Anomaly detection should be standard procedure in your AML framework

April 26, 2022 General


Anomaly detection is the task of detecting instances that differ significantly from the rest of the group they belong to. Humans are usually very efficient at spotting anomalies visually or acoustically, such as a differently colored sheep in a flock or a misplaced note in a melody, but they can have a very hard time doing the same with tabular data. While it may still be feasible when the dataset is small enough to be manually inspected, it becomes increasingly difficult for larger collections of data.

Financial crime detection is one such example, where vast amounts of (transactional) data are processed in order to detect criminal behavior. Traditionally, the industry uses business rules to detect possible forms of known criminal behavior. Since business rules are a catch-all solution, they often also produce a lot of false positives, which need to be checked manually to confirm whether they involve illegal conduct. With the advance of machine learning models the detection possibilities become more complex; however, the danger of tunnel vision remains. In this blog we will explore a different type of financial crime detection that should help to deal with this.

Drawbacks of supervised machine learning

Even though models to detect criminal financial behavior are becoming more advanced and more innovative, criminals are also innovative and always adapting to circumstances. Despite the increase in complexity and all the technological benefits of machine learning techniques, these models are often supervised models and thus still bound by the conventional interpretation of financial crime. Although this works well to detect the existing forms of criminal behavior, it is incomplete and leaves the institution prone to missing new developments. Supervised machine learning models, by definition, make use of historic labels to learn to recognize financial crime. These historic labels are often generated by the institution's existing business-rule framework, a framework that was designed to catch known patterns of criminal behavior. But what about the unknown patterns of criminal behavior?

Added value of anomaly detection

This is where anomaly detection makes its way into the conversation. Anomaly detection refers to unsupervised models which aim to detect unusual behavior, or anomalies. Anomaly detection models come in many shapes and forms and usually involve some sort of clustering. Typically, an anomaly detection model starts by defining some computable quantity that expresses how different a given data point is from the underlying dataset.

With respect to transaction monitoring, anomaly detection can help find unknown patterns of criminal behavior. Because it involves unsupervised techniques, it does not require any labels for training and will infer from the input data. This input data can be structured to fit any purpose. In order to find anomalous cash or cross-border transactional behavior, the input data would consist of features related to those topics. From the large amounts of transactional features the model would infer what normal cash or cross-border behavior looks like. Subsequently, the algorithm will detect all behavior that does not match this normal behavior, and assign an anomaly score based on how different the observation is compared to the underlying dataset. These anomalies require manual inspection to determine whether the anomalous behavior is also criminal, or whether it can be reasonably explained. Where it does pertain to criminal behavior, it should be investigated whether this is a known pattern or potentially a new form of financial crime.

Combination is key

In order to improve the quality of alerts and to prevent an overload of manual labor, unsupervised models can also be combined with specific agent models. These agent models identify behavior that is anomalous but normal, such as buying a house, and suppress any alerts which can be linked to such known anomalous behavior. This would filter out cases of known anomalous behavior and only leave the cases of unknown anomalous behavior. For these types of agent models, it is important that they identify cases of earlier anomalous behavior that was analysed and deemed legitimate. It is not the goal to identify suspicious behavior in itself. In time, this should produce a higher quality of alerts.
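
The scoring and suppression steps described above, as an added example that is not RiskQuest's code: each customer gets a per-feature deviation from the behavior inferred from the data, and an alert is suppressed only when every outlying feature has a previously reviewed legitimate explanation. The customers, feature names and threshold are constructed, a median/MAD robust z-score stands in for a clustering model, and the `EXPLAINED` mapping is a hypothetical stand-in for the output of an agent model.

```python
from statistics import median

# Constructed sample: monthly features per customer (not real data).
CUSTOMERS = {
    "C01": {"cash_in": 400, "xborder_tx": 1, "max_transfer": 1200},
    "C02": {"cash_in": 550, "xborder_tx": 0, "max_transfer": 900},
    "C03": {"cash_in": 300, "xborder_tx": 2, "max_transfer": 1500},
    "C04": {"cash_in": 480, "xborder_tx": 1, "max_transfer": 1100},
    "C05": {"cash_in": 620, "xborder_tx": 0, "max_transfer": 1300},
    "C06": {"cash_in": 510, "xborder_tx": 1, "max_transfer": 250000},   # house purchase
    "C07": {"cash_in": 9800, "xborder_tx": 14, "max_transfer": 1400},   # unexplained
    "C08": {"cash_in": 7200, "xborder_tx": 1, "max_transfer": 310000},  # house + cash
}
# Hypothetical agent-model output: features already explained by an event
# that analysts previously reviewed and deemed legitimate.
EXPLAINED = {"C06": {"max_transfer"}, "C08": {"max_transfer"}}
THRESHOLD = 5.0  # assumed cut-off on the robust z-score

def robust_z(values):
    """Deviation from the median in units of scaled MAD (outlier-resistant)."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid divide-by-zero
    return [abs(v - med) / (1.4826 * mad) for v in values]

def score(customers):
    """Return {customer: {feature: robust z}}, inferred from the data itself."""
    ids = list(customers)
    out = {cid: {} for cid in ids}
    for feat in next(iter(customers.values())):
        for cid, z in zip(ids, robust_z([customers[c][feat] for c in ids])):
            out[cid][feat] = z
    return out

def alerts(customers, explained, threshold=THRESHOLD):
    """Anomaly score = largest feature deviation. An alert is suppressed only
    when every outlying feature is covered by a known legitimate explanation."""
    result = {}
    for cid, zs in score(customers).items():
        outlying = {f for f, z in zs.items() if z > threshold}
        if outlying - explained.get(cid, set()):
            result[cid] = (round(max(zs.values()), 1), sorted(outlying))
    return result

if __name__ == "__main__":
    for cid, (s, feats) in alerts(CUSTOMERS, EXPLAINED).items():
        print(cid, s, feats)
```

C08 stays alerted even though its large transfer is explained, because the explanation does not cover its cash deposits; suppressing per customer rather than per feature would have hidden it.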

At RiskQuest, we see anomaly detection models as excellent tools to spot unusual customer activity in a high-dimensional feature space (i.e., using and combining features in many different topics), complementing and supporting the business rule approaches and supervised ML models. Even though it is not directly a risk mitigant, it is an essential complementary tool in any financial crime detection framework to prevent tunnelling in on known patterns of financial crime.