How Public Data Drives Proactive Prevention of Financial Crimes in the Wake of Disaster

Rashida Kamal
Published in Enigma
5 min read · Dec 21, 2017

It is no secret that financial fraud follows natural disasters. The two are so closely entwined that the Justice Department saw fit to establish the National Center for Disaster Fraud soon after Hurricane Katrina. The unfortunate reality of our cacophonous, modern world is that even though there are always helpers to be found after such catastrophes, there are also some who use those difficult moments as an opportunity to help themselves.

After the recent bout of hurricanes and wildfires this fall, the Financial Crimes Enforcement Network (FinCEN) put out an advisory to warn financial institutions to look out for specific kinds of suspicious financial activity. The advisory warned against benefits and charity fraud, particularly noting attempts to elicit funds on websites disguised to look like familiar charities and deceptive campaigns on crowdfunding sites.

To gain an understanding of the landscape of financial activity after major natural disasters, we examined FinCEN’s publicly available data on suspicious activity report (SAR) filings.

FinCEN’s SAR data provides a glimpse into the aftershock within financial institutions in the wake of a disaster. In order to see how a local area may be affected after an event such as a hurricane, flood, or mudslide, we examined the changes in the number of filings of affected states relative to other parts of the country.

Because the data encompasses more than 80 suspicious activity categories, the pattern of filings can be somewhat noisy. We regrouped FinCEN’s suspicious activities into 13 categories based on groupings introduced in prior FinCEN reports and our own analysis. The categories included groups such as fraud, structuring, customer behavior, and cyber-related activities. We found that for several natural disasters, cyber- and insurance-related activities spiked within a year of a given disaster.

Though we’ve taken steps to ensure that the spikes we’ve examined are meaningful departures from the norm for a given state, it is not possible to establish a causal relationship between the spikes and the natural disaster.

For example, hubs of financial activity such as New York see a wide range of spikes in any given time window. In other cases, there are multiple events that may be triggering an increase in activity. In Texas, there were spikes in both insurance-related fraud and terrorism-related suspicious activities in the first year after the 2015 floods. The missing context, in this situation, is that Garland, Texas had been the site of the first ISIS-claimed attack on U.S. soil in 2015.

Other areas presented a somewhat simpler picture: Washington state, after its 2014 mudslide, only had a meaningful spike in insurance-related reports, and Colorado, after its 2013 floods, only saw a significant uptick in cyber-related filings. Though other categories saw a few suspicious activity types deviate from the norm, the groups of activities within the other categories remained relatively quiet after the natural disasters.
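One way to test for a "meaningful departure from the norm for a given state", as an added example that is not Enigma's code or method: it divides a state's monthly filings in one category by the national count, following the comparison with other parts of the country, and scores post-event months against the pre-event baseline. The counts, the median/MAD scoring and the 3.5 threshold are assumptions constructed for illustration.

```python
from statistics import median

# Constructed monthly SAR counts for one category in one state; not real FinCEN data.
# Each row: (month, state_count, national_count)
SAMPLE = [
    ("2013-10", 40, 2000), ("2013-11", 42, 2000), ("2013-12", 38, 2000),
    ("2014-01", 41, 2000), ("2014-02", 39, 2000), ("2014-03", 40, 2000),
    ("2014-04", 44, 2000),   # event month: small rise, within normal variation
    ("2014-05", 90, 3000),   # state share jumps from about 2% to 3%
    ("2014-06", 60, 3000),   # raw count is high, but so is the whole country
    ("2014-07", 70, 2000),   # state share jumps to 3.5%
]

def robust_z(value, baseline):
    """Modified z-score using median and MAD, less sensitive to past outliers."""
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline])
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def flag_spikes(rows, event_month, threshold=3.5):
    """Return (month, score) for post-event months whose state share of
    national filings exceeds the state's own pre-event norm."""
    pre = [s / n for m, s, n in rows if m < event_month and n > 0]
    if len(pre) < 6:
        raise ValueError("need at least 6 pre-event months for a baseline")
    flagged = []
    for month, state, national in rows:
        if month >= event_month and national > 0:
            z = robust_z(state / national, pre)
            if z >= threshold:
                flagged.append((month, round(z, 1)))
    return flagged

if __name__ == "__main__":
    for month, score in flag_spikes(SAMPLE, "2014-04"):
        print(month, score)
```

A flagged month is only a departure from the baseline; as the examples above show, it says nothing about what caused it.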

There were also a few trends that emerged across 21 major natural disasters we examined. In the first three months after a disaster, the most common activities to lurch upwards involved Automated Clearing House (ACH) transactions, account takeovers, and multiple individuals with similar identities. After six months, by contrast, suspicious activities involving business loans became more common.

To view an interactive version of the chart above, click here.

Our analysis examined a relatively small subset of natural disasters. It would be valuable for financial institutions to collect additional data on the types of suspicious activities that tend to spike after natural disasters and other types of major events. An expansion of our analysis to a larger set of events has the potential to yield meaningful patterns that can inform how financial institutions create and adjust monitoring rules in a more proactive manner.

Our analysis of SARs data around past events supports what we know from the new FinCEN advisory and what we might guess from news reports: cyber-related and insurance-related activities require special attention after a natural disaster. It should, however, alert financial institutions to an intriguing possibility: there is enough evidence in just the aggregate count of SAR filings to allow financial institutions to have anticipated the 2017 FinCEN advisory on natural disasters by years.

In other words, for a financial institution that is collecting data on its processes and making an effort to overlay that information with additional data containing contextualizing factors (such as major events), the FinCEN advisory need not be new information.

The advisory does, however, provide yet another important hint as to what financial institutions can do to be more proactive after a disaster. It echoes the warnings of a report by the Center of Internet Security that highlights anticipated activity involving fake charities and fraudulent websites. Intriguingly, the report mentions the appearances of new web domain name registrations that include the names associated with high-profile events, including named storms. Financial institutions could use external data such as domain name registrations to evaluate how suspect account activity may be. They could also utilize data from IRS Form 990s submitted by non-profits to assess the legitimacy of charities.
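A minimal screen for the domain-registration signal mentioned above, as an added example rather than code from Enigma, FinCEN or the report: it flags domains registered shortly after an event whose names combine the event's name with a donation-related term. The registration feed, the watch lists, the reference date and the 60-day window are all constructed assumptions.

```python
from datetime import date

EVENT_TERMS = ("harvey", "irma", "maria")                       # assumed watch list
APPEAL_TERMS = ("relief", "donate", "donation", "fund", "charity")

# Constructed registration feed: (domain, registration date); not real data.
FEED = [
    ("harvey-relief-fund.example", date(2017, 8, 27)),
    ("irmadonate.example", date(2017, 9, 8)),
    ("maria-photography.example", date(2017, 9, 25)),   # event name, no appeal term
    ("harveys-bakery.example", date(2011, 3, 2)),       # predates the event
    ("harveyrelief.example", date(2016, 1, 5)),         # predates the event
]

def screen(feed, watch_start, window_days=60):
    """Return domains registered within window_days after watch_start whose
    name contains both an event term and an appeal term."""
    hits = []
    for domain, registered in feed:
        age = (registered - watch_start).days
        if not 0 <= age <= window_days:
            continue
        # Drop the final label (TLD) and hyphens so "harvey-relief" matches.
        name = domain.lower().rsplit(".", 1)[0].replace("-", "")
        event = next((e for e in EVENT_TERMS if e in name), None)
        appeal = next((a for a in APPEAL_TERMS if a in name), None)
        if event and appeal:
            hits.append({"domain": domain, "event": event,
                         "appeal": appeal, "days_after": age})
    return hits

if __name__ == "__main__":
    # Constructed reference date for the start of the watch window.
    for hit in screen(FEED, date(2017, 8, 17)):
        print(hit)
```

A hit is a prompt for review, for example checking the named organization against IRS Form 990 data, not a finding of fraud.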

A world of external datasets, including the public SARs data, could help financial institutions to not only make sense of trends in filings in particular areas after natural disasters, but also enhance mechanisms for monitoring and assessing flagged instances of suspicious activity in the future. The insights gleaned from this data can point not only to ways to better manage the aftermath of major events, but also to how institutions can be more strategic about their data operations moving forward. Specifically, in the wake of a natural disaster, financial institutions can tweak customer risk models to detect areas of vulnerability or re-deploy resources to respond to case types of anticipated spikes. A quicker response time would allow financial institutions to both minimize potential business losses and, critically, alert authorities to investigative leads.

Increased data availability and information-sharing across the public and private sectors allow for more opportunity to share these insights with the relevant parties, a necessary preparation for storms to come.

Originally published at www.enigma.com on December 21, 2017.
