Skip to content
Harriet Shaw

The spider's web of threat detection: which threats you are catching?

When I think about transaction monitoring rules, I like to imagine a mess of spider’s webs – overlapping and tangled together. The webs are so large and tangled that they catch many flies, more than the spiders can eat. Attracted by the success of the first spiders, more build new and overlapping webs, catching ever more insects. The spiders must work hard to identify which are flies they can eat. Some flies get eaten, some don’t, some remain there rotting for some time. The clever flies, notice the fly graveyard and by-pass the webs all together. They are never caught.

So, the webs are transaction monitoring rules, and the flies are the criminals…. you’re with me, right?

Each web catches multiple flies

I often speak to both customers and tech providers about designing transaction monitoring rules. It is common for this to be a very challenging exercise, particularly when it comes to designing rules that target a particular criminal activity or threat. Or even just understanding what level of coverage each individual rules gives you against criminal activity. This challenge seems to be paramount when it comes to deploying up-and-coming new detection techniques.

Detection rules such as ‘ cash deposit – large sums accumulated over time ‘ span multiple threats, this could a sign of human trafficking but also BEC fraud. While ‘ frequent and extensive payments of passenger tickets, e.g., rental of vehicles ‘ could be sexual exploitation or forced labour.

In other words, it is almost impossible for those designing rules to be clear which flies they are catching, and which are soaring on by.

Many flies to one web and many webs to one fly

Let’s bring the challenge to life. Imagine designing a targeted transaction monitoring rule for sexual exploitation. Some examples of transactional risk indicators could include ‘ high proportion of cash deposits and withdrawals, unusual late-night activity, transfers in-coming and immediately withdrawn, high proportion of payments for hotels/serviced accommodation/transport, lack of other lifestyle payments ‘. These are all potential signs of sexual exploitation but depending on how you combine these risk indicators to form detection rules, you could also be detecting illegal waste trafficking, cash smuggling, or forced labour.

Without mapping the relationship between transactional risk indicators and threat type, you cannot be completely clear on what other types of criminal activity each is picking up.

There are many organisations that have made valiant efforts to map transaction monitoring rules to threats. Resulting in a very complicated spreadsheet, with multiple colours and many merged cells attempting to map the many to one and one to many relationships. A huge headache!

Detangling the webs

To detangle the mess of spider webs, we need to be clear on the rules we have in place, and which threats they are covering.

The key is to use technology to make the link between individual transactional indicators and the threats they are associated with. There are too many connections to do this manually and it is a huge challenge to keep track of this yourself.

Imagine a database of financial crime threats and risks, where each individual transactional risk indicator is linked to the threats it is relevant to. With just a few clicks you could find out which threats your transaction monitoring rules are covering…


Overview of Acuminor’s database of financial crime threats and risks.