Lesson 18 of 25
Investigative Methodology & Intelligence
Turn alerts into defensible conclusions. Separate information, intelligence, and evidence, run a hypothesis-driven intelligence cycle, and plug into the FIU and Egmont network.
From alert to investigation
- Investigations turn signals into conclusions
- Triggered by alerts, tips, SARs, or referrals
- Goal: prove, disprove, or escalate
- A core CFCS content area
We now enter investigations, one of the largest CFCS content areas and the place where everything you've learned gets applied. An investigation is the disciplined, objective process of turning a signal (a monitoring alert, a whistleblower tip, a suspicious activity report, a law-enforcement referral, a negative-news hit) into a defensible conclusion. The goal is not to assume guilt; it's to prove, disprove, or escalate a hypothesis using evidence, and to do so with an open mind that follows the facts wherever they lead.
A common exam distractor frames the investigator as a prosecutor out to convict; the correct posture is the neutral fact-finder. Over the next three lectures we'll cover methodology and intelligence, then evidence and interviewing, then public records and tracing the money. Let's start with how a professional thinks about an investigation.
Information, intelligence, evidence
- Information — raw, unassessed facts
- Intelligence — analyzed, assessed for reliability
- Evidence — admissible to prove a fact
- Knowing the difference shapes your handling
Three terms get confused, and the exam separates them deliberately. Information is raw, unassessed material: a name, a transaction, a rumor, a tip. It may be true or false; you don't yet know. Intelligence is information that's been collected, analyzed, and assessed for reliability of the source and relevance to the question; it tells you what the information likely means and how much weight to give it.
Evidence is material that can actually be used to prove a fact in a legal or regulatory proceeding, often subject to strict rules about how it was obtained, its authenticity, and an unbroken chain of custody. Treating unverified intelligence as if it were proven fact, or mishandling a document so it can't later serve as admissible evidence, are classic, case-killing mistakes. A specialist always knows which of the three they're holding, because that determines how they may use it.
The intelligence cycle
- Direction → collection → processing → analysis → dissemination
- Iterative, not one-and-done
- Each cycle sharpens the next question
- Drives efficient, focused work
Professional investigators borrow a structure from the intelligence world: the intelligence cycle. It runs from direction (deciding what you need to know and setting the requirement), to collection of relevant information from internal records and external sources, to processing and analysis that turns raw data into assessed intelligence, to dissemination (getting the right insight to the right decision-maker in a usable form). Then it loops, a step sometimes called feedback: the answers raise new questions and the cycle repeats.
The value of the cycle is focus, and it also respects the data-minimization and proportionality limits we met under privacy. Instead of hoarding everything and hoping, you define the question, gather only what answers it, and iterate. On the exam, when asked how to run an investigation efficiently, the structured, hypothesis-driven cycle is the right instinct, not a fishing expedition.
Hypothesis-driven investigation
- Form a clear, testable hypothesis
- Seek evidence that could disprove it
- Guard against confirmation bias
- Document reasoning at each step
Good investigations are hypothesis-driven. You form a clear, testable proposition (for example, "this customer's deposits are proceeds of an unregistered money-transmission business") and then you actively seek evidence that could disprove it, not just confirm it. This is the same falsification mindset a scientist uses. That discipline guards against confirmation bias, the trap of noticing only what fits your theory, and against anchoring on your first impression.
Consider innocent explanations too (the deposits might be a legitimate cash business) so you can rule them in or out. If the disproving evidence never appears and the confirming evidence mounts, your conclusion is strong and defensible. Throughout, you document your reasoning and sources at each step, because a financial-crime conclusion may end up in a regulatory file, a SAR narrative, an internal report, or a courtroom, and it must withstand scrutiny.
FIUs, sharing, and recap
- FIUs receive and analyze SARs (FATF R.29)
- Egmont Group links FIUs across borders
- Investigators feed and draw on the wider system
- Recap: info vs intel vs evidence, the cycle
No investigation happens in isolation. Financial intelligence units (FIUs), which FATF Recommendation 29 requires every country to establish, sit at the national center, receiving suspicious activity reports, analyzing them, and disseminating intelligence to law enforcement and supervisors; in the United States that FIU is FinCEN. The Egmont Group, now linking more than a hundred and sixty FIUs, lets them exchange information securely across borders so a cross-jurisdictional scheme can be pieced together.
As an institutional investigator, you both feed this system, through clear, complete, well-written SAR narratives, and benefit from it, through typology guidance and feedback. So, recap: an investigation turns signals into defensible conclusions; distinguish information, intelligence, and evidence; run a structured, hypothesis-driven intelligence cycle that seeks to disprove; and remember the FIU and Egmont network you plug into. Carry one habit into every scenario: name what you are holding (information, intelligence, or evidence) before you decide what to do with it, because the right next step almost always flows from that classification.
Next, we cover evidence, interviewing, and source analysis. Test yourself first.
Sources
- Egmont Group (FIU intelligence exchange)
- FATF Recommendation 29 (financial intelligence units)
- FFIEC BSA/AML Examination Manual (investigations)
- ACFCS CFCS 'Investigations' content area
Test your knowledge
A few CFCS questions on this material.
Q1. A company's sales agent in a foreign country was hired after a foreign official specifically requested him by name, receives commissions far above the market rate, and directs payments to a third-country offshore account. The company closes the deal and later claims it lacked 'specific knowledge' of wrongdoing. Under FCPA doctrine, what is the problem with this defense?
Q2. A payment message arrives at a U.S. correspondent bank. The originator field has been left blank and the beneficiary field reads only 'customer.' The U.S. bank cannot determine whether any sanctioned party is involved. Which sanctions-evasion typology does this illustrate?
Q3. What is the key operational difference between UN Security Council Resolutions 1267 and 1373 for financial institutions?
Q4. OFAC's published 'Framework for OFAC Compliance Commitments' identifies five pillars of a sanctions compliance program. Which of the following is NOT one of those five pillars?