Implementing contextual analytics
An event triage (ET) solution is a system-agnostic, cloud-based solution that can quickly integrate into a financial institution’s transaction monitoring (TM) life cycle to provide a platform for continuous reduction of noise. Prior to implementation, simulations can be conducted on historical data to demonstrate the efficiency of event triage. The microservices-based architecture allows for continuous improvements to the underlying contextual analytics that can be implemented using the ET solution.
Escalation of hibernated events to alerts and cases for investigation at the appropriate time based on new context is the most critical function of event triage. Escalation can be executed through a variety of control methods including but not limited to:
- Rules. Using rules with simple if-then logic as well as rules with underlying complex analytical context model input can support the escalation of hibernated events at the correct risk-based time for investigation.
- Scoring model. Predictive models that estimate the probability that an event represents good behavior can be compared to risk-based thresholds.
- Change in behavior. A deep analysis (compared to traditional TMS change in behavior (CIB) rules) of the degree to which an entity’s behavior has changed compared to its previous behavior, peers, and nearest neighbors can help differentiate normal from abnormal behavior for an entity.
- Network analysis. Understanding the relationship between entities can expose how a bad actor in a network is using other entities and the institution’s financial networks.
- Alert scoring and case routing. Once events are escalated to alerts and cases, models can be used to evaluate the probability of suspicion and determine what type of typologies (known and unknown) are being used for prioritization and routing to the most appropriate investigation teams.
An effective event triage solution uses all the escalation methods discussed above and is configured to align to an organization’s risk appetite.
Risk mitigation
In effect, event triage automates the manual process of a level one reviewer. Therefore, to mitigate risk, it needs to encompass all the processes included within the policies and procedures set forth by the financial institution. Event triage can include escalating an event regardless of how normal it appears if, for example, one or more of the following exist:
- External adverse media on the entity
- A new internal manually created case on the entity
- A previous suspicious activity report filed in a predefined time period
- No previous investigation on that entity in a predetermined amount of time
Additionally, the performance of the triage model should be continually reviewed through evidence-based documentation, sampling (automatic escalation of random events for investigation), and extensive review of key performance indicators. Such review can confirm the appropriate escalation throughout the triage process. Any hibernated events that should have been escalated should be thoroughly reviewed to provide feedback to the triage model.
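The mandatory-escalation checks and random sampling described above, combined with a score threshold, as an added example that is not part of the original article or any vendor's product. The field names, threshold, look-back windows and sample rate are assumptions, as is treating a never-investigated entity as overdue for review.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values; a real deployment takes these from the
# institution's policies, procedures and risk appetite.
SAR_LOOKBACK = timedelta(days=365)     # "predefined time period" for prior SARs
MAX_UNREVIEWED = timedelta(days=730)   # "predetermined amount of time" without review
GOOD_THRESHOLD = 0.95                  # minimum P(good behavior) to hibernate
SAMPLE_RATE = 0.02                     # share of hibernated events sampled for QA


@dataclass
class EntityContext:                   # hypothetical context record for one entity
    adverse_media: bool
    new_manual_case: bool
    last_sar_filed: Optional[date]
    last_investigation: Optional[date]


def triage(p_good: float, ctx: EntityContext, today: date, rng):
    """Return (decision, reasons). The reasons list is the audit evidence."""
    reasons = []
    # Overrides: escalate regardless of how normal the event looks.
    if ctx.adverse_media:
        reasons.append("adverse_media")
    if ctx.new_manual_case:
        reasons.append("new_manual_case")
    if ctx.last_sar_filed and today - ctx.last_sar_filed <= SAR_LOOKBACK:
        reasons.append("recent_sar")
    # Assumption: an entity that was never investigated counts as overdue.
    if (ctx.last_investigation is None
            or today - ctx.last_investigation > MAX_UNREVIEWED):
        reasons.append("review_overdue")
    # Scoring model compared to the risk-based threshold.
    if p_good < GOOD_THRESHOLD:
        reasons.append("score_below_threshold")
    # Sampling: a random slice of would-be hibernated events is escalated
    # anyway so reviewers can measure what the model would have missed.
    if not reasons and rng.random() < SAMPLE_RATE:
        reasons.append("random_sample")
    return ("escalate" if reasons else "hibernate", reasons)
```

Pass `random.Random()` as `rng` in normal use; the outcome of each sampled event's investigation is the feedback signal for the triage model.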
Migrating to an event-triage approach
Event triage can bring immediate and continuous reduction of noise to traditional transaction monitoring systems. However, in addition to noise in TM, the entire financial crime detection process generates false positives in name screening and KYC reviews. By treating all activity generated as an event and continually evaluating all events as part of a triage process, financial institutions can migrate to a risk-based, event-driven, holistic anti-financial crime program.