The release of our 2.0 platform in June marked a fundamental shift in how we detect and analyze suspicious activity, for both anti-money laundering (AML) and fraud prevention. We at IdentityMind moved from a transaction-centric to a user-centric platform, focusing on users and their digital identities.
As part of this shift, we started to work on analytics that would discover anomalous behaviors from a user perspective, since changes in user behavior are indicative of risk. There are several techniques, mostly based on statistical analysis, and the results vary in terms of false positives and negatives. As with everything in risk analysis, there are no silver bullets. No single technique is sufficient, and they are best used in combination. Anomaly detection is one such tool in the risk detection toolbox.
We are going to focus on one technique in particular in this article: IQR or Interquartile Range, and cover how it can be used to detect user behavior changes based on historical statistical analysis.
Anomaly Detection for Risk and Compliance
Anomaly detection is an umbrella term for statistical methods used to identify anomalies amongst expected patterns of data over many applications. Understanding anomalies not only helps an analyst discover what caused the anomaly, but also provides clues as to how to predict (and prevent) future ones.
Let’s put this into our context. Criminals who need to launder money, say from drug trafficking proceeds, may move vast sums of money between accounts of a financial institution, in order to obfuscate the origins of the funds. Such transactions may appear normal individually, but constitute suspicious behavior when looked at in aggregate. Anomaly detection can help detect these cases.
When it comes to financial transactions, individuals generally behave consistently over time. One can construct a profile of what “normal” behavior is for a particular individual. Substantial deviation from this pattern, uncovered by behavioral analysis, could indicate something is amiss. For instance, this account could have been taken over by a criminal, who then uses the account for money laundering activities.
Anomaly detection methods are a starting point for AML transaction monitoring and risk detection. Depending on the risk profile of the customer, the organization can tune the sensitivity of the detection method appropriately.
IQR – Interquartile Range
IQR is one way to define the boundaries of “normal” behavior for behavioral analysis. The IdentityMind platform evaluates users’ movement of money (peer-to-peer transfers, deposits, withdrawals, remittances) at varying frequencies through a network of accounts. Using IQRs of several behavioral metrics, we can establish baseline activity for the majority of users: how often they transact, how much money passes through their accounts, where their money goes, who they transact with, etc.
Baselines indicate what is expected behavior, and so make it easy to detect anomalies that fall beyond the IQR. There has been specific research on using IQR as an effective methodology for autoregressive-based outlier detection, and its applicability in AML transaction monitoring.
IQR can be visualized in box plots, where outliers are easily identified for further investigation. Additionally, it can be utilized in a real-time monitoring system, where alerts are triggered when a record falls outside of the IQR.
Figure: Horizontal box plots of a behavioral metric for 3 users (names sanitized). The box plots encompass a year’s worth of historical data for each user. The boxes illustrate the IQR while the whiskers that extend from the left and right of the boxes represent the threshold (with respect to IQR) for outliers. If a value falls within the range of the box and whiskers, it is not an outlier (green). If a value lands outside the range, it is an outlier and can be isolated for further investigation or action (orange).
IQR in the IdentityMind Platform
Rules to highlight users’ anomalous behaviors (that is, the outliers) are available within our AML policies. An alert based on these IQR rules can, in conjunction with other alerts, generate a context-rich alert for compliance officers, aiding their understanding of the user’s behavior.
The IQR looks at the aggregated volume of transactions over a period of time and establishes a maximum and a minimum based on a deviation from the interquartile values. Values above the maximum and below the minimum can be set to trigger alerts.
In the IdentityMind platform, the period of time and the deviation to measure minimums and maximums are configurable, along with the standard severity of the alert. For example, a strong deviation may trigger a critical alert while a minor deviation can be informational.
In the above configuration, the IQR is calculated based on a four-month period and the maximum and minimum boundaries are based on a deviation of 1.5. So any aggregated transfer value in a given month that is over the IQR value plus a 50% deviation will trigger an alert with a severity of Warning.
- The alert configuration is broken apart by the transfer activity. The IdentityMind platform can model transfers of money into the organization’s system (e.g. deposits — ‘transfer in’), out of the organization’s system (e.g. withdrawal, transfers from a digital wallet into a bank account — ‘transfer out’), and by the sender or receiver of the transfer.
- Each type of alert can have different conditions with different severities.
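The boundary calculation and per-activity alert rules described above can be sketched as follows. This is an added example, not IdentityMind's code: it assumes the minimum and maximum are the standard Tukey fences (Q1 − k·IQR and Q3 + k·IQR), uses Python's inclusive quartile method, and adds a hypothetical 3.0 "Critical" tier alongside the 1.5 "Warning" rule from the article.

```python
from statistics import quantiles

# Per-activity rules, strongest deviation first. The 1.5 -> "Warning" pair and
# the four-period window come from the article; every other value is assumed.
RULES = {
    "transfer_in":  [(3.0, "Critical"), (1.5, "Warning")],
    "transfer_out": [(3.0, "Critical"), (1.5, "Warning")],
}
WINDOW = 4

def fences(baseline, deviation):
    """(minimum, maximum) as Tukey fences: Q1 - k*IQR and Q3 + k*IQR."""
    q1, _, q3 = quantiles(baseline, n=4, method="inclusive")
    spread = deviation * (q3 - q1)
    return q1 - spread, q3 + spread

def evaluate(history, current, rules, window=WINDOW):
    """Return the first (strongest) rule the current aggregate violates."""
    baseline = history[-window:]
    if len(baseline) < window:
        return None  # too little history to call anything an outlier
    for deviation, severity in rules:
        low, high = fences(baseline, deviation)
        if not low <= current <= high:
            return {"severity": severity, "value": current, "min": low, "max": high}
    return None

def daily_run(users):
    """users: {user: {activity: (history, current)}} -> list of alerts."""
    alerts = []
    for user, activities in users.items():
        for activity, (history, current) in activities.items():
            hit = evaluate(history, current, RULES[activity])
            if hit:
                alerts.append({"user": user, "activity": activity, **hit})
    return alerts

# Constructed sample data: monthly aggregate totals per user and activity.
SAMPLE = {
    "user_a": {"transfer_out": ([1200, 1500, 1100, 1400], 1600),
               "transfer_in":  ([900, 950, 1000, 1050], 980)},
    "user_b": {"transfer_out": ([1200, 1500, 1100, 1400], 2000)},
    "user_c": {"transfer_out": ([1200, 1500, 1100, 1400], 2500)},
    "user_d": {"transfer_out": ([700, 800], 5000)},
}

if __name__ == "__main__":
    for alert in daily_run(SAMPLE):
        print(alert)
```

A user whose baseline values are all identical has an IQR of zero, so both fences collapse onto that value and any change at all raises an alert; a user with too little history (user_d) produces none, which is why such rules are combined with other checks.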
IQR calculations are performed once a day for every user, and alerts are generated if and when the rules are triggered. The IQR alerts are displayed in the ‘user with alerts’ interface, alongside any other alerts associated with that user.
The interface provides further analysis capabilities for detailed investigation by showing the details of the transaction which generated the alert.
Additionally, it presents the aggregated transaction values in a simple table broken down by type, with the IQR values and limits, highlighting violations based on the configured settings.
Prioritizing with IQR
IQR can be utilized to inform the priority in which analysts review all alerts. The IdentityMind platform assigns a score to every user based on changes in their behavior, whether it triggers an IQR alert, or another anomaly detection rule. In this way, users that are presenting other types of alerts (non-IQR) can be processed together, with the IQR severity helping to prioritize analysts’ work.
Beyond the Spreadsheet
A very basic implementation of IQR can be achieved through off-the-shelf spreadsheet products (e.g. MS Excel, Apple Numbers) and using their version of the “quartile”. However, the applicability of spreadsheets for transaction monitoring is very limited.
In particular, limitations in scope and scale pose problems down the line when scrutinized by auditors and regulators. Scale tends to be one of the first challenges spreadsheets struggle with: the IdentityMind platform handles millions of transactions on a daily basis and can compute more granular data quanta than a spreadsheet.
Establishing true baselines and outlier behaviors requires a large range of data analysis. The more data is analyzed, the more accurate the results are, and the easier it becomes to compare across clusters of behaviors, making the outlier calculations more cost-effective.
Coming Soon: Improving IQR
As we have mentioned before, the use of IQR is important to highlight outlier behavior, but not every outlier behavior is risky. The IdentityMind platform enhances the use of IQR by also looking at peer behavior, business dynamics, and the risk factors of the digital identity itself.
- Peer Behavior. There are certain characteristics that may be indicative of types of behaviors that are shared by many users and are therefore not necessarily considered risky. For example, users that transfer money overseas tend to send more money on holidays, so looking at other users in the same regions (e.g. corridors) may indicate that it is a behavior shared by other users.
- Business Dynamics. It is normal for many organizations to offer levels for their users. For example, a ‘silver’ user may be able to transfer up to a certain amount of dollars, but a ‘gold’ user may be able to transfer double that. While transitioning from silver to gold, a user is expected to behave differently and therefore should not be considered as an outlier. Being able to inform IQR with these dynamics is important to remove false positives.
- Digital Identities. A unique feature of the IdentityMind platform is its representation of users as digital identities. The eDNA associated with every digital identity has an identity graph representation that depicts the individual user and how it interacts with other digital identities. There is a direct correlation between the complexity of the graph and the risk of a transaction. Looking at identity graphs with similar constructs can indicate whether the outlier behavior is normal for such identity graphs.
Conclusion: Regulators, Results, and Transparency
The use of big data analytics, artificial intelligence, machine learning and other analytics is becoming more prevalent. Regulators are getting acquainted with these technologies and their results. While no fully automated system will be blindly accepted by regulators in the foreseeable future, these technologies are starting to prove indispensable to lowering the operational cost of anti-money laundering compliance. Therefore, the key is transparency. How well can you demonstrate that the alerts generated by this type of analysis make sense?
The visibility of the IdentityMind platform is fundamental to show examiners that the data clearly indicates anomalous behaviors. The IQR table can clearly indicate outlier behavior. The use of the IQR severity score can help build a story about the implementation of a risk-based approach. The clarity of the AML rules and how these are applied to the different functions of movement of money allows for discrimination and separation of offenders.
The IQR implementation within the IdentityMind platform is a comprehensive and cost-effective operational tool for achieving AML compliance.