
Lesson 19 of 25

Evidence, Interviewing & Source Analysis

4 min read · CFCS

Protect evidence with an unbroken chain of custody, understand admissibility, interview with rapport and a plan, and grade your sources for reliability before you rely on them.

Evidence has to survive scrutiny

  • Findings may reach regulators or courts
  • How you gather and handle evidence matters
  • Integrity and authenticity are everything
  • Sloppy handling can sink a strong case

An investigation is only as strong as the evidence behind it, and that evidence has to survive scrutiny from a regulator, an auditor, or a court. How you gather and handle evidence matters as much as what you find. The best documentary proof in the world is worthless if you can't show that it is authentic and that it wasn't altered.

Imagine a perfect spreadsheet of suspect transfers that the defense shows was edited after collection: suddenly it proves nothing, and your credibility takes the hit. A specialist treats evidence with care from the first moment, labeling, securing, and logging it, because sloppy handling can sink an otherwise airtight case. Under the Federal Rules of Evidence (Rule 901, authentication), the side offering an item of evidence bears the burden of producing enough to show that it is what they claim it is.

Let's cover the essentials: chain of custody, the basics of admissibility, effective interviewing, and how to weigh your sources.

Chain of custody

  • Document who handled evidence, when, and why
  • Unbroken trail from collection to use
  • Protects integrity and authenticity
  • Applies to digital evidence too

Chain of custody is the documented, unbroken trail showing who collected a piece of evidence, when and where it was collected, where it was stored, and everyone who handled it afterward. Its purpose is to prove that the evidence presented is the same evidence collected, unaltered. A gap in the chain (an unlabeled exhibit, a missing signature, an hour no one can account for) lets the other side argue the evidence was tampered with or substituted, and a judge may exclude it.

This applies fully to digital evidence: emails, transaction logs, device images. Digital evidence is fragile and easily questioned, so investigators work from forensic copies rather than the original, keep the original write-protected, and use hashing (a cryptographic digest such as SHA-256, in effect a digital fingerprint) to prove a file hasn't changed since collection. The hash is computed at the moment of collection and written into the custody log; anyone who later relies on the file re-computes it and compares. Be clear about what the hash does and doesn't prove: a matching digest shows the file is byte-for-byte identical to what was hashed, but the custody record still has to show that what was hashed was collected soundly in the first place. On the exam, when evidence integrity or the question "who touched this and when" is at stake, chain of custody is your answer.
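As an added illustration (this is not part of the CFCS lesson or the ACFCS materials), here is a small Python tool that does what the paragraph describes: hash an exhibit at collection, log each handoff, and re-hash before use. It goes one step beyond the text by hash-chaining the custody log itself, so an edited or missing log entry is as detectable as an edited file. The exhibit ID, handler names and the CSV of "suspect transfers" are constructed for the example.

```python
"""Chain of custody for a digital exhibit (added example, not the lesson's
own material): hash at collection, log every handoff, re-hash before use,
and hash-chain the log so gaps in it are detectable. Exhibit ID, handler
names and the sample CSV are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash placeholder for the first log entry


def sha256_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in 1 MiB chunks so a large
    device image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody record for one exhibit. Each entry embeds the
    hash of the previous entry, so editing or removing an entry in the
    middle of the chain breaks it."""

    def __init__(self, exhibit_id: str):
        self.exhibit_id = exhibit_id
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON (sorted keys) so the digest is reproducible.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, handler: str, action: str, file_sha256: str, note: str = ""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "exhibit": self.exhibit_id,
            "seq": len(self.entries) + 1,
            "when": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "file_sha256": file_sha256,
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)  # hash computed before the field exists
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        """True if sequence numbers are contiguous and every entry's stored
        hash matches its content and links to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            if not hmac.compare_digest(self._digest(body), e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True


def verify_exhibit(path: str, log: CustodyLog) -> bool:
    """Re-hash the file and compare with the digest recorded at collection."""
    if not log.entries:
        return False
    return hmac.compare_digest(sha256_file(path), log.entries[0]["file_sha256"])


def demo() -> dict:
    """The lesson's scenario: a spreadsheet of suspect transfers edited after
    collection, then a custody log with one handoff quietly removed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "suspect_transfers.csv")  # constructed sample
        with open(path, "w") as f:
            f.write("date,from_acct,to_acct,amount_usd\n"
                    "2024-03-03,ACME-001,OFFSHORE-77,48000\n")
        log = CustodyLog("EX-2024-001")  # hypothetical exhibit id
        h = sha256_file(path)
        log.record("analyst A", "collected", h, "exported from core banking; original write-protected")
        log.record("analyst A", "transferred to evidence locker", h)
        log.record("counsel B", "checked out for review", h)
        results = {"verified_at_checkout": verify_exhibit(path, log)}

        # The defense's scenario: a row is appended after collection.
        with open(path, "a") as f:
            f.write("2024-03-04,ACME-001,OFFSHORE-77,52000\n")
        results["verified_after_edit"] = verify_exhibit(path, log)

        # An hour no one can account for: the locker transfer entry vanishes.
        results["log_intact_before_gap"] = log.chain_intact()
        del log.entries[1]
        results["log_intact_after_gap"] = log.chain_intact()
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner should keep in mind. First, the hash chain catches an entry that was edited or removed from the middle of the log, but not a log that was simply cut off at the end; for that, the latest entry hash needs to be recorded somewhere outside the log (a witnessed ledger, a sealed envelope, a signed export). Second, the file verification only ties the exhibit back to the first entry; the first entry's own credibility rests on the collection procedure the log describes, not on the arithmetic.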

Admissibility basics

  • Relevant, reliable, and lawfully obtained
  • Authentic and properly preserved
  • Illegally gathered evidence may be excluded
  • Work product and privilege considerations

You don't need to be a lawyer, but you should grasp the basics of admissibility. To be useful in a proceeding, evidence generally must be relevant to a fact in issue, reliable, authentic, and lawfully obtained, the same themes the Federal Rules of Evidence build on. Evidence gathered illegally, say by hacking an account, pretexting, or trespassing, may be excluded entirely and, worse, may taint everything it led to, what lawyers call fruit of the poisonous tree. Strictly speaking, that doctrine governs evidence gathered unlawfully by government actors in criminal cases; a private investigator who collects evidence illegally faces a different set of consequences, including civil and criminal liability for the investigator and the firm and a credibility hit that colors everything else in the file, so the practical lesson is the same.

There are also privilege and work-product considerations: certain communications, like genuine legal advice between a client and counsel, may be protected from disclosure. The practical rule for an investigator is simple: gather lawfully and document carefully, keeping originals secure and noting your methods, so that nothing you find is thrown out on a technicality later. A common exam distractor is evidence that's compelling but obtained the wrong way.

Interviewing

  • Plan, build rapport, then question
  • Open questions first, then specifics
  • Listen for what's avoided, not just said
  • Stay lawful, ethical, and documented

Interviewing is a core investigative skill. Effective interviews are planned, not improvised: you know your objectives and the evidence before you sit down, and you decide in advance which facts to confirm and which to test. You build rapport, because people share more when they're at ease, then move from open questions that let the subject talk ("Tell me how this account is used") to specific questions that pin down details ("Who authorized this wire on the third?").

A skilled interviewer listens for what's avoided as much as what's said, watches for non-answers, and notices when a story shifts under gentle pressure. Throughout, the interview must stay lawful and ethical (no coercion, no threats, no deception that crosses legal lines), and it must be documented promptly and accurately, because contemporaneous notes carry weight that later recollection does not, and may themselves become evidence.

Source analysis and recap

  • Assess reliability of the source
  • Assess credibility of the information
  • Corroborate before relying
  • Recap: chain of custody, admissibility, interviewing

Finally, source analysis. Not all information deserves equal trust, so investigators judge the reliability of the source (has this person or system been accurate before?) separately from the credibility of the specific information (does it fit the other evidence?). A reliable source can still pass along a bad tip, and an unreliable source, even a disgruntled insider with an axe to grind, can occasionally be right, so you corroborate before you rely, confirming a key fact through an independent second source rather than acting on a single uncorroborated claim.

This is exactly why the FFIEC manual and good investigative practice prize documentation and independent verification. To recap: protect evidence with an unbroken chain of custody; gather lawfully so it's admissible; interview with a plan, rapport, and good documentation; and grade your sources for reliability and credibility, corroborating before you act. Next, we cover public records, OSINT, and following the money.


Sources

  • Federal Rules of Evidence (chain of custody, admissibility principles, generically)
  • FFIEC BSA/AML Examination Manual (recordkeeping)
  • ACFE investigation/interviewing guidance (generically)
  • ACFCS CFCS 'Investigations'

Test your knowledge

A few CFCS practice questions.

  1. A U.S. company discovers it inadvertently processed 12 wire transfers to a non-SDN company that is majority-owned by two SDNs, a fact the U.S. company did not realize because it only screened names against the SDN List. It now self-discloses to OFAC. Which compliance failure does this scenario illustrate, and what should the program have included?

  2. A launderer converts Bitcoin into Monero (a privacy coin) and then back to Bitcoin before cashing out at a lightly regulated exchange. Which crypto-laundering technique does this chain illustrate?

  3. A compliance team proposes collecting and indefinitely retaining all transaction data on every customer "just in case it is useful in future investigations." Which GDPR principle does this most directly violate?

  4. A BSA officer proposes lowering the transaction-monitoring alert threshold from $50,000 to $5,000. The operations team objects because this will generate 10,000 alerts per day instead of 500. What is the primary risk of alert volumes that exceed the team's review capacity?
