As a follow-up to the AML and OSINT post I did last week, here’s an intriguing and insightful interview with Andrew Rudd on different aspects of AML and how OSINT relates to that career field. Learn from Andrew how you can apply your OSINT skills to a different career field and where the future of both fields is heading. I hope you enjoy this as much as I did, and look forward to a new episode of the podcast in the near future where I discuss both my previous blog post and this interview!
Who are you? What is your background?
I am Andrew Rudd and currently live in the Greater New York area. I have an accent, a mix of British and American. I served in law enforcement for more than 12 years in the UK, where I had focused mostly on doing intelligence work as well as working on covert investigations, criminal finances, and counter-terrorism. I decided to stay in police officer roles instead of becoming a detective and working the same cases day in and day out. I found myself being able to learn more across a range of cases and specialist policing areas. I now work for an international bank as part of one of the leading Financial Crimes Compliance (FCC) programs in the banking industry. The group I work in is focused on conducting deep-dive intelligence analysis on global financial crime and terrorist financing concerns.
How did you get into OSINT?
I really started using the internet for investigations in the early to mid-2000s when I worked in a divisional intelligence unit. It became extremely useful to leverage open source mapping tools to gather information about locations we had an interest in, whether it was for conducting search warrants, for targeted operations, or to identify locations to conduct surveillance from. We had also started seeing an increase in the use of online forums between criminal groups. In 2004 we had investigated some of the Eastern European ATM skimmer and carder gangs in Central London. It was really interesting to see their progression in sophistication and how they developed their TTPs to include the internet.
What OSINT tools or tactics do you use in your work?
Search-engine-wise I spend time using Google, Yandex, Baidu, and Searx. I can spend a lot of time reviewing company registration websites, like Companies House, trying to find the beneficial ownership of entities. If I have a website for a company I’ll try to exploit that and see if there are any connected domains/sites giving me additional company names to conduct further research on. I’ll often use DomainTools, IPaddress.com, CentralOps, Passive DNS, and Yougetsignal. I am fortunate to be able to use i2 Analyst’s Notebook to turn this information into something more actionable. It’s always nice to see things in pictures.
I know you from your work in AML. What do you think is the biggest connection between OSINT and AML?
Definitely the investigative mindset. Working in AML, specifically in an investigative capacity, you have to be curious and want to understand the activity in front of you. What is the source of funds? Who is the beneficial owner? What assets do they have and how did they pay for them? What is the purpose of the transactions I am seeing? To answer these questions you need to leverage multiple sources, but one of the biggest ones I’d say is the use of open sources. OSINT is critical to conducting these, often complex, investigations. An investigator being able to proactively collect and analyze open source information needs to have that same mindset and know how the information applies to their investigation.
What’s the future for OSINT? Considering data privacy laws like GDPR becoming popular, what obstacles do you see OSINT investigators facing in the future?
GDPR was a big one for me. It was a great source of information as to who might be behind a company based on their registrant details. While you can still get some domain information through OSINT, it has been a significant dent as a resource. I think we’ll continue to see some more restrictions on data due to privacy concerns, but as an OSINT community I think we are fairly adaptable and will find ways to locate the information we need. The great thing about the OSINT community is the increasing use of forums, Twitter, and blogs to share information on the subject matter and on new open source tools which assist in conducting our intelligence gathering.
Back to AML. For those who are looking to break into the field with an OSINT background, what can they do to become more competitive in that space?
It depends on what type of financial institution they want to work for, as most have a range of banking products, such as retail, commercial, private wealth, securities, trade, and correspondent banking. All institutions will have compliance programs and should absolutely have analysts and investigators working to review alerted activity. OSINT can absolutely be applied to all of these banking areas as an investigator. I would say the first thing would be to take a look at Indeed and Glassdoor at the job descriptions to see what investigation or intelligence roles have listed as requirements. Focus on the job requirements to see if you can learn the skills they are looking for or if your current experience just needs to be expressed the right way in a resume. I’ve seen plenty of people with no financial background get hired and learn the job fairly quickly (you don’t need to have math skills either!). You’ll need to think about location too. Big banks are generally located in places like New York, Pittsburgh, and Charlotte, but there are others spread out in other places too. For example, HSBC has investigators located in Chicago, while Citi has places in Tampa and Texas. I’d definitely say read up on FinCEN Guidelines, Financial Action Task Force (FATF) Recommendations, and European Directives (good for international banking). I would also suggest reading indictments on current cases to see if you can learn how the criminal groups are operating/moving funds, or the OCCRP has great resources on criminal networks and their financing. I’ve been a member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and the Association of Certified Fraud Examiners (ACFE) for many years, and in the UK, for example, they have the International Compliance Association (ICA). They have some great material whether it be their magazines, newsletters, or training material.
Where possible, I am always happy to have conversations on how people can try to move into the industry.
What’s the biggest misconception you’ve heard about OSINT? What about AML?
I’ve absolutely had bosses that didn’t understand what they were asking for when it comes to OSINT and how long it would take to complete a tasking. I’ve also had senior management stunned that we could locate information using the internet (even as simple as monitoring Twitter for gang or protest activity). Depending on the requirement I would always include an expected time frame and some education on why it might take a little longer than they expected. From an AML standpoint, I think that most people don’t understand the role of AML within the financial industry. Some people think we are there to protect crooked bankers, or just conduct bank fraud investigations, and I’ve occasionally been accused of being a banker myself (I think I’d rather be a lawyer first). They don’t see that some of the significant indictments or investigations come out of the work AML teams do across the sector. There are some very dedicated people in the industry committed to fighting financial crime.
Do you see the OSINT or AML craft being subjected to automation? What’s the value added of human interaction with the data?
We’ve definitely seen an increased use of automation in the AML field. Most AML cases in financial institutions are created through automated alerts, where specific transactions are alerted because of predetermined detection scenarios. There are companies out there that are looking to further the use of AI and machine learning to push the use of automation even further within banking, but the bottom line is an investigator will still need to review the activity. The human investigator can analyze information and make judgments in ways that the machine cannot. A more detailed look at what detection scenarios are can be found here.
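As an added illustration of what a predetermined detection scenario looks like in practice (this is example code written for this post, not from the interview or from any bank's monitoring system), the Python below implements a constructed "structuring" scenario: several cash deposits kept just under the currency transaction reporting threshold within a short window. The transactions, the $10,000 threshold, the 85% band, the 7-day window and the 3-deposit count are all assumed parameters; the output is a queue of alerts for an investigator to review, not a conclusion about the customer.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample transactions: (account, date, type, amount). Not real data.
TRANSACTIONS = [
    ("ACC-1", date(2019, 3, 1), "CASH_DEPOSIT", 9800.00),
    ("ACC-1", date(2019, 3, 2), "CASH_DEPOSIT", 9500.00),
    ("ACC-1", date(2019, 3, 4), "CASH_DEPOSIT", 9900.00),
    ("ACC-2", date(2019, 3, 1), "CASH_DEPOSIT", 12000.00),  # over threshold: caught by CTR filing, not this scenario
    ("ACC-3", date(2019, 3, 1), "CASH_DEPOSIT", 9700.00),
    ("ACC-3", date(2019, 3, 20), "CASH_DEPOSIT", 9600.00),  # two deposits, but too far apart for the window
    ("ACC-4", date(2019, 3, 5), "WIRE_OUT", 9900.00),        # not a cash deposit, ignored by this scenario
]

CTR_THRESHOLD = 10_000.00   # assumed reporting threshold for the example
NEAR_BAND = 0.85            # consider deposits between 85% and 100% of the threshold
WINDOW_DAYS = 7             # rolling window in which the deposits must fall
MIN_COUNT = 3               # how many near-threshold deposits trigger an alert

def structuring_alerts(transactions, threshold=CTR_THRESHOLD, band=NEAR_BAND,
                       window_days=WINDOW_DAYS, min_count=MIN_COUNT):
    """Return one alert per account that has >= min_count near-threshold cash
    deposits inside any rolling window of window_days. An alert is a review
    item for an investigator, not a finding."""
    by_account = defaultdict(list)
    for acct, day, kind, amount in transactions:
        if kind == "CASH_DEPOSIT" and threshold * band <= amount < threshold:
            by_account[acct].append((day, amount))
    alerts = []
    for acct, deposits in by_account.items():
        deposits.sort()
        for start, _ in deposits:
            end = start + timedelta(days=window_days)
            window = [d for d in deposits if start <= d[0] <= end]
            if len(window) >= min_count:
                alerts.append({"account": acct, "scenario": "STRUCTURING_NEAR_CTR",
                               "count": len(window),
                               "total": round(sum(a for _, a in window), 2),
                               "first": window[0][0], "last": window[-1][0]})
                break  # one alert per account per run; the analyst reviews the full history
    return alerts

if __name__ == "__main__":
    for alert in structuring_alerts(TRANSACTIONS):
        print(alert)
```

Only ACC-1 is alerted: ACC-2 is over the threshold (a reporting matter rather than a structuring pattern), ACC-3's deposits are outside the window, and ACC-4 is not a cash deposit.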
You come from a public sector background (law enforcement). What were the biggest obstacles you faced transitioning from the public to private sector with your skill set and terminology?
Not only did I come from a law enforcement background, but also a different country, so I was trying to convey how my UK background related to that of a US candidate. It was very frustrating for the first month or so, and my first offer came with a potential move to work for the Houston Police Department, but I then fell into a contract AML role in New York. Looking back now I think I have often undersold my experience in my resumes and should have looked at changing the terminology used to match that of the job description, so it makes it easier for the recruiter/hiring manager to understand where you are coming from. You can always address this further during the interview stage to make it clearer. For those looking to make the move, use LinkedIn and look at people who have made similar transitions into the field, and even reach out to some of them to seek out advice.
What’s one resource you’ve found to be irreplaceable or something you think others may not be aware of?
I think I’ll say what I need the most. I’d definitely love to be able to use more open source tools which can’t be accessed from a corporate network. Most AML functions aren’t fully on board with the need for specialist tools for the type of work we could be doing, going that extra step. And truthfully, not all AML roles require it. Certainly those of us in a proactive capacity should be looking to work on standalones and/or virtual machines. I’ve worked with some great vendors to look at virtual machine options, such as Ntrepid and Authentic8.