Monitoring money laundering activities with the Splunk App for Behavioral Analytics
As a financial services provider, your organization must comply with anti-money laundering (AML) regulations. Money laundering often involves complex schemes to disguise the origin of illicit funds through multiple transactions, often involving high-risk countries or unusual transaction patterns. To protect your customers and comply with regulations, you need to detect activities like structuring (smurfing), rapid movement of funds, and transfers involving high-risk jurisdictions.
Detecting AML activities can be a significant challenge for compliance teams, as threat indicators and money laundering tactics constantly evolve.
This article shows you how to use the Splunk App for Behavioral Profiling to create advanced techniques leveraging user behavioral analytics to stay ahead of emerging threats. For basic searches in the Splunk platform to create basic detection methods, see Monitoring for money laundering activities with the Splunk platform.
Prerequisites
- Splunk Enterprise version 9.x.x or higher / Splunk Cloud Platform version 9.xx or higher
- Splunk App for Behavioral Profiling, which should be installed and configured
- Splunk Machine Learning Toolkit
- Python for Scientific Computing
- Sample fraud data for Splunk App for Behavioral Profiling
Data required
- Application data for consumer financial applications
How to use Splunk software for this use case
The Splunk App for Behavioral Profiling leverages advanced machine learning models that continuously analyze transaction behavior over time. By establishing a baseline of normal activity for each account, the app identifies deviations such as unusually large transactions, rapid fund movements, or transactions involving high-risk jurisdictions.
Incorporating these techniques will enable you to proactively detect potential money laundering activities, reduce the need for manual investigations, and enhance your overall compliance and fraud prevention strategy.
Make sure to use the correct index and parameter values appropriate to your organization when defining your behavioral indicator search. You do this in step 2 of each of the processes below.
Structuring (Smurfing) detection
Detecting multiple small transactions that together represent a large amount can indicate attempts to avoid detection by breaking down transfers. Recognizing this pattern early helps institutions identify potential money laundering tactics like smurfing, which involve fragmenting funds to bypass reporting thresholds, strengthening compliance and security efforts.
How to create a behavioral indicator search and anomaly scoring rule to detect structuring or smurfing
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index=payment_transactions action=authorized amount<400.
- In Entity Field, select customer. In Other Fields, select amount, _time, and vendor. Verify the selection, and click Next.
- On the Define Indicator page, make the following selections:
- In Function, select avg.
- In Function Field, select amount.
- In Split Timespan, select Yes.
- In Time Window, select 1h.
- Click Next.
- Provide a descriptive Name and a Description. Click Save.
- Verify your Behavioral Indicator configuration is correct. Click Submit.
- Verify that the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Under Entity Specific Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select avg (amount). Click Next.
- In Std. Dev Threshold select 2. You can also choose to add Advanced Settings to configure the Standard Deviation Threshold. Click Next.
- In Scoring Method select Static. Set Scoring Value to 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
Rapid movement of funds
Quick and successive fund transfers between accounts might indicate layering - a tactic in money laundering to obscure the origin of funds. By identifying accounts with unusually frequent transfers, institutions can assess potential risks and detect suspicious activity, minimizing opportunities for illicit financial flows.
How to create a behavioral indicator search and anomaly scoring rule to detect rapid movement of funds
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index=firstfederal.
- In Entity Field, select account_number, and in Other Fields select transaction_type. Verify the selection, and click Next.
- On the Define Indicator page, make the following selections:
- In Function, select count.
- In Function Field, select transaction_types.
- In Split Timespan, select Yes.
- In Time Window, select 30m.
- Click Next.
- Provide a descriptive Name and a Description. Click Save.
- Verify that your Behavioral Indicator configuration is correct. Click Submit.
- Verify that the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Under Entity Group Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select count(transaction_count). Click Next.
- For Std. Dev Threshold select 3. Click Next.
- In Scoring Method select Static. In Scoring Value select 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
Transactions involving high-risk jurisdictions
Transactions routed through high-risk jurisdictions often carry an elevated risk of money laundering. Monitoring for transfers linked to regions with weak AML regulations allows institutions to apply extra scrutiny, helping to ensure compliance with international standards and reducing exposure to illicit activities.
How to create a behavioral indicator search and anomaly scoring rule to detect transactions involving high-risk jurisdictions
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index="firstfederal" transaction_class=international.
- In Entity Field select account_number, and in Other Fields select _dest_country and dest_ip. Verify the selection, and click Next.
- On the Define Indicator page, make the following selections:
- In Function, select dc.
- In Function Field, select dest_country and dest_ip.
- In Split Timespan, select Yes.
- In Time Window, select 1h.
- Click Next.
- Provide a descriptive Name and a Description. Click Save.
- Verify your Behavioral Indicator configuration is correct. Click Submit.
- Verify the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Under Entity Group Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select dc(dest_country). Click Next.
- For Std. Dev Threshold select 3. Click Next.
- In Scoring Method select Static. Set Scoring Value as 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
Unusual transaction behavior
Atypical transactions, such as unexpectedly large transfers, can be a red flag for higher-risk behavior. Identifying outliers that deviate significantly from a customer’s usual activity enables institutions to investigate potential fraud or laundering, supporting both fraud prevention and regulatory compliance.
How to create a behavioral indicator search and anomaly scoring rule to detect unusual transaction behavior
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index=firstfederal.
- In Entity Field select account_number, and in Other Fields select _time, amount, channel, account_type, dest_country, and device_info. Verify the selection, and click Next.
- On the Define Indicator page, make the following selections:
- In Function, select dc.
- In Function Field, select amount, dest_country, and channel.
- In Split Timespan, select Yes.
- In Time Window, select 1h.
- Click Next.
- Provide a descriptive Name and a Description. Click Save.
- Verify your Behavioral Indicator configuration is correct. Click Submit.
- Verify the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Under Entity Group Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select dc(action). Click Next.
- For Std. Dev Threshold select 3. Click Next.
- In Scoring Method select Static. Set Scoring Value as 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
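The four procedures above all follow the same two steps: a behavioral indicator that aggregates one field (avg, count, or dc) per entity over a fixed time window, and a statistical anomaly scoring rule that flags windows lying more than N standard deviations from a baseline and assigns a static score. The Python below is an added illustration of that workflow, not code from the Splunk App for Behavioral Profiling or from this article. It assumes, without confirmation from the article, that an Entity Specific rule baselines each entity on its own windows, that an Entity Group rule baselines every entity against the pooled windows of all entities, and that the baseline includes the window being scored. The transactions are constructed sample data, and the `action=authorized amount<400` filter stands in for the base search.

```python
"""Plain-Python model of a behavioral indicator plus a statistical anomaly
scoring rule. Illustration only; not Splunk App for Behavioral Profiling code.
Assumed semantics: entity_specific = baseline on the entity's own windows,
entity_group = baseline on all entities' pooled windows, baseline includes
the scored window. All events are constructed sample data."""
from collections import defaultdict
from statistics import mean, pstdev


def event(t, **fields):
    """One indexed event; t is epoch seconds, fields mimic extracted fields."""
    return {"_time": t, **fields}


# Structuring sample: customer c1 makes small purchases for five hours, then
# in the sixth hour splits a transfer into four payments just under 400.
STRUCTURING = []
for hour, amounts in enumerate([[40, 40], [50, 50], [60, 60], [50, 50],
                                [50, 50], [390, 380, 395, 385]]):
    for i, amount in enumerate(amounts):
        STRUCTURING.append(event(hour * 3600 + i * 60, customer="c1",
                                 action="authorized", amount=amount))
for hour in range(6):  # customer c2 is perfectly regular: no anomaly expected
    for i in range(2):
        STRUCTURING.append(event(hour * 3600 + i * 60, customer="c2",
                                 action="authorized", amount=50))

# Rapid-movement sample: four accounts each make two transfers per 30 minutes;
# account a1 then makes twelve transfers inside a single 30-minute window.
RAPID = []
for acct in ["a1", "a2", "a3", "a4"]:
    for window in range(4):
        for i in range(2):
            RAPID.append(event(window * 1800 + i * 300, account_number=acct,
                               transaction_type="transfer", amount=100))
for i in range(12):
    RAPID.append(event(4 * 1800 + i * 60, account_number="a1",
                       transaction_type="transfer", amount=100))


def behavioral_indicator(events, entity_field, function, function_field,
                         window_seconds, search_filter=lambda e: True):
    """Return {entity: {window_start: value}} for function avg, count or dc."""
    buckets = defaultdict(lambda: defaultdict(list))
    for e in events:
        if not search_filter(e):           # stands in for the base SPL search
            continue
        start = e["_time"] - e["_time"] % window_seconds   # Split Timespan
        buckets[e[entity_field]][start].append(e[function_field])
    aggregate = {"avg": mean, "count": len, "dc": lambda v: len(set(v))}[function]
    return {entity: {start: aggregate(vals) for start, vals in windows.items()}
            for entity, windows in buckets.items()}


def anomaly_scoring_rule(indicator, std_dev_threshold, scoring_value=100,
                         rule="entity_specific"):
    """Statistical mode: z-score each window against its baseline; Static score."""
    pooled = [v for windows in indicator.values() for v in windows.values()]
    anomalies = []
    for entity, windows in indicator.items():
        baseline = pooled if rule == "entity_group" else list(windows.values())
        if len(baseline) < 2:
            continue                        # nothing to compare against yet
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:
            continue                        # perfectly regular behavior
        for start, value in windows.items():
            z = (value - mu) / sigma
            if abs(z) > std_dev_threshold:
                anomalies.append({"entity": entity, "window_start": start,
                                  "value": value, "z": round(z, 2),
                                  "score": scoring_value})
    return anomalies


def detect_structuring():
    """avg(amount) per customer per 1h, Entity Specific rule, 2 std devs."""
    ind = behavioral_indicator(
        STRUCTURING, "customer", "avg", "amount", 3600,
        lambda e: e["action"] == "authorized" and e["amount"] < 400)
    return anomaly_scoring_rule(ind, 2, 100, "entity_specific")


def detect_rapid_movement(rule="entity_group"):
    """count(transaction_type) per account per 30m, 3 std devs."""
    ind = behavioral_indicator(RAPID, "account_number", "count",
                               "transaction_type", 1800)
    return anomaly_scoring_rule(ind, 3, 100, rule)


if __name__ == "__main__":
    for hit in detect_structuring() + detect_rapid_movement():
        print(hit)
```

Running it flags c1's sixth hour (avg 387.5 against a baseline near 50) and a1's fifth 30-minute window under the group rule, while the same a1 data under an entity-specific rule with a 3 std dev threshold stays silent. That silence is a property of the statistic, not of the data: with a population standard deviation over n baseline windows, a single outlier can reach a z-score of at most sqrt(n-1), so a threshold of 3 cannot fire until an entity has at least ten windows of history. In practice this means the app's statistical rules need a warm-up period before they are meaningful, and that pooling across an entity group (or lowering the threshold, as the structuring rule above does with 2) is what makes sparse-history entities scoreable.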
Next steps
Use your results to make recommendations to the rest of the security team about which accounts should be investigated for potential account takeover. Create reports and schedule them to run at a regular cadence as needed. Be sure to follow any industry policies and regulations that are required for compliance.
To further advance your use cases, the Splunk Essentials for the Financial Services Industry app helps you automate the searches to detect financial crime. The app also provides more insight on how searches can be applied in your environment, how they work, the difficulty level, and what data can be valuable to run them successfully.
The Splunk App for Fraud Analytics provides Splunk Enterprise Security users with a number of other fraud detection solutions for financial services, such as account takeover and new account abuse.
The Splunk App for Behavioral Profiling is a collection of workflows which enable you to operationalize machine learning driven detection and scoring of behavioral anomalies at scale in complex environments, correlated to profile and highlight the entities which require investigation.
If you have questions about monitoring for account takeover in your environment, you can reach out to your Splunk account team or representative for comprehensive advice and assistance. You can contact your account team through the Contact Us page. For more in-depth support, consult Splunk On-Demand Services to access credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.
In addition, these resources might help you understand and implement this guidance:
- Use Case Explorer: Risk-based alerting
- Use case: Monitoring consumer bank accounts to maintain compliance
- Use case: Detecting credit card fraud
- Use case: Detecting wire transfer fraud
- Use case: Investigating interesting behavior patterns with risk-based alerting
- Use case: Monitoring new logins to financial applications
- Use case: Using modern methods of detecting financial crime
- Use case: Detecting multiple account login denials followed by authorization