALYTICS

[Figure: Indicator 1 through Indicator N feed a FILTER, an ENGINE and a VALIDATION stage; each output is an Action, an Escalation or a Report.]

PARAMETERS, TRIGGERS AND PATTERNS

Create parameters based on an assessment of past ACCEPTABLE activity

Triggers can be static or relational

Remember, a delta can be either up or down

Patterns can be developed using historical indicator values and creating a Pattern over a prior period..........6, 12, 18 or 24 months

Be considerate of SEASONAL impact

Approved breach…..unique or parameter/trigger change?

PATTERNS CONTINUED

Patterns can also be created based on a validated incident………loss/breach/failure

Do a look back and create a pattern based on previous indicator values

Predictive Analytics uses a breach of ANY one or two indicator triggers and generates an automatic assessment of all the indicator values…………and then a match to a previously verified pattern.
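The flow described on the two slides above (a breach of any one trigger prompts an assessment of every indicator, then a match against a verified pattern), as an added Python example that is not part of the original presentation. The indicator names, monthly histories, tolerances and pattern names are constructed assumptions.

```python
# Constructed 24-month histories (oldest first); all names and values are illustrative.
HISTORY = {
    "invoice_amount":  [100, 101, 99, 100, 102, 100, 98, 100, 101, 99, 100, 140] * 2,
    "access_requests": [10, 11, 9, 10, 10, 12, 10, 9, 11, 10, 10, 10] * 2,
    "email_traffic":   [500, 510, 495, 505, 500, 490, 500, 515, 505, 500, 495, 500] * 2,
}
STATIC = {"access_requests": (5, 20)}  # static trigger: fixed acceptable band (assumed)
# Patterns built by look-back from validated incidents: direction of each indicator.
VERIFIED_PATTERNS = {
    "invoice redirection": {"invoice_amount": 1, "access_requests": 1, "email_traffic": -1},
    "provider wind-down": {"invoice_amount": -1, "access_requests": -1, "email_traffic": -1},
}

def seasonal_baseline(series, season=12):
    """Mean of the same calendar month in prior years (December vs. past Decembers)."""
    same_month = series[-season::-season]
    return sum(same_month) / len(same_month)

def direction(series, value, tolerance):
    """Relational check: +1/-1 if the delta from baseline exceeds tolerance, else 0."""
    base = seasonal_baseline(series)
    delta = (value - base) / base
    return 0 if abs(delta) <= tolerance else (1 if delta > 0 else -1)

def static_breach(name, value):
    """Static check: value falls outside the fixed band, if one is defined."""
    low, high = STATIC.get(name, (float("-inf"), float("inf")))
    return not low <= value <= high

def assess(current, history=HISTORY, trigger=0.15, drift=0.05, min_score=0.66):
    """A breach of any one trigger scores ALL indicators against verified patterns."""
    breached = [k for k, v in current.items()
                if direction(history[k], v, trigger) or static_breach(k, v)]
    if not breached:
        return {"breached": [], "match": None}
    # Full assessment uses the tighter drift tolerance to catch sub-trigger movement.
    signature = {k: direction(history[k], v, drift) for k, v in current.items()}
    scores = {name: sum(signature.get(k) == d for k, d in pat.items()) / len(pat)
              for name, pat in VERIFIED_PATTERNS.items()}
    best = max(scores, key=scores.get)
    return {"breached": breached, "signature": signature,
            "match": best if scores[best] >= min_score else None}

if __name__ == "__main__":
    # Constructed month: only the invoice trigger breaches; the other two merely drift.
    print(assess({"invoice_amount": 130, "access_requests": 11, "email_traffic": 460}))
```

The same invoice value of 138 is quiet when the month being assessed is a December (baseline 140) and a breach in January (baseline 100), which is the seasonal effect the slide warns about.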

**********************************************

And don’t forget the importance of R&CSA

CONTINUOUS ASSESSMENT AND ENHANCEMENT IS THE KEY TO SUSTAINABILITY

[Figure labels: Providers and Consumers; Risks; End to End Governance; Lifecycle Management; Risk parameters; Internal and External data; Triggers; Pattern Matching; Risk & Control Assessment]

PRODUCTS & PLATFORMS

Streamlined Third Party Assessments

Enhanced KYV and Due Diligence

Integrated Risk Analytics

Relationship Lifecycle Management

Activity Monitoring

Enhanced Surveillance with AI and ML

End to End TPM

Third Party IS Threat Detection

You have confirmed one of my theories:

I always end a presentation with more knowledge and ideas than when I started.

Thank you for your time and participation!

John Bree

SVP & Partner

Neo Group Inc.
