Anomaly Detection in Anti-Money Laundering Transaction Monitoring
In 2018, when we made the switch from a transaction-centric detection system to user-centric detection, we were certainly right. There are clear advantages for risk analysis in using digital identities and focusing the analysis on users instead of transactions (without user context). The detection of suspicious users based on anomalous behavior is central to IdentityMind’s AML machine learning strategies.
To get to this point in the use of machine learning, we started by doing tons of work on our data architecture and capabilities so that we could start talking about graph intelligence. Then we built APIs that allowed us to reach the graph intelligence data in real time (see video below). This proved fundamental for training our risk and AML machine learning models.
This article is the continuation of a previous post we wrote about the use of anomaly detection for detecting risk associated with individuals using a statistical technique called Interquartile Range (IQR). We noted at the end that further work involving the use of anomaly detection based on our Electronic DNA (eDNA™) technology was coming.
Last month we published our white paper on the use of our Graph Intelligence and its specific application to money laundering and risk.
In this article we elaborate on the anomaly detection aspects of Graph Intelligence, and how machine learning on digital identities, and more specifically our eDNA™, is a powerful anomaly detection tool.
It is worth mentioning that we continue to be focused on the applicability of machine learning for AML in practical ways that your risk and compliance team can actually use in their daily operations.
AML Machine Learning and Anomaly Detection
It is not our intent to write an academic paper, but it is important to note that there are several well-known techniques for machine-learning-based anomaly detection. These techniques include Clustering and Support Vector Machine, all well documented in the literature.
As we were developing our own detection models we found that a Gradient Boost Machine (GBM) gave us excellent results for accurately finding fraud and suspicious behavior. In simple terms, the GBM technique gives good results in finding “what to look at” when the data sets are unbalanced. Such is the case in large transaction environments, where the large majority of the data is good and only a few cases are bad. It is quite appropriate, then, for finding suspicious activities in financial transactions.
IdentityMind Intelligence Graph Approach
The identity graph, as we have documented (many times) before, is a digital representation of users’ identities: in other words, your clients, the ones that perform transactions. This is relevant because in order to monitor transactions you need a clear depiction of the user (or users) associated with the transaction.
Digital identities have been recognized as fundamental for proper anti-money laundering. FATF (Financial Action Task Force) published last November their draft guidance on the use of digital identities. It is expected that digital identity approaches will become an integral part of their recommendations, and therefore likely to become part of the regulatory framework of those jurisdictions associated with FATF.
The application of GBM on our identity graph uncovers those users whose identity graphs are anomalous when compared to normal users’ graphs. The question then becomes how to correlate suspicious activities in the AML sense with anomalous identities.
The image below is an application of the GBM in finding suspicious transactions (orange) vs good transactions (blue). This particular model was constructed based on fraudulent activities and their correlation to their identity graphs.
There are two very specific ways to use the graph score that results from the graph intelligence: 1) It highlights users you need to be looking at; 2) It prioritizes suspicious activity alerts.
Users You Need To Look At
If you have a user that is presenting an anomalous identity (in the world of IdentityMind, a graph score below 70), you need to look at it. Machine learning is telling you that such identities are different enough from the norm and similar enough to identities that have been associated with problematic activities. As with any supervised machine learning methodology, your assessment of the transactions associated with such identities is fundamental for the methodology to continue to learn. Human input, especially when coming from highly trained individuals, is paramount for accurate results in a supervised machine learning methodology. Within the IdentityMind platform we call them “tags”, and your analysts can use them through the User Interface or through the APIs.
The primary practical use for machine learning techniques at the moment is, really, their ability to prioritize what your analysts need to deal with. Automated systems issue several alerts, and it is important for efficiency purposes that analysts look at the most important first, meaning the ones that are more concerning, and perhaps more likely to end up with you filing a SAR. The graph intelligence score then allows you to rank your alerts based on the risk of the identity or identities involved in the transactions associated with your alert. Your analysts should probably look first at those that have the highest risk scores (though in our case a lower score is actually higher risk).
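The ranking described above can be sketched as follows. This is an added example, not IdentityMind code or its API: the `Alert` type, the `prioritize` function, the three-bucket ordering and the sample data are assumptions made for illustration; only the threshold of 70 and the "lower score is higher risk" rule come from the article.

```python
from dataclasses import dataclass

ANOMALY_THRESHOLD = 70  # per the article: a graph score below 70 is anomalous

@dataclass
class Alert:              # hypothetical alert record for this example
    alert_id: str
    user_ids: list        # identities involved in the alerted transactions
    created: str          # ISO 8601 timestamp; tie-break, oldest first

def prioritize(alerts, graph_scores):
    """Order alerts so those involving the riskiest identities come first.

    An alert takes the LOWEST graph score among its identities, because a
    lower score means higher risk. Buckets (an assumption of this example):
    0 = an anomalous identity is involved, 1 = no identity has a score yet
    (cannot be deprioritized on score), 2 = all scored identities look normal.
    """
    queue = []
    for alert in alerts:
        known = [graph_scores[u] for u in alert.user_ids if u in graph_scores]
        worst = min(known) if known else None
        bucket = 1 if worst is None else (0 if worst < ANOMALY_THRESHOLD else 2)
        queue.append({
            "alert": alert.alert_id, "bucket": bucket, "worst_score": worst,
            # Identities without a score are surfaced, not silently ignored.
            "unscored_users": [u for u in alert.user_ids if u not in graph_scores],
            "created": alert.created,
        })
    # Within a bucket: lowest score first, then oldest alert first.
    queue.sort(key=lambda r: (r["bucket"], r["worst_score"] or 0, r["created"]))
    return queue

# Constructed sample data: graph scores per user and a set of open alerts.
SCORES = {"u1": 92, "u2": 41, "u3": 68, "u4": 85, "u5": 41}
ALERTS = [
    Alert("A-100", ["u1"], "2024-03-01T09:00:00"),
    Alert("A-101", ["u4", "u2"], "2024-03-01T10:30:00"),
    Alert("A-102", ["u9"], "2024-03-01T08:15:00"),
    Alert("A-103", ["u3", "u9"], "2024-03-01T07:45:00"),
    Alert("A-104", ["u5"], "2024-03-01T06:00:00"),
    Alert("A-105", ["u4"], "2024-03-01T05:00:00"),
]
```

An alert with several identities inherits the score of its riskiest one, so a normal-looking counterparty does not pull an anomalous user down the queue.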
The Road to Operational Efficiencies
Technology is better when used to improve your day to day. Transaction monitoring can be daunting given the potentially high number of alerts. Knowing what to address first in those cases is fundamental to efficient operations. Anomaly detection techniques are good, very good, at helping your team focus on the things that matter. Both statistical techniques, like IQR, and machine learning, like Graph Intelligence, highlight the important users and activities on which to focus your efforts.
The IdentityMind platform continues to build capabilities to make your compliance operations efficient.