Apply Data Visualization Technology for Fraud Analysis

  • 8/8/2019 Apply Data Visualization Technology for Fraud Analysis

    COPYRIGHT 2010 CENTRIFUGE SYSTEMS, INC. ALL RIGHTS RESERVED - PROPRIETARY

    WWW.CENTRIFUGESYSTEMS.COM 571-830-1300
    TO LEARN MORE ABOUT CENTRIFUGE SYSTEMS, VISIT CENTRIFUGESYSTEMS.COM OR CALL 571-830-1300

    Data Visualization Techniques for Fraud Analysis

    A White Paper by Centrifuge Systems, Inc.

    The Freedom to Explore

    About Centrifuge

    Centrifuge Systems is a leading provider of data visualization software that helps organizations discover insights, patterns and relationships hidden in their data. The unique Centrifuge approach allows users to ask open ended questions of their data by interacting with visual representations of the data directly.

    Traditional solutions require users to define what they want to see in advance and present the results in static dashboards. With Centrifuge, users determine what is of interest on the fly, then manipulate the displays directly in a highly interactive fashion. The experience is refreshingly easy-to-use and the resulting insights can be extraordinary.

    Centrifuge is used in some of the most demanding applications in the world, including counter-terrorism homeland defense, to help analysts identify hidden meaning in their data and communicate those results to other team members.

    Notices

    Centrifuge Systems, Inc. makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Centrifuge Systems shall not be liable for errors contained herein or for incidental, consequential, or other indirect damages in connection with the furnishing, performance or use of this material.

    Executive Summary
    Introduction
    The Fraud Management Process
    Investigative Analytics
    Techniques for Fraud Analysis
        Phase 1: Data Preparation and Data Connectivity
        Phase 2: Initial Data Analysis
        Phase 3: Advanced Analysis & Identity Visualization
        Phase 4: Annotation, Collaboration & Presentation
    Conclusion

    Executive Summary

    Today more than ever, fraud investigators are faced with unprecedented challenges as they attempt to accurately identify fraud and money laundering activity. Investigators are asked to operate in shrinking windows of time, while the volume and velocity of data pouring in grows exponentially. Over the past few years, most of the innovation in analytics has been in the area of automated information analysis. These techniques remove the analyst from the equation and attempt to reveal all relevant insights automatically. We have found that in most investigative processes, the single most important component is human judgment. So the question is: "Where is the analyst-centric innovation?"

    One approach that has proven highly effective in this environment is called Investigative Analytics. Investigative Analytics is a human-focused approach to analyzing large amounts of data. It is based on the three modern innovations in analysis: interactive data visualization, unified data views and collaborative analysis. Through Investigative Analytics, an investigator can take control of the process while applying her training, experience and judgment to discover hidden relationships and insights across data. With this approach, the analyst's brain serves as the ultimate pattern recognition machine and the technology opens up the potential for unconstrained analytical power. When an investigator detects something relevant, inferences are drawn almost immediately. Suspicious relationships are investigated and confirmed. The result is accurate identification, an essential by-product of the investigation which positively impacts detection, reporting and issue resolution.

    Existing investigative analysis products on the market fall short in four key areas:

    + Too hard to use

    + Too static (lack interactivity)

    + Too disconnected

    + Too isolated (lack collaboration)

    Next generation products must address these shortcomings and allow investigators to rapidly assimilate important facts, detect hidden relationships, socialize results with others and act on knowledge uncovered during this process. The need for this technology has never been greater than it is today. This paper explores this subject in depth while also providing a recipe for performing investigative analytics. At a time when the reputation of financial institutions is at stake and regulatory compliance standards are dramatically increasing, effective next generation approaches could not be more relevant.

    This paper is divided into three sections. In section 1, we define the Fraud Management Process. Section 2 summarizes the three key components of the Fraud Identification phase of the process. Section 3 is dedicated to the techniques used to identify fraud.

    Introduction

    If you have ever visited the FBI's web site (www.fbi.gov) and clicked on "What We Investigate", you will notice at least ten different types of fraud, from telemarketing to mortgage to insurance and others. You will see cyber crimes, network intrusion, identity theft and other criminal activities listed. Diving deeper, you will notice that each type of fraud has different schemes (market manipulation fraud, foreign currency fraud, internet pharmacy fraud and hundreds of others). Each scheme is quite elaborate; some have been around for over 100 years and others have become prevalent in the last 100 days.

    Fraud is common. The schemes change rapidly, often to throw investigators off the scent while more elaborate schemes are put in place. As internet usage has exploded, consumers have become comfortable with e-commerce transactions and people have flocked to social networking sites, a fertile breeding ground for fraud, identity theft, money laundering and cyber crime. Fraudsters like to remain anonymous and what better way to do that than through the World Wide Web? Let's examine some interesting facts:

    + The FBI reports losses totaling $40 billion for securities and commodities fraud in 2006. [1]

    + The number of mortgage fraud Suspicious Activity Reports (SARs) filed with the FBI rose from 5,600 in 2002 to over 37,000 in 2006. [2]

    + According to the Centers for Medicare & Medicaid Services, national healthcare expenditures topped $1.3 trillion in 2000. Although the exact amount of healthcare fraud is difficult to determine, estimates range from three to ten percent, thus translating into staggering amounts of money lost to fraud. [3]

    + Large international banks have recently been fined $65 million for latent filing of SARs, $80 million for not meeting regulatory requirements to prevent money laundering and $32 million for the same reason. In some cases, regulatory agencies have cited a lack of financial intelligence as part of the reason for the fines.

    + Recently, 41 million credit card and debit card numbers were stolen through cyber breaches at retailers as hackers sat in vans outside major retail establishments and hacked into servers which were supposedly secure.

    This is a massive problem that only seems to be getting worse.

    What is the Challenge?

    Fraud and money laundering pose real problems for investigators:

    NOT ENOUGH TIME

    Investigators are asked to do more with less in an attempt to accurately identify fraud before it is too late. But too often the crime has been committed, the perpetrators can't be found and the money is gone. Government regulations also create a need for investigators to identify and report problems quickly.

    EXISTING TECHNOLOGY IS LIMITED

    Not only are current tools difficult to use, they often limit the breadth of the investigation by constraining the analysis to a pre-determined set of data and operations. To effectively leverage an investigator's expertise, next generation solutions need to allow investigators to operate at the speed of the human brain and pursue lines of inquiry on the fly.

    NOT ENOUGH COLLABORATION

    Investigative analysis is a lonely function in most organizations. Even in some of the most well known financial institutions, business lines and investigative groups assigned to those business lines are separate. With credit card transactions separate from ATM transactions and both separate from mortgage loans, it is very difficult to connect fraudulent activity across these systems.

    CAN'T SEE THE WHOLE PICTURE

    It is very difficult to identify fraud without comprehensive access to all relevant data. Typically, the data is spread out across transaction monitoring systems, account activity, customer profiles and historical silos. If investigators don't have a 360 degree view of what is going on, fraud can go completely undetected.

    The Fraud Management Process

    Let's look at the essential steps in the fraud management process to better understand where the process breaks down.

    Fraud management is typically divided into four stages:

    1) Detection

    2) Identification

    3) Regulatory Reporting

    4) Issue Resolution

    In a perfect world, the process would unfold as follows: The detection process includes all relevant transaction monitoring systems so that alerts from each line of business may be analyzed together. Automated rules are applied to detect suspicious activity. When conditions match these pre-existing rules, alerts fire off and notify fraud investigators that something suspicious is taking place. The investigators are then charged with investigating these cases that have been flagged. This is the key step. The investigator leverages all available data, and her own domain knowledge and expertise, to determine if this case does in fact represent fraudulent activity. If so, a report is filed. The criminal activity is then pursued in conjunction with federal and local authorities and resolved as quickly as possible. Ideally, accurate identification by the investigator is fully documented and meets regulatory requirements. Unfortunately, this perfect world doesn't exist.

    One could argue that the most critical step in this process is Step 2, identification. Better stated, the most critical step is accurate identification by the investigator. By improving this step, all of the other steps can be positively impacted. Let's analyze this in more detail. If the investigator can accurately identify fraud from thousands of alerts, she can provide a feedback loop into the alerting process to improve detection over time. As the investigator learns more, the rules get better and the job becomes more focused by virtue of the fact that accurate detection is in place. Similarly, accurate identification leads to accurate reporting which leads to more effective utilization of resources in the last step, issue resolution. All of this translates to less risk for the business on many levels. There is lower risk of non-compliance, lower risk of fines, less risk of negative publicity and more positive awareness that the business is managing risk in a manner consistent with consumer and organizational expectations.

    Accurate identification is the most critical step in the fraud management process. It can positively impact detection, reporting and resolution.

    Fraud Management Process

    Investigative Analysis using Data Visualization

    So, the identification phase is arguably the most important phase of the fraud management process. This phase encompasses real investigative analysis and has the potential to positively impact the other phases. It is also the weakest component of most existing analytical solutions. Let's summarize three emerging technologies that can significantly improve the investigative analysis effort.

    1. Interactive Data Visualization

    2. Unified Data Views

    3. Collaborative Analysis

    1. Interactive Data Visualization

    Data visualization is getting a lot of attention today. This is the use of visual metaphors to enhance our ability to detect patterns in data. Interactive Visualization takes this further and allows us to interact with the visualizations directly to ask follow up questions and pursue a line of inquiry. This has proven to be very effective at allowing investigators to navigate through, explore and understand massive amounts of data. We find that when we see something relevant, we draw inferences almost instantly, allowing the investigator to work at the speed of the human brain. This is very different from the static charts that most tools provide today. When used effectively, the resulting insights can be remarkable.

    2. Unified Data Views

    Accurate identification depends on having access to all relevant data pertaining to the investigation. Since important facts exist in disparate systems, the ability to access these data sources without extensive integration and programming efforts is critical. Internal data used in the investigation represents one important class of information. Increasingly, third party data, news wires, blog posts, network traffic, historical information and many other sources are equally important. Providing the investigator with the ability to easily reach out to these sources from within the investigative framework is extremely powerful. The absence of this capability often yields an incomplete investigation.

    A common complaint is that the investigator needs to go out to multiple tools to get a comprehensive view of the case. This can be tedious and highly disruptive to a particular line of reasoning. The ability to create unified views of the disparate data is a powerful paradigm for visual analysis. Unified views allow us to shift our lens. For example, we could move from a quantitative to a relational to a temporal view of the same data very quickly. This allows investigators to validate findings and eliminate false positives very quickly.

    3. Collaborative Analysis

    Business professionals have leveraged the power of collaboration technology to increase productivity and foster the exchange of ideas for quite some time. This needs to be applied to fraud and AML investigations. Since investigators are assigned cases, and many of these cases are interrelated, it stands to reason that if investigators can collaborate, notify each other of important findings and publish results for review, they can solve cases faster while also improving the accuracy of the identification process. The ability to document the results of the investigation for audit purposes is also very important, especially in the area of compliance and regulation. Knowing exactly what steps the investigator took in the analysis process to arrive at a conclusion is useful for audit purposes, training, and notifying other investigators who may have similar types of cases to solve.

    Automatically notifying others in the organization that results are available for review can dramatically speed up investigations, leading to shorter windows for criminal activity to occur. Saving the results of the analysis to document key findings in the investigation is very important. These analytic assets need to be protected, archived, retrieved when needed and used to meet compliance requirements.

    Investigative Analytics

    These three improvements comprise the pillars of Investigative Analytics. IA is a fraud analyst-centric approach to analyzing and understanding data in support of accurate identification. It is based on highly interactive visualizations that allow users to rapidly comprehend and act on large amounts of data. This remarkable approach empowers investigators to apply their domain knowledge and experience while exploring all relevant data in a particular case.

    Investigative Analytics holds great promise for quickly and effectively detecting potential fraud schemes. This approach allows the investigator to ask questions of the data (who, what, why, where and when) and explore relationships between individuals, banks, accounts, phone records, e-mail records or other relevant data regardless of where it resides.

    This approach is very different from other analytical techniques that are currently applied. Today, investigators are largely dependent on first generation business intelligence products which produce static dashboards that may describe the problem but don't allow the investigator to interact with the data in an unconstrained way. By way of example, cyber investigators focused on detecting network intrusion may have access to dashboards which reveal leading indicators of suspicious activity such as spikes in e-mail activity to specific IP addresses with attachments over a certain file size. These indicators suggest a potential malicious attack where the attacker is trying to establish a presence on a network server followed by the installation of some form of malware which could scrape credit card numbers. The problem is, the investigator needs much more than leading indicators of the historical attacks if they are to identify and thwart the new attacks. She also needs to leverage the collective domain knowledge of the team through rich collaboration.

    Statistical analysis (and predictive analytics) is another class of analytics which uses statistical techniques ranging from simple correlations to complex neural networks in an attempt to predict or forecast a specific outcome or behavior. For example, given the right amount of input data, an analyst could build a model to predict that mortgage fraud through inflated home appraisals is about to take place and the loss amount will exceed a specific dollar value.

    While these techniques can work successfully, they suffer from a number of inherent weaknesses and should be used in conjunction with Investigative Analytics. They require a deep understanding of statistical modeling and data transformations. Additionally, since models require historical data to accurately predict the future, the accuracy of the models depends on having sufficient data.

    The results of investigative analysis should be easy to understand, clear and concise and easily transferable to others involved in the case.

    Techniques for Fraud Analysis

    Four phases of fraud analysis are discussed below. They represent important phases when trying to identify fraud. Results from these phases are often integrated with case management technology, rules based systems to refine alerts and predictive analytics technology. Techniques presented below have been organized into these phases:

    1) Data Preparation & Data Connectivity

    2) Initial Data Analysis

    3) Advanced Analysis & Identity Visualization

    4) Annotation, Collaboration & Presentation.

    Phase 1: Data Preparation & Connectivity

    Data preparation and data connection are essential first steps in fraud analysis. When done properly, they provide a foundation for your analysis later. This phase provides a basic understanding of the data and allows the analyst to unify disparate sources of data. Fundamentally, these two processes streamline the analysis stages that follow. The primary components of this phase include:

    + Connect to data sources and integrate essential data for analysis

    + Inventory data sources and determine what you have to work with

    + Identify gaps and anomalies in the data

    + Pre-process the data to select segments required in the analysis

    + Transform the data by creating new data fields and modifying field types

    + Define Dataviews for later use in data profiling and advanced data visualization

    More and more data is becoming available for analysis every day. The need to easily connect to these sources and unify them is essential if the fraud analyst is going to successfully connect the dots between pieces of data in different sources. This case study uses 4 sources of data:

    1) Fraud Alerts across different business lines in a bank

    2) Financial data on banking transactions and account officers

    3) National identity management databases

    4) Independent watch-lists

    Joining Data

    With so many data sources available for analysis, the process of integrating the data allows analysts to thoroughly and accurately investigate cases. Joining different data sources involves indicating where the data resides followed by linking disparate sources based on a common key (a unique key present in one or more sources of data).

    The example in Figure 1 shows the first two sources of data (Weekly Fraud Alerts and Financial & Customer Demographic data). These two data sources are in different formats (Excel and Microsoft Access) yet they can be joined on a common key (Customer ID). Notice that each of the two sources of data contains different data fields. The Fraud Alerts (listed as Accounts Query) has alert ID, alert name, at risk value and more. The Financial and Demographic data has contact information, branch and account officer data. The fraud analyst has chosen to include all of the data in both sources (indicated by check marks next to the field names) but could have decided to exclude data fields irrelevant in the investigation. Excluding data could make it easier for the analyst to navigate through the analysis phases and also speed up performance if any of the tables are extremely wide.

    Typically, most organizations will have more than two sources of data. By integrating multiple sources of data, the Fraud Analyst increases her chances of identifying unusual behavior across the sources. In Figure 2, many sources are connected. In the center of the figure, the analyst has joined 16 different sources with data on property, SSNs, vehicles, aliases and much more.

    Figure 1: Joining Disparate Sources of Data

    Figure 2: Unifying Many Data Sources

    Both examples show dozens of data fields that can be useful in the analysis. Each data field has a type allowing the technology to understand the form the data takes. For example, is the data represented in integers? Are certain fields in a date format? If so, what format of date is used? Some analysis tools will automatically classify data fields by type but it's important that analysts review data types to ensure the data is being interpreted correctly.

    Connecting to data sources should be as simple as indicating the location of files and allowing the analytical tool to read the metadata (the information in the file that describes the data). In Figure 2, the data files have been joined by drawing a line between the two different sources based on the common key (customer ID). In some cases, it may be useful to refer back to the original sources of data to ensure that the customer IDs are identical for a select number of records. In some instances, common keys can be created by combining portions of existing fields. For example, you could take the first 4 letters of last name, ZIP code, the first 3 letters of street name and other portions of data fields and combine them into a unique identifier. Without common keys across the data, joining disparate data is not possible.

    At the bottom of Figure 3, the analyst previews individual data joined from two of the sources. This technique allows the analyst to validate the data prior to loading large volumes for analysis. It also ensures that the data has been joined correctly. Notice that data fields such as Branch Name, Customer Risk Category, Account Officer and Title have been connected to the original set of fraud alerts. These additional fields allow for new types of analysis to be conducted.

    Selecting Segments of Data for Analysis

    There are many techniques used to select data for analysis. One technique is filtering the data. It often takes place during the analysis phase. Another technique involves pre-selecting data based on data field, individual records or both.

    We will revisit filtering in Phase 3, Advanced Analysis. Examples of pre-selecting data would be selecting only the alerts within the last 30 days or all of the alerts for a set of branches, account officers, or a combination of other criteria. In trying to determine if recent alerts represent fraud, you may decide to only analyze alerts within the last 30 days. This technique can be helpful since it focuses the investigation, reduces data volumes, increases performance and shortens the time it takes to identify fraud. In this particular example, configuring input parameters in the lower left of the screen could be used for this very purpose.

    Figure 3: Validating Data Connections

    Inventory the Data

    Analyzing the imported data in a table format and then running frequency distributions on each field to show the number of values for every data element is an excellent way to inventory the data prior to analysis. It may also reveal important insights or anomalies about the data, pointing the analyst in a specific direction.

    A very simple chart in Figure 4 shows a count of fraud alerts by alert type, at risk dollars, branch name and risk category. Analysts can use these charts to better understand the data. In this case, Forged Signature Alerts for the Checking Business line are high given the timeframe for this set of alerts. These alerts are concentrated in the Florida and California branches. Analyzing data using this type of chart (or others) leads the analyst down a path of discovery that could be useful. For example, At Risk Dollars is zero in many cases even though alert counts are high. This may need to be explored. This type of analysis can also reveal hot spots in the data, null values and unusual behavior that may need to be investigated. Finally, the analyst may discover missing data that is required to prove the case.

    Figure 4: Data Inventory Using Matrix Charts

    Creating New Fields for Analysis

    Creating new fields allows the analyst to derive new and important information using pre-existing data. This technique expands the analysis and may also reveal important insights in the data that may have gone undetected. Figure 5 shows that a new calculated value is being created by adding At Risk Value to Existing Loss Amount. Thinking ahead, the fraud analyst knows that alerts where the combined value is high could be a leading indicator of fraudulent behavior. Let's take this example even further. The analyst may decide to look at the average liability per alert. To accomplish this, she could derive a field which would be the sum of alerts per customer and then divide that count into the field just created. The technique of creating new variables using existing data and math functions can be powerful if done correctly. It can include robust formulas, weighting of specific data fields and other ways of transforming the data.

    Figure 5: Creating New Fields to Expand the Analysis
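
    The inventory and derived-field steps described above, as an added Python example that is not part of the paper or of the Centrifuge product. It runs frequency distributions over constructed alert rows, reports null values and alert types that fire often with zero at-risk dollars, then derives the combined liability and the average liability per alert. The field names, sample rows and the `min_alerts` threshold are assumptions, and the average is read here as a customer's total combined liability divided by that customer's alert count.

```python
from collections import Counter, defaultdict

# Constructed sample alerts. Field names are assumptions modelled on the
# columns the paper mentions (alert type, branch, at-risk dollars, loss).
ALERTS = [
    {"customer": "C001", "alert_type": "Forged Signature", "branch": "Florida",
     "officer": "O-17", "at_risk": 0.0, "existing_loss": 1200.0},
    {"customer": "C001", "alert_type": "Forged Signature", "branch": "Florida",
     "officer": "O-17", "at_risk": 0.0, "existing_loss": 800.0},
    {"customer": "C002", "alert_type": "Forged Signature", "branch": "California",
     "officer": "O-22", "at_risk": 0.0, "existing_loss": 0.0},
    {"customer": "C003", "alert_type": "High Appraisal", "branch": "Florida",
     "officer": None, "at_risk": 250000.0, "existing_loss": 40000.0},
    {"customer": "C003", "alert_type": "High Appraisal", "branch": "California",
     "officer": None, "at_risk": 105000.0, "existing_loss": 0.0},
    {"customer": "C004", "alert_type": "KYC Profile", "branch": "Washington DC",
     "officer": "O-17", "at_risk": 5000.0, "existing_loss": None},
]

NULL = "<null>"  # label used for missing values in the distributions


def frequency_distributions(rows, fields):
    """Count how often each value occurs in each field; None is counted as NULL."""
    dist = {f: Counter() for f in fields}
    for row in rows:
        for f in fields:
            value = row.get(f)
            dist[f][NULL if value is None else value] += 1
    return dist


def inventory_findings(rows, min_alerts=3):
    """Return the anomalies the inventory step is meant to surface."""
    findings = []
    fields = sorted({key for row in rows for key in row})
    for field, counts in frequency_distributions(rows, fields).items():
        if counts[NULL]:
            findings.append(("null_values", field, counts[NULL]))
    # Alert types that fire often but carry no at-risk dollars.
    by_type = defaultdict(lambda: [0, 0.0])
    for row in rows:
        by_type[row["alert_type"]][0] += 1
        by_type[row["alert_type"]][1] += row["at_risk"] or 0.0
    for alert_type, (count, at_risk) in sorted(by_type.items()):
        if count >= min_alerts and at_risk == 0.0:
            findings.append(("high_count_zero_at_risk", alert_type, count))
    return findings


def add_derived_fields(rows):
    """Add combined liability per alert and average liability per alert per customer."""
    enriched = []
    totals = defaultdict(float)
    alert_counts = Counter()
    for row in rows:
        # Missing amounts are treated as zero so one null does not void the sum.
        combined = (row["at_risk"] or 0.0) + (row["existing_loss"] or 0.0)
        enriched.append({**row, "combined_liability": combined})
        totals[row["customer"]] += combined
        alert_counts[row["customer"]] += 1
    for row in enriched:
        customer = row["customer"]
        row["avg_liability_per_alert"] = totals[customer] / alert_counts[customer]
    return enriched


if __name__ == "__main__":
    for finding in inventory_findings(ALERTS):
        print(finding)
    for row in add_derived_fields(ALERTS):
        print(row["customer"], row["combined_liability"], row["avg_liability_per_alert"])
```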


    Phase 2: Initial Data Analysis

    In phase 2, the analyst is focused on data profiling in support of understanding the data and developing a series of questions requiring investigation. During this phase, the fraud analyst can identify correlations between data fields as well as look for anomalies in the data, null values, suspicious behavior and basic patterns of behavior. Based on this process, the analyst formulates a hypothesis for the investigation. Results from this phase include:

    + A set of charts, tables and other forms of visualizations

    + A set of questions leading the analyst down a path of investigation

    + Identification of data that appears to be suspicious requiring more advanced analysis

    + A hypothesis for the investigation

    A small sample of data visualizations is presented in this paper. Additional visualizations will be provided in the ACFE Conference Session.

    Data Profiles

    Figure 6: Bubble Chart of Fraud Alerts by Type and Name


    An initial bubble chart of fraud alerts (Figure 6) by TYPE and NAME shows that KYC profile triggers represent the highest number of alerts. Checking, Loan and Credit Card alerts have lower concentrations of alerts. Do these alert types represent the most risk to the bank? How much risk do they represent? Figure 6 shows the number of alerts. By changing the measure from the number of alerts to the sum of money at risk, the picture tells a different story.

    Figure 7 reveals that high appraisal loan alerts represent the most money at risk to the bank. This result leads the analyst down another line of questioning. Is this a new issue or has it been seen before? Is the money at risk associated with one or more branches? Where are these branches located?

    Figure 8 shows yet a different measure: sum of money lost in the past. This chart confirms that this problem has been persistent. Let's quantify the problem.

    Figure 7: Bubble Chart Measures the Sum of Money At Risk


    Figure 8: Bubble Chart of Historical Money Lost by Alert Name and Type

    Figure 9: Heat Map Quantifying Money at Risk by Business Line and Name

    A heat map of the money at risk to the bank by alert name and type clearly shows the magnitude of the problem: $2.28 million is at risk in the LOAN business line for High Appraisal Alerts. As you see from the prior series of visualizations, as analysts navigate across the data, they can represent the alerts in different forms, each telling a unique story and leading the analyst down a path of inquiry. Are the alerts evenly distributed across account officers? Figure 10 identifies two important things. First, the vast majority of the High Appraisal Alerts show Null for the account officer. Secondly, a few of the account officers have more alerts than others. Charles Head is one. How do the alerts vary by branch? Clearly, the branches with the greatest number of alerts are in Florida, Los Angeles and Washington DC.

    Figure 10: Alerts by Account Office and Alert Type

    Figure 11: Fraud Alerts by Branch Region


    Question Development

    This series of charts and graphs illustrates some of the more important aspects of Phase 2. Clearly, it could be expanded to include other visualizations including time lines, geospatial and relationship graphs. Some of these visualizations will be shown in Phase 3. Using these profiles, a series of questions has emerged requiring additional investigation. Some have been addressed in the charts above. Others need to be resolved in the Advanced Analysis phase. A sample of questions includes:

    + Do the customers with historical alerts show a consistent pattern of behavior over time?

    + Are the alerts clustered around certain days of the week or times of day?

    + Are the account officers in any way related to the customers' behavior?

    + Are account officers issuing mortgages in close geographic proximity to their branches?

    + Are any of the customers with high risk alerts tied to any watch lists?

    + Are there any customers that have suspicious data linked to their identities?

    + Are any of the customers linked to the same property or linked in other ways (i.e. phone records, other property owned, employers, other associations)?

    + Why are so many of the high appraisal alerts not tied to an account officer?

    + Do other financial transactions and accounts show suspicious behavior?

    Based on the initial profiles, the fraud analyst formulates a hypothesis for the investigation. Specific customers are linked to high appraisal alerts. These customers are also linked in some way to the Florida, California and Washington, D.C. branches. The number of alerts associated with certain account officers appears to be high. Collusion between the banking customers and loan officers could be taking place with illegal kickbacks paid to loan officers.


    Phase 3: Advanced Analysis and Identity Visualization

    Charts, Tables and Heat Maps tell part of the story. They are typically used to show summary and aggregate level views of data. Analysts use them to profile data fields, show how the data is organized, investigate if two or more fields of data could be correlated and isolate anomalies in the data. Oftentimes, these forms of visualization communicate the magnitude of the problem. Shifting from one form of visualization to another allows the analyst to reveal new insights.

    But charts, heat maps and tabular data don't show relationships between the people, transactions, and locations. They don't show networks of activity or connections between individual pieces of data.

    In addition to identifying meaningful relationships hidden in the data, the fraud analyst is typically also concerned about the timing, strength and direction of the relationship. Is there someone representing the leader or head of the relationship? Are there people who exist near the potential fraudster or in between two individuals clearly involved in fraud? Do the identities of these people indicate anything suspicious? Are there people linked through employers? How strong are the relationships between people, accounts or loan officers? These types of questions are better suited to a form of data visualization commonly called link analysis but also known as relationship graphs or link-node diagrams.

    Revealing hidden meaning in data requires analysts to maintain their train of thought. Jumping from one data source to another breaks that train of thought. Moving from one analytical tool to another further complicates this problem. Checking identities outside of the analytical environment used to identify the fraud creates delays and inaccuracies. As a result, this phase also includes Identity Visualization.

    The advanced analysis summarized in this phase allows the analyst to do the following:

    + Build relationship graphs to identify hidden insight

    + Analyze relationship graphs using advanced functions

    + Integrate watch list analysis

    + Validate identities using commercially available identity data


    What are Relationship Graphs?

    Relationship graphs are a way of showing visual representations of data through links between data objects. They are comprised of nodes and links. The nodes of the graph are usually real world items, such as people, places, telephones, vehicles, and so on. The links are lines connecting these nodes to show that a relationship exists between the nodes.

    The characteristics of the links are important since they can show the strength and direction of the related nodes. These diagrams can get complicated with large volumes of data and many different types of nodes. For example, a relationship graph showing linkages between people and properties is less complex than one showing people linked to properties, airline flights and employers. As a result, oftentimes analysts use other forms of visualizations, filters and search capabilities to identify a set of data they want to draw in the graph. In other words, using charts to initially identify fraud alerts for high risk customers and then selecting these records for use in the relationship graph is a common practice in data visualization.

    Let's look at an example outside of the financial services industry to demonstrate how these graphs can be used in other applications:

    Figure 12: Network Security Login Traffic


    Figure 12 is a relationship graph for network login activity to a social networking site. It shows nodes for Source IP Address, Source Organization and Destination IP address. Focusing on the central part of the graph (circled in red), there are 4 source organizations linked to many source IP addresses. These source IPs are ALL linked to one Destination IP address in blue (center of the circle). This many-to-one relationship could indicate excessive account access which may mean a data breach has occurred. At the very least, it shows an unusual pattern of behavior. Relationship graphs, unlike charts, show you details about how data is linked. These relationships can often reveal unusual behavior.
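
    The many-to-one pattern described for Figure 12, as an added Python example that is not from the paper: it builds the organization / source IP / destination IP graph from constructed login records and flags destinations reached from an unusually large set of source IPs spread over several organizations. The record layout, the thresholds and the median-based baseline are assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from statistics import median

# Constructed login records: (source IP, source organization, destination IP).
LOGINS = (
    [(f"192.0.2.{i}", f"Org-{i % 4}", "203.0.113.10") for i in range(1, 9)]
    + [
        ("198.51.100.5", "Org-A", "203.0.113.20"),
        ("198.51.100.6", "Org-A", "203.0.113.20"),
        ("198.51.100.7", "Org-B", "203.0.113.30"),
        ("198.51.100.5", "Org-A", "203.0.113.20"),  # repeat login, same link
    ]
)


def build_graph(logins):
    """Undirected graph of typed nodes: org <-> source IP <-> destination IP."""
    adj = defaultdict(set)
    for src_ip, org, dst_ip in logins:
        org_node, src_node, dst_node = ("org", org), ("src", src_ip), ("dst", dst_ip)
        adj[org_node].add(src_node)
        adj[src_node].add(org_node)
        adj[src_node].add(dst_node)
        adj[dst_node].add(src_node)
    return adj


def fan_in(adj):
    """Per destination: (distinct source IPs, distinct organizations behind them)."""
    result = {}
    for node, neighbours in adj.items():
        if node[0] != "dst":
            continue
        sources = {n for n in neighbours if n[0] == "src"}
        orgs = {o for s in sources for o in adj[s] if o[0] == "org"}
        result[node[1]] = (len(sources), len(orgs))
    return result


def many_to_one(logins, min_sources=5, min_orgs=2, ratio=3.0):
    """Destinations whose source fan-in is high in absolute terms and
    at least `ratio` times the median fan-in across all destinations."""
    stats = fan_in(build_graph(logins))
    if not stats:
        return []
    baseline = median(n_src for n_src, _ in stats.values())
    flagged = [
        (dst, n_src, n_org)
        for dst, (n_src, n_org) in stats.items()
        if n_src >= min_sources and n_org >= min_orgs and n_src >= ratio * baseline
    ]
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for dst, n_src, n_org in many_to_one(LOGINS):
        print(f"{dst}: {n_src} source IPs across {n_org} organizations")
```

    Repeat logins over the same link do not inflate the count, because the graph stores distinct neighbours rather than events.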

    In Figures 13 and 14, the relationship graphs are configured to show links between banking customers and their fraud alerts. Figure 14 zooms in on a specific section of the relationship graph. Certain people are linked to 3 or more alert types. These visualizations show important connections that lead to deeper investigative analysis. As a fraud analyst, it is important to better understand the timing of each alert, the money at risk, the identities of the individuals and the locations of the customers in question. Why are Carver, Carnahan and Camp linked to so many fraud alerts?

    Figure 13: Bank Customers Linked to Alert Types


    Advanced fraud analysis using data visualization technology includes a wide range of techniques that are useful in proving the hypothesis in question. As the analyst interacts with all of the visualizations, a limitless number of pictures, questions and techniques can be applied to explore the data. Covering all of these techniques is beyond the scope of this paper. Let's concentrate on a set of best practices. They are:

    1) Configuring relationship graphs

    2) Advanced functions in relationship graphs

    3) Interactive workspaces to incorporate timeline and geo-spatial analysis

    4) Analyzing third party data to understand identities

    Configuring Relationship Graphs

    Now that we know the value of a relationship graph, how does an analyst configure one? Earlier in the analysis, we developed profiles that showed the amount of money at risk varied by branch and that Florida, California and Washington DC were three locations that had a high number of alerts. We also saw that specific account officers had more alerts than others. We formulated a hypothesis. A set of customers could be linked to account officers providing irregular approval of loans. As a result, a high concentration of home appraisal alerts had been triggered. Let's put this theory to the test.

    Figure 14: Bank Customers Linked to Alert Types (Zoom)


    In Figure 15, the analyst has configured a relationship graph with four nodes. Links have been drawn in between the nodes. She wants to see customers linked to alerts as well as account officers. She also wants to see account officers linked to branches. The relationship graph could be customized to show much more data about the alerts, years of employment for the account officers and property locations for the customers.

    Figure 15: Configuring a Relationship Graph

    Figure 16: Relationship Graph with Customers, Alerts, Officers & Branches

    Now, let's see what this relationship graph looks like using a small set of alerts and these related nodes.


    Even with a small set of data, the graph can become complex quickly. It is difficult for the analyst to focus the investigation and discern meaning within this graph. Fortunately, there are many techniques that prove useful in navigating and searching this graph.

    Advanced Relationship Graph Features

    Important metrics can be used to quickly identify the most important nodes and links. By applying link intelligence metrics to the graph, the fraud analyst can isolate some of the more important suspects. Figure 17 has been filtered to only see the high appraisal alerts. Most importantly, the size of the customers and account officers has been scaled based on the number of links they have. Notice account officer Charles Head is linked to many customers and other account officers with high appraisal alerts. The thickness of the links is scaled based on the amount of money at risk to the bank. Using a combination of filters and scaling for both links and nodes, the analyst can begin to focus the investigation.

    Filters are a useful way to narrow the investigation by limiting the data analyzed. Figure 18 shows a three-part filter using At Risk Value, Branch and Alert Name. Notice that the filter for at risk value uses a sliding scale set by the analyst.

    Once the graph is redrawn, the analyst can apply a technique called bundling to group nodes together on the graph. The benefits of bundling are identified in the annotation on this graph.

    Figure 17: Link Intelligence Metrics


    Figure 18: Applying Filters in Relationship Graphs

    Figure 19: Using Bundling in Relationship Graph
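
    The four-node relationship graph, the three-part filter and the link metrics described above, as an added Python example that is not the paper's or the product's own code. It links customers to alerts and account officers, and officers to branches, weights each link by money at risk, and ranks nodes by link count. The row layout, identifiers and amounts are constructed assumptions; alerts with a null account officer keep their customer-to-alert link but get no officer or branch link.

```python
from collections import defaultdict

# Constructed sample rows; identifiers and amounts are assumptions.
ROWS = [
    {"customer": "C-01", "alert": "High Appraisal", "officer": "Officer-1",
     "branch": "Florida", "at_risk": 250000},
    {"customer": "C-02", "alert": "High Appraisal", "officer": "Officer-1",
     "branch": "California", "at_risk": 105000},
    {"customer": "C-03", "alert": "High Appraisal", "officer": "Officer-1",
     "branch": "Florida", "at_risk": 40000},
    {"customer": "C-04", "alert": "High Appraisal", "officer": None,
     "branch": "Florida", "at_risk": 90000},
    {"customer": "C-05", "alert": "High Appraisal", "officer": "Officer-2",
     "branch": "Washington DC", "at_risk": 60000},
    {"customer": "C-01", "alert": "Forged Signature", "officer": "Officer-1",
     "branch": "Florida", "at_risk": 0},
    {"customer": "C-06", "alert": "KYC Profile", "officer": "Officer-3",
     "branch": "New York", "at_risk": 1000},
    {"customer": "C-02", "alert": "High Appraisal", "officer": "Officer-1",
     "branch": "California", "at_risk": 20000},
]


def apply_filter(rows, min_at_risk, branches, alert_names):
    """Three-part filter: at-risk threshold, branch set and alert-name set."""
    return [
        r for r in rows
        if r["at_risk"] >= min_at_risk
        and r["branch"] in branches
        and r["alert"] in alert_names
    ]


def build_graph(rows):
    """Return {(node_a, node_b): summed at-risk dollars}; nodes are (type, name)."""
    edges = defaultdict(float)
    for r in rows:
        customer = ("customer", r["customer"])
        edges[(customer, ("alert", r["alert"]))] += r["at_risk"]
        if r["officer"] is None:  # null officer: no officer or branch link
            continue
        officer = ("officer", r["officer"])
        edges[(customer, officer)] += r["at_risk"]
        edges[(officer, ("branch", r["branch"]))] += r["at_risk"]
    return dict(edges)


def degrees(edges):
    """Number of distinct neighbours per node."""
    neighbours = defaultdict(set)
    for a, b in edges:
        neighbours[a].add(b)
        neighbours[b].add(a)
    return {node: len(linked) for node, linked in neighbours.items()}


def rank_nodes(edges, node_type):
    """Nodes of one type ordered by link count, the value used to scale node size."""
    ranked = [(name, d) for (kind, name), d in degrees(edges).items() if kind == node_type]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def heaviest_links(edges, top=3):
    """Links ordered by money at risk, the value used to scale link thickness."""
    return sorted(edges.items(), key=lambda item: -item[1])[:top]


if __name__ == "__main__":
    selected = apply_filter(
        ROWS, 50000, {"Florida", "California", "Washington DC"}, {"High Appraisal"}
    )
    graph = build_graph(selected)
    print(rank_nodes(graph, "officer"))
    for (a, b), weight in heaviest_links(graph):
        print(a, "--", b, weight)
```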


    Interactive Workspace with Time Line and Geo-Spatial Analysis

    By integrating two or more visualizations into the same workspace, the fraud analyst can now investigate across other dimensions. Figure 20 incorporates a timeline designed to analyze alerts triggered just after accounts have been opened. These short interval alerts are then broadcast to the relationship graph. Think of broadcasting as a way to communicate filtered results to other visualizations. In this case, the time line is broadcasting to the relationship graph which has been set to listen. This technique is useful in identifying individuals tied to suspicious transactions based on geographic location, timing or some other characteristic of the alerts. For example, alerts with high risk could be selected from a chart and broadcast to the relationship graph.

    Figure 20: Broadcasting Selections - Time Lines and Relationship Graph


    The relationship graph in Figure 21 is for all customers with alerts where Charles Head is the account officer (a filter has been applied to the graph). Charles Head is assigned to two different branches of the bank (Florida and California). Notice that Mr. Head is the loan officer for Bokovoy who has a Washington, D.C. address. Bokovoy also has high loss amounts and a very high at risk amount. Additional geospatial analysis also revealed that Jim Camp has similar attributes. Head is linked to Camp, who lives in DC and has high loss and at risk amounts. Unusual geographic patterns of behavior, when used in conjunction with other important data and relationship graphs, can help build the case for deeper fraud investigations.
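
    The timeline-to-graph broadcast and the geographic check described in this section, as an added Python example that is not from the paper: it selects alerts raised shortly after account opening, passes that selection on, and reports customers whose home state is outside every state where their account officer has a branch. All identifiers, dates, amounts and the 30-day window are constructed assumptions.

```python
from datetime import date

# Constructed sample data; identifiers, dates and amounts are assumptions.
ACCOUNTS = {
    "C-01": {"opened": date(2010, 1, 4), "state": "DC"},
    "C-02": {"opened": date(2010, 1, 11), "state": "DC"},
    "C-03": {"opened": date(2008, 6, 2), "state": "FL"},
    "C-04": {"opened": date(2010, 2, 1), "state": "CA"},
}
OFFICER_BRANCH_STATES = {"Officer-1": {"FL", "CA"}, "Officer-2": {"DC"}}
ALERTS = [
    {"customer": "C-01", "officer": "Officer-1", "raised": date(2010, 1, 15), "at_risk": 250000},
    {"customer": "C-02", "officer": "Officer-1", "raised": date(2010, 1, 20), "at_risk": 105000},
    {"customer": "C-03", "officer": "Officer-1", "raised": date(2010, 1, 22), "at_risk": 8000},
    {"customer": "C-04", "officer": "Officer-1", "raised": date(2010, 2, 10), "at_risk": 12000},
    {"customer": "C-02", "officer": "Officer-2", "raised": date(2010, 3, 30), "at_risk": 3000},
    # Alert dated before the account opened: a data-quality case, not a short-interval alert.
    {"customer": "C-01", "officer": None, "raised": date(2010, 1, 2), "at_risk": 500},
]


def short_interval_alerts(alerts, accounts, max_days=30):
    """Timeline selection: alerts raised 0..max_days days after account opening."""
    selected = []
    for alert in alerts:
        opened = accounts[alert["customer"]]["opened"]
        age_days = (alert["raised"] - opened).days
        if 0 <= age_days <= max_days:
            selected.append(alert)
    return selected


def out_of_region(alerts, accounts, officer_states):
    """Group customers whose home state is outside all of their officer's branch states."""
    flagged = {}
    for alert in alerts:
        officer = alert["officer"]
        if officer is None or officer not in officer_states:
            continue  # no officer recorded, or branch assignment unknown
        home = accounts[alert["customer"]]["state"]
        if home not in officer_states[officer]:
            flagged.setdefault(officer, []).append(
                (alert["customer"], home, alert["at_risk"])
            )
    return flagged


def timeline_to_graph(alerts, accounts, officer_states, max_days=30):
    """Broadcast: the timeline's selection becomes the input of the graph-side check."""
    selection = short_interval_alerts(alerts, accounts, max_days)
    return out_of_region(selection, accounts, officer_states)


if __name__ == "__main__":
    result = timeline_to_graph(ALERTS, ACCOUNTS, OFFICER_BRANCH_STATES)
    for officer, customers in result.items():
        print(officer, customers)
```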

    Identity Visualization Using Third Party Data

    With a wealth of identity data and other third party sources including public records, data compilers have amassed 300 million identity records from hundreds of sources. This data can be accessed in real time to validate SSNs, check fraud scores and retrieve personal property data. When this is done within the analytical framework, the fraud analyst does not lose her train of thought. As a result, she can solve cases faster. This technique can be extraordinarily powerful when the identity data is used in conjunction with customer data, fraud alerts and account information. Figure 22 shows an integrated relationship graph with many sources of data.

    Figure 21: Geospatial Visualization with Relationship Graph


    What does this graph reveal? To simplify the presentation of this graph, some of the important facts are located in tool tips for the nodes and not shown unless the analyst hovers over the node. Visually, the fraud analyst can see that two suspects share a business located in Washington, D.C. yet they are both working with a loan officer (Charles Head) who is assigned to the Los Angeles Branch. Bokovoy and Camp have at least 4 fraud alerts in common. Camp owns a plane. Other account officers are linked to Camp and Bokovoy. Are they involved in a fraud ring? To simplify the presentation, the analyst decided to show annotations that indicate large sums of money at risk to the bank for these two customers ($250,000 and $105,000 respectively). Both at risk amounts are tied to high appraisal alerts for home loans far from the Los Angeles branch. When important identity management data is connected to banking transactions, important linkages are revealed in support of the investigation. Showing disparate data in one relationship graph allows the analysts to easily connect the dots.

    Figure 22: Relationship Graph with Identity Data


    Matching to watch lists can help build the case. By matching names, addresses, phone numbers or unique identifiers, the analyst can easily access these new sources. Figure 23 shows a startling result: four of the people shown in Figure 22 are on watch lists. Camp, Head and Bokovoy are being watched for various reasons including a Cyber Data Breach (Camp), TSA Flight Risk (Head) and Financial Crimes (Bokovoy). Also interesting is the fact that Paul Willow is on a Terrorist Watch list.

    Data integration is a common theme throughout this case study. Since risks in this case involve more than money lost to the bank, including potential terrorist activity, the time to solve the case is a critical success factor. Connecting to data sources and analyzing the new sources from within a single analytical framework needs to be mastered by the fraud analyst to meet growing challenges tied to the proliferation of data sources.

    Figure 23: Checking Watch List Data


    Phase 4: Annotation, Collaboration and Presentation Techniques

    As fraud analysts work through the investigation, annotating data visualizations helps highlight significant findings. Annotations are useful in litigation support, training new analysts and collaborating with other members of the investigative team. Best practices dictate that these annotated results are saved for future use in a repository. For one, they can document the steps the fraud analyst has taken to arrive at specific conclusions.

    Results can be organized into individual worksheets, each with their own annotations. In Figure 24, a series of steps in the fraud analysis has been added as an annotation. These guidelines may be useful for new investigators. Notice that the guidelines refer to worksheets that are part of the complete investigation.

    On the relationship graph itself, certain nodes have been selected and appear within the orange box.

    Figure 24: Annotating Worksheets with Step-By-Step Guideline


    Annotations can be used to call out specific findings, emphasize proof points in support of litigation, communicate findings to team members and summarize results for executive leadership.

    As Figure 24 demonstrates, they can also be used as a training guide for other team members.

    Many of the same techniques should be incorporated into presentation of findings. The presentation should emphasize how the analyst arrives at the conclusion. It needs to be clear, concise and complete. Additional examples of presentation techniques will be provided at the ACFE training session along with examples of collaboration.

    Conclusion

    While fraud schemes continue to morph and become more elaborate, the tools that investigators can bring to bear on the problem have not evolved. The tools today fall short in four key areas: they are too hard to use, too static, too disconnected and too isolated. Next generation approaches must improve in these areas and free the investigator to apply experience and knowledge in an unconstrained manner.

    By improving the identification phase in fraud management, all other phases benefit. Investigative Analytics provides a powerful new paradigm for improving this analysis effort and comprises three emerging innovations: 1) Interactive Visualization, 2) Unified Data Views and 3) Collaborative Analysis. The approach must also drastically improve the user experience which has been far too complicated. Investigative Analytics allows for unconstrained analysis across disparate data sets. It allows the investigator to visualize and detect hidden relationships while also collaborating and working with others. It is easily adoptable. It is consistent with the way investigators have been trained and think. Most importantly, it allows them to apply their knowledge and experience to the problem.

    By deploying investigative analysis tools that embrace these characteristics, investigators are armed with technology built for the modern fraud landscape. These tools are weapons in the fight against fraud.

    In this investigation, the analyst detected suspicious behavior in terms of the number of fraud alerts assigned to an account officer, Charles Head. The alerts were concentrated in a few branches. Upon closer investigation, she noticed that certain banking customers were tied to these alerts across business lines. Bokovoy and Camp were linked to the same address and both were working with the same account officer (Head) who happened to be across the country. The amount of money at risk to the bank was high. High appraisal alerts were not the first alerts set off by Camp and Bokovoy. Identity visualization using 3rd party data indicated additional problems. Watch lists were checked and all three suspects (plus one new one) showed up on these lists. Results were published to other members of the team.

    This approach has been put to the test in some of the most demanding applications worldwide and has proven to be highly effective. If the investigator is able to gain access to critical data in support of his investigation, if the investigator can identify hidden relationships within massive data sets, if the investigator can notify others of results, the identification process can be improved while also enhancing detection, reporting and issue resolution. Because of these benefits and the enormous information challenges organizations face today, Investigative Analytics is taking on new meaning worldwide as fraud analysts, intelligence analysts, cyber security analysts and law enforcement leverage technology to efficiently and effectively identify fraud.
