What’s Been Cooking in the Conduct Risk Exchange? Rumors, Poaching, Holistic Alerts and Cybersecurity

Published On March 1, 2019

Behavox offers clients unrestricted access to the Conduct Risk Exchange (CRX), an online app store that allows users to download scenarios, reports, and widgets built by our team of in-house compliance experts, in collaboration with our clients, and updated regularly.

In each edition, Radar analyzes cutting-edge, effective CRX scenarios that have been applied to real data sets, to keep Behavox clients up to date with current market practice.


Speciality chip-maker Audience Inc.’s share price plunged 28 percent on January 29, 2013, after a flurry of tweets warned the firm was under investigation by the United States Department of Justice. The next day, research and drug development company Sarepta Therapeutics’ stock price dropped 16 percent after the market picked up information shared on Twitter about the firm being under investigation.

The tweets were false and came from James Alan Craig, a Scottish trader who created fake accounts to resemble the official accounts of two research firms, Muddy Waters and Citron Research. The rumors caused cumulative losses to shareholders of £1.1m and Craig was indicted by US prosecutors.

Behavox created a rumors scenario to detect market manipulation through false rumors. The scenario looks for communications where there are indications of rumors influencing people to act in a particular way. Rumors can be used in tandem with a spoofing scenario to more effectively surveil for various types of market manipulation.

The rumors scenario leverages natural language processing and machine learning technology to ensure Compliance users receive relevant alerts in the context of financial transactions and market activity. The algorithm utilizes machine learning to generate alerts specific to rumors with a business context. All this is combined with a collection of words and phrases to work across e-communications and voice data. The scenario is available in English or Spanish and will be extended to a number of other languages by the end of the year.


In February 2019, KPMG was accused of poaching 130 lawyers from French law firm Fidal. This trend is not limited to talented lawyers and is common in capital markets too, particularly amongst hedge funds.

The CRX team has developed a poaching scenario to detect instances where recruiters are contacting monitored employees to lure them away to competitors. It protects the company against competitors snatching talent the company has invested time and resources in. This scenario is not only of interest to human resources but also senior management and is customized for each client based on a list of its main competitors (an example can be email addresses or Bloomberg IDs).

Early detection of poaching is important for two reasons:

  1. Proprietary information and strategies are at risk when employees, privy to this intellectual property, are recruited into a direct competitor.
  2. Turnover bears heavy costs as companies invest significant time and resources in developing talent.

Badge swipes – holistic alerts

To detect when an employee is going rogue, a business will need proactive, holistic surveillance. There are often tell-tale signs that can expose potential fraud; erratic business hours is a common occurrence.

Consider the following: an employee in your company is planning to leave at the end of the week. He starts going into the office at 3am to print an unusually large volume of documents. No one is aware of this new behavior. If compliance officers spotted a red flag like this, proactive measures could have been taken.

The CRX team has developed a solution that can detect such patterns and behaviors. This scenario is called Holistic Alerts. The scenario monitors all structured data such as badge swipes to the trading floor, as well as printer logins and proxy logins. It marries unstructured communications, either verbal or written, with structured data. Using these two indicators the platform uses machine learning to identify the regular behaviors of employees and detects any potential deviations. The scenario can indicate the “usual behavior” for different offices. For example, going to work at 5 am may be the “norm” for another overseas office.


Cybersecurity scenarios ensure that the company isn’t leaking sensitive information such as restricted documents or contracts from within. An example shared passwords which could result in unauthorized access to internal systems. The CRX team has developed a scenario that monitors communications for the unauthorized sharing of passwords. The scenario searches for a set of letters, symbols, and numbers used with close proximity to the word “password” and for phrases that relate to the potential disclosure of a password.

The importance of guaranteeing an appropriate use of passwords only by authorized personnel is relevant for all businesses. In July 2016, a US court made it easier for employers to prosecute both current and previous employees for accessing computer systems without authorization. The ruling was made under the Computer Fraud and Abuse Act (CFAA) against the defendant, David Nosal, who used a password provided to him by his previous assistant at recruitment firm Korn-Ferry.

Another way of sharing unauthorized information is through communications with internal teams. Communications channeled to personal email accounts usually carry a higher risk. The personal email scenario detects emails sent to personal email accounts containing company documents. This includes personal domains such as “@yahoo, @hotmail, @gmail etc’’.

It has been observed that employees entering the last 45 days of their contract/leave date carry a higher risk of leaking unauthorized information. The scenario specifically monitors that scope of time.

The volume and timing of the communication could also be crucial in understanding whether an employee may be engaged in wrongdoing. The Behavox Model scenario detects if there is an abnormal increase in email flow with attachments to external domains/parties, while the Sensitive Documents Detection scenario focuses on emails that include attachments that either has an empty body or contain phrases that could indicate the unauthorized disclosure of information. Combined, they provide a comprehensive detection mechanism.

Behavox runs regular scenario workshops with its existing clients where they collaborate and compare notes on hit rates, success and trends in scenario adoption, as well as specifying new market practices that require new scenarios to be built with the Behavox Scenario Factory.

For further inquiries email Kateryna Yanovska: [email protected].