Financial crime event triage: Using the power of contextual analytics

Corey M. Cardine; Charlotte Pople, CAMS; and Haibo Zhang, Ph.D., CAMS
8/11/2020

Financial institutions face increasingly complex financial crime threats, dramatically higher operating costs, and greater regulatory expectations. This combination of factors is driving a need for contextual analytics, which can help transform financial crime programs by helping them become more effective and efficient and, ultimately, provide law enforcement with better information.

The benefits of contextual analytics

Contextual analytics applies advanced analytic techniques, including machine learning and artificial intelligence, to both internal and external data to bring context to events happening within financial institutions. That context makes true financial crime traces readily discernible.

Contextual analytics is a data-driven, systematic study of the internal and external circumstances that surround the focal entity of an event, such as a transaction monitoring (TM) event. It takes advantage of big data, machine learning, contextual scoring, predictive modeling, network scenarios, network analysis and visualization, entity resolution, and natural language processing to provide more insight into the activity occurring across a financial institution’s network.

Currently, transaction monitoring systems (TMS) generate an excessive amount of noise, or alerts that are explainable and do not warrant human investigation. By treating all activity generated by a TMS as an event and continuously reevaluating these events as part of a triage process rather than moving directly to alert and, therefore, investigation, financial institutions can shift to a truly risk-based event assessment process. 

Event triage process

Initially in a risk-based assessment, all events are put into a hibernated state where they will be continually evaluated. The evaluation focuses on the relative likelihood that any new event, within the context of all historical related internal and external events, represents normal behavior for the entity. This triage is performed daily and involves a three-step process:

  • Step one. Hibernation puts an event into a holding state for continual reevaluation as new context arrives. The event is not suppressed; it is only auto-closed once its usefulness expires.
  • Step two. Expiration is the application of analytical context to determine when an individual hibernated event has reached the end of its usefulness for evaluating new events. Expired events are automatically escalated to alerts and follow an auto-closure process that feeds back into the overall triage process.
  • Step three. Escalation is the application of analytical context rules and scoring, calibrated to the financial institution’s risk appetite for the event, to determine whether the probability that an event represents normal behavior falls outside that predefined risk appetite. Context is based on the evaluation of available internal historical and external information related to the focal entity. All related events are escalated as alerts, together with the enriched context for the entity, and grouped into a single case for further investigation.

 

Event triage can help eliminate noise from a typical transaction monitoring life cycle. As demonstrated in the exhibit, event triage fits between transaction monitoring and the case management system. The differentiation between event, alert, and case then becomes important.

  • Event. An event is the output of any internal or external activity in the anti-financial crime life cycle, such as a know your customer (KYC), customer due diligence, enhanced due diligence, or other data change, a transaction monitoring scenario trigger, adverse media, a politically exposed persons or sanctions hit, or a network relationship change.
  • Alert. An alert is an event that breaks critical escalation rules or has a context score that exceeds a predefined risk threshold. The alert requires human review and investigation to determine suspicion.
  • Case. A case is a container for alert investigation workflow, adjudication documentation, and regulatory reporting. Results provide feedback used to optimize the financial crime detection process.

The exhibit demonstrates how each part of the transaction monitoring life cycle flows from one step to the next. It also shows how event triage functions within that life cycle and how it interacts with alert and case preparation.

Exhibit: Event triage within the transaction monitoring life cycle
Source: Crowe analysis

Implementing contextual analytics

An event triage (ET) solution is a system-agnostic, cloud-based solution that can integrate quickly into a financial institution’s TM life cycle and provide a platform for continuous noise reduction. Prior to implementation, simulations can be run on historical data to demonstrate the efficiency gains of event triage. A microservices-based architecture allows the underlying contextual analytics to be improved continuously and deployed through the ET solution.

Escalation of hibernated events to alerts and cases for investigation at the appropriate time based on new context is the most critical function of event triage. Escalation can be executed through a variety of control methods including but not limited to:

  • Rules. Rules ranging from simple if-then logic to rules driven by complex analytical context models can escalate hibernated events for investigation at the correct, risk-based time.
  • Scoring model. Predictive models that estimate the probability that an event represents normal behavior can be compared against risk-based thresholds.
  • Change in behavior. A deeper analysis than traditional TMS change in behavior (CIB) rules provide, measuring the degree of change relative to an entity’s own previous behavior, its peers, and its nearest neighbors, can help differentiate normal from abnormal behavior for that entity.
  • Network analysis. Understanding the relationships between entities can expose how a bad actor in a network is using other entities and the institution’s financial networks.
  • Alert scoring and case routing. Once events are escalated to alerts and cases, models can be used to evaluate the probability of suspicion and identify which typologies (known and unknown) are involved, for prioritization and routing to the most appropriate investigation teams.

An effective event triage solution uses all the escalation methods discussed above and is configured to align to an organization’s risk appetite.

Risk mitigation

In effect, event triage automates the manual process of a level one reviewer. Therefore, to mitigate risk, it needs to encompass all the processes included within the policies and procedures set forth by the financial institution. Event triage can include escalating an event regardless of how normal it appears if, for example, one or more of the following exist:

  • External adverse media on the entity
  • A new internal manually created case on the entity
  • A previous suspicious activity report filed in a predefined time period
  • No previous investigation on that entity in a predetermined amount of time

Additionally, the performance of the triage model should be reviewed continually through evidence-based documentation, sampling (automatic escalation of random events for investigation), and extensive review of key performance indicators. Such review can confirm that escalation is appropriate throughout the triage process. Any hibernated event later found to have warranted escalation should be reviewed thoroughly so that the finding is fed back into the triage model.
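The three-step triage process, the rule- and score-based escalation methods, the hard override rules, and the random-sample escalation just described fit together as one daily loop. The following is an added example written for this page; it is not Crowe’s ET solution or any product code. Everything not stated in the article is an assumption: the context score is the z-score of an event amount against the focal entity’s own history (a crude stand-in for the change-in-behavior model), and every threshold, window, field name, and sample event is constructed for illustration.

```python
"""Added example (not Crowe's ET solution): one daily run of event triage -
hibernate, expire, escalate - with escalation by hard policy rule, by context
score, or by random sample for model review. All parameters and data are assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from random import Random
from statistics import mean, pstdev


@dataclass
class Event:
    event_id: str
    entity: str                 # focal entity that triggered the event
    day: date
    amount: float
    state: str = "hibernated"   # hibernated -> alert, or hibernated -> auto_closed
    score: float = 0.0
    reason: str = ""


@dataclass
class EntityContext:
    history: list = field(default_factory=list)   # prior amounts (internal context)
    last_investigated: date = None
    last_sar: date = None
    adverse_media: bool = False                   # external context
    open_manual_case: bool = False


@dataclass
class TriageConfig:
    risk_threshold: float = 3.0          # assumed: z-score above which behaviour is "not normal"
    expiry_days: int = 90                # assumed: usefulness window of a hibernated event
    sar_lookback_days: int = 365
    stale_investigation_days: int = 730
    sample_rate: float = 0.0             # share of otherwise-normal events escalated as samples


def context_score(ev: Event, ctx: EntityContext) -> float:
    """Change-in-behaviour score: how far the amount sits from the entity's own history."""
    if len(ctx.history) < 5:
        return 0.0                       # too little history to call anything abnormal
    sd = pstdev(ctx.history)
    if sd == 0:
        return 0.0 if ev.amount == ctx.history[0] else float("inf")
    return (ev.amount - mean(ctx.history)) / sd


def override_reason(ev: Event, ctx: EntityContext, cfg: TriageConfig):
    """Policy rules that escalate regardless of how normal the event looks."""
    if ctx.adverse_media:
        return "external adverse media on entity"
    if ctx.open_manual_case:
        return "new manual case on entity"
    if ctx.last_sar and (ev.day - ctx.last_sar).days <= cfg.sar_lookback_days:
        return "SAR filed within lookback period"
    if ctx.last_investigated is None or \
            (ev.day - ctx.last_investigated).days > cfg.stale_investigation_days:
        return "no investigation on entity within review window"
    return None


def triage_day(today: date, hibernated: list, contexts: dict, cfg: TriageConfig, rng=None):
    """One daily triage run. Returns (cases, auto_closed, still_hibernated); cases maps
    entity -> every live event of that entity, escalated together as a single case."""
    rng = rng or Random(0)
    cases, closed, keep, live, triggered = {}, [], [], [], set()
    for ev in hibernated:
        if (today - ev.day).days > cfg.expiry_days:        # step 2: expiration
            ev.state, ev.reason = "auto_closed", "expired"
            closed.append(ev)
            continue
        ctx = contexts[ev.entity]
        ev.score = context_score(ev, ctx)
        reason = override_reason(ev, ctx, cfg)
        if reason is None and ev.score > cfg.risk_threshold:
            reason = f"context score {ev.score:.1f} exceeds {cfg.risk_threshold}"
        if reason is None and rng.random() < cfg.sample_rate:
            reason = "random sample for model review"
        if reason:
            ev.reason = reason
            triggered.add(ev.entity)
        live.append(ev)
    for ev in live:
        if ev.entity in triggered:                          # step 3: escalation, one case per entity
            ev.state = "alert"
            ev.reason = ev.reason or "related event of escalated entity"
            cases.setdefault(ev.entity, []).append(ev)
        else:
            keep.append(ev)                                 # step 1: stays hibernated
    return cases, closed, keep


def demo():
    """Constructed sample: three entities, five events, run on the article's date."""
    today = date(2020, 8, 11)
    def d(n): return today - timedelta(days=n)
    normal = [100, 120, 95, 110, 105, 115]
    contexts = {
        "C1": EntityContext(history=normal, last_investigated=d(100)),
        "C2": EntityContext(history=normal, last_investigated=d(100)),
        "C3": EntityContext(history=[500, 520, 495, 510, 505, 515],
                            last_investigated=d(100), adverse_media=True),
    }
    events = [
        Event("e1", "C1", d(1), 108.0),     # normal for C1: hibernates
        Event("e2", "C2", d(2), 115.0),     # normal, but C2 escalates on e3, so it joins the case
        Event("e3", "C2", d(1), 900.0),     # far outside C2's history: escalates on score
        Event("e4", "C3", d(3), 505.0),     # normal amount, but adverse media override fires
        Event("e5", "C1", d(120), 110.0),   # older than the expiry window: auto-closed
    ]
    return triage_day(today, events, contexts, TriageConfig())
```

In the sample run, e3 escalates on score and drags the otherwise-normal e2 for the same entity into one case, e4 escalates purely on the adverse-media override, e5 is auto-closed as expired, and e1 stays hibernated for tomorrow’s run. Setting `sample_rate` above zero makes the loop also escalate a random share of normal events, which is the sampling control the text recommends for reviewing the model; in production the score would come from the institution’s trained context model rather than a single-feature z-score.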

Migrating to an event-triage approach

Event triage can bring immediate and continuous reduction of noise to traditional transaction monitoring systems. However, in addition to noise in TM, the entire financial crime detection process generates false positives in name screening and KYC reviews. By treating all activity generated as an event and continually evaluating all events as part of a triage process, financial institutions can migrate to a risk-based, event-driven, holistic anti-financial crime program.

Glossary

  • Alert: An event that breaks critical escalation rules or has a context score exceeding a predefined risk threshold and requires human review and investigation to determine suspicion
  • Analytical context: The data-driven systematic study of the internal or external circumstances or facts that surround events using big data, machine learning, contextual scoring, predictive modeling, network scenarios, analysis and visualization, entity resolution, and natural language processing
  • Anti-financial crime life cycle: The systems, controls, and processes to prevent, detect, and deter financial crime
  • Case: A container for alert investigation workflow, adjudication documentation, and regulatory reporting, the results of which provide feedback used to optimize the financial crime detection process
  • Event: The output of any internal or external activity in the anti-financial crime life cycle
  • Focal entity: The entity (customer or customer’s customer) that triggers an event, regardless of source
  • Network scenarios: Financial crime typologies built on top of network analytics
  • Network visualization: Rendering output of network analytics in a way that aids data scientists and investigators in the navigation of underlying data based on time and relationships
  • Typologies: The various techniques used to launder money or finance terrorism
