Financial Crime Investigation Workflow for Indian BFSI

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

Financial crime investigations — fraud, money laundering, embezzlement — combine traditional forensic accounting with modern OSINT and digital forensics. For Indian BFSI compliance teams and external investigators, the workflow has standard phases. This article covers the practitioner workflow.

The investigation phases

  1. Trigger / referral — internal SAR (Suspicious Activity Report), regulator query, customer complaint, whistleblower
  2. Scoping — define subject, time period, suspected modus operandi
  3. Data acquisition — transaction logs, KYC, communications, device data
  4. Forensic analysis — patterns, anomalies, network of associates
  5. Reporting — internal MIS + regulatory filings (FIU-IND, RBI, SEBI as applicable)
  6. Action — account closure, customer notification, law enforcement referral

Data sources

Source                              Insight
Transaction logs                    Money flow patterns
KYC database                        Subject identity, document hashes
Email / chat archives               Communication patterns, accomplices
Mobile device forensics             App usage, location data, contacts
External: PAN / Aadhaar databases   Identity verification (lawful access only)
External: ROC / MCA                 Company directorship, beneficial ownership
OSINT                               Lifestyle indicators, business associations

Common patterns

1. Layering / transaction laundering

-- Identify rapid pass-through patterns (mule accounts).
-- Assumes a direction column ('credit' = money in, 'debit' = money out)
-- so inflow and outflow are summed separately; summing the same amount
-- for both would make the 5% balance test always true.
SELECT *
FROM (
  SELECT account_id,
         COUNT(DISTINCT counterparty)                               AS counterparties,
         SUM(CASE WHEN direction = 'credit' THEN amount ELSE 0 END) AS total_inflow,
         SUM(CASE WHEN direction = 'debit'  THEN amount ELSE 0 END) AS total_outflow,
         AVG(time_held_seconds)                                     AS avg_dwell
  FROM transactions
  WHERE date BETWEEN '2026-01-01' AND '2026-04-30'
  GROUP BY account_id
) a
WHERE avg_dwell < 3600          -- average holding time under 1 hour
  AND total_inflow > 1000000    -- more than ₹10 lakh received
  AND ABS(total_inflow - total_outflow) < total_inflow * 0.05;  -- nearly all of it passed through

2. Structuring (smurfing)

Multiple deposits just below reporting threshold (₹10 lakh for cash transactions per PMLA).

-- Repeated cash deposits just under the ₹10 lakh CTR threshold in the last 90 days
SELECT account_id, COUNT(*) AS deposits, SUM(amount) AS total
FROM transactions
WHERE txn_type = 'cash_deposit'
  AND amount BETWEEN 900000 AND 999999        -- ₹9,00,000 to ₹9,99,999: below the ₹10,00,000 line
  AND date > NOW() - INTERVAL '90 days'
GROUP BY account_id
HAVING COUNT(*) > 3;                          -- four or more such deposits per account

3. Round-tripping

Same money flows out and back via intermediaries — common in trade-based money laundering, shell company transactions.
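Round-tripping is easier to spot as a graph problem than with a flat GROUP BY. The check below is an added example written for this article, not the author's or any vendor's code: it treats every transfer as a directed edge and reports loops that leave the subject account and come back through one or more intermediaries within a time window, with the returning amount close to what left. The ledger, account names and the hop, window and tolerance limits are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger, not real data: (txn_id, source, destination, amount_inr, date)
TXNS = [
    ("t1", "ACME_LTD", "SHELL_A", 5_000_000, "2026-02-01"),
    ("t2", "SHELL_A", "SHELL_B", 4_950_000, "2026-02-03"),
    ("t3", "SHELL_B", "ACME_LTD", 4_900_000, "2026-02-06"),   # money comes home via two shells
    ("t4", "ACME_LTD", "VENDOR_X", 1_200_000, "2026-02-10"),  # ordinary payment, never returns
    ("t5", "VENDOR_X", "EMPLOYEE_Y", 80_000, "2026-02-28"),
    ("t6", "ACME_LTD", "SHELL_C", 2_000_000, "2026-03-01"),
    ("t7", "SHELL_C", "ACME_LTD", 600_000, "2026-03-20"),     # partial return, outside tolerance
]

def build_graph(txns):
    """Adjacency list: source -> [(destination, amount, timestamp, txn_id)]."""
    graph = defaultdict(list)
    for tid, src, dst, amt, day in txns:
        graph[src].append((dst, amt, datetime.fromisoformat(day), tid))
    return graph

def find_round_trips(txns, subject, max_hops=4, window_days=30, tolerance=0.10):
    """Return txn-id chains that leave `subject`, pass through distinct intermediaries
    in time order, and return to `subject` within `window_days` with the returning
    amount within `tolerance` of what left. All three limits are assumed thresholds."""
    graph = build_graph(txns)
    loops = []

    def walk(node, path, out_amt, start_ts, visited):
        if len(path) >= max_hops:            # bound the search depth
            return
        last_ts = path[-1][2]
        for dst, amt, ts, tid in graph.get(node, []):
            if ts < last_ts or ts - start_ts > timedelta(days=window_days):
                continue                     # hops must move forward in time, inside the window
            if dst == subject:
                if abs(out_amt - amt) <= out_amt * tolerance:
                    loops.append([step[3] for step in path] + [tid])
            elif dst not in visited:         # never revisit an intermediary
                walk(dst, path + [(dst, amt, ts, tid)], out_amt, start_ts, visited | {dst})

    for dst, amt, ts, tid in graph.get(subject, []):
        walk(dst, [(dst, amt, ts, tid)], amt, ts, {subject, dst})
    return loops

if __name__ == "__main__":
    for chain in find_round_trips(TXNS, "ACME_LTD"):
        print("possible round-trip:", " -> ".join(chain))
```

On the sample ledger only the t1 -> t2 -> t3 loop is reported; the partial return through SHELL_C falls outside the 10% tolerance and the vendor payment never comes back.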

4. Lifestyle inconsistency

Subject’s declared income vs spending pattern. OSINT (social media, vehicle ownership, property) reveals discrepancy.

The toolchain

  • SAS AML / Actimize / Quantexa — commercial AML platforms with network analytics
  • Maltego — visualise relationships across subjects, accounts, companies
  • Neo4j / TigerGraph — graph databases for relationship analysis
  • i2 Analyst’s Notebook — investigation-grade visualisation (legacy but widespread)
  • Cellebrite / Magnet AXIOM — mobile device forensics

Regulatory filings

  • STR (Suspicious Transaction Report) to FIU-IND (Financial Intelligence Unit) — for any transaction beyond declared business pattern, ₹10L+ cash, etc.
  • CTR (Cash Transaction Report) — >₹10 lakh cash transactions reported routinely
  • CCR (Counterfeit Currency Report) — counterfeit notes detected
  • NTR (Non-profit Organisation Transaction Report) — specific to NPOs

Filing windows vary; the STR is due “promptly upon detection”, with a 7-day window typical for standard cases.

Compliance angle

  • Prevention of Money-Laundering Act (PMLA) 2002 — primary statute
  • RBI Master Direction on KYC — onboarding and ongoing due diligence
  • RBI Master Direction on AML — STR, ongoing monitoring
  • SEBI / IRDAI sectoral overlays for capital markets / insurance
  • FATF recommendations — international framework Indian regulations align to

The takeaway

Financial crime investigations combine SQL-driven pattern detection, graph-based relationship analysis, and OSINT. The workflow is well-defined; the differentiator is data quality and analytical sophistication. AML platforms automate routine detection; complex investigations need bespoke analysis. Regulatory filings (STR / CTR) are the operational output.
