Intelligent alarm system

The intelligent alarm system monitors transactions and activities through computer systems. By utilizing various detection methods and data mining techniques, it solves the problems of low efficiency and high error rate in traditional methods, and achieves automated detection of suspicious activities and improved compliance.

CN113994323BActive Publication Date: 2026-06-05APEX TECHLINK INC

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
APEX TECHLINK INC
Filing Date
2020-02-10
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies are insufficient to effectively detect and report suspicious financial activities, especially money laundering. Traditional methods rely on manual detection, which is inefficient and prone to errors. Furthermore, existing systems cannot effectively distinguish between fraud and money laundering activities, leading to compliance issues and high costs.

Method used

The intelligent alarm system monitors transactions and activities through a computer system, and uses a variety of detection methods and data mining techniques to automatically identify potential cases and generate reports, reducing manpower and improving detection efficiency and accuracy.

Benefits of technology

It enables automated detection of suspicious activity, reduces human intervention, improves the efficiency of financial institutions in complying with laws and regulations, reduces costs, and decreases error rates and compliance risks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN113994323B_ABST
    Figure CN113994323B_ABST
Patent Text Reader

Abstract

The intelligent alert system triggers potential cases based on a set of scenarios and sends a report with a default narrative to an investigator for each potential case. Through changes made by the investigator to the default narrative, the intelligent alert system learns the investigator's writing style. Eventually, the intelligent alert system can automatically submit reports with narratives that match the investigator's writing style. After an investigation, the intelligent alert system records in a database the results of the investigation, the associated set of scenarios that triggered the potential case, and the date and time of such investigation for each potential case. As a result, the intelligent alert system can gradually learn from the investigators and automatically make decisions on some future potential cases with little to no human involvement.
Need to check novelty before this filing date? Find Prior Art

Description

[0001] Cross-references to related applications

[0002] This application claims the benefit of U.S. Patent Application No. 16 / 742,766, entitled “INTELLIGENT ALERT SYSTEM,” filed January 14, 2020, and U.S. Patent Application No. 16 / 742,780, entitled “INTELLIGENT REPORT WRITER,” also filed January 14, 2020. Both applications claim priority to U.S. Provisional Patent Application No. 62 / 805,085, entitled “INTELLIGENT ALERT SYSTEM,” filed February 13, 2019, the disclosures of which are expressly incorporated herein by reference in their entirety. Technical Field

[0003] This disclosure generally relates to intelligent alarm systems. More specifically, this disclosure relates to systems and methods for improving alarm management. Background Technology

[0004] The amount of data available for public consumption is increasing exponentially. This data can be used to uncover hidden opportunities or expose misconduct. Conventional information management systems can utilize manual search, report-based search systems, and / or alert-based search systems. These conventional search systems can be used to detect and report suspicious activity.

[0005] The Bank Secrecy Act in the United States was first enacted in 1970. Under this act, financial institutions are required to report suspicious activity to the government. Historically, financial institutions have trained frontline staff (such as bank tellers) to observe and identify suspicious activity. However, most financial institutions have not effectively complied with the Bank Secrecy Act.

[0006] To further enforce bank secrecy laws, the U.S. Congress passed the USA PATRIOT Act, which imposes severe civil and / or criminal penalties for violations of bank secrecy laws. Furthermore, U.S. government agencies, such as the Financial Crimes Enforcement Network (FinCEN), the Office of the Comptroller of the Currency (OCC), the Federal Reserve Bank (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the National Banking Department, and the Department of Financial Institutions, strictly require financial institutions to comply with bank secrecy laws, particularly their obligation to submit Suspicious Activity Reports (SARs) to FinCEN.

[0007] Suspicious activity encompasses a very broad range. For example, money laundering, terrorist financing, fraud, embezzlement, identity theft, computer intrusion, self-dealing, bribery, false statements, forged documents, and mysterious disappearances are all classified as suspicious activity.

[0008] However, many financial institutions fail to detect and report suspicious activity. In fact, many financial institutions use products that are effective in preventing fraud but ineffective in preventing money laundering or other financial crimes. Generally, fraud can be detected based on changes in behavior, as fraudsters who steal a victim's identity (or financial instrument) behave differently from the victim. Computer systems can detect fraud if account activity differs from expected activity derived from historical activity.

[0009] For example, U.S. application (Publication No. 2003 / 0177087) specifies that high-risk variables may include, for example, changes in the account’s usual behavior indicated when a transaction falls outside the account profile. According to that publication, Beta, Delta, and Theta models were used to detect transactions falling outside the client’s profile.

[0010] However, money laundering and some other financial crimes can be committed without any behavioral changes. As a result, traditional methods of detecting fraud based on behavioral changes fail to detect some basic money laundering activities or other financial crimes. In the money laundering field, high-risk customers may not be suspicious. For example, banks often classify money service businesses (MSBs), pawnshops, ATM providers, and flight attendants as high-risk customers in their anti-money laundering programs. However, this does not mean that these high-risk customers are engaged in money laundering activities. While high risk is associated with these customers, they may not have committed any wrongdoing.

[0011] Some businesses are extremely difficult to monitor. For example, MSBs process a large number of transactions every day, and individual money laundering transactions mixed in with these large volumes can be difficult to detect using traditional methods.

[0012] The challenges of complying with the Patriot Act and the Bank Secrecy Act (BSA) mentioned are just a few examples illustrating the importance of identifying suspicious activity. Identifying suspicious activity can also be used to comply with other laws, such as the Fair and Accurate Credit Transactions Act (FACT), the Illegal Internet Gambling Enforcement Act (UIGEA), the Elder Abuse Reporting Act (EARA), the Sarbanes-Oxley Act (SOX), regulations established by the Office of Foreign Assets Control (OFAC), and other laws and regulations.

[0013] Regulatory compliance is traditionally implemented through policies and procedures that require human workers to take specific actions in response to certain conditions. For example, banks train their tellers in branches to observe and report any situations they deem suspicious in order to comply with bank secrecy laws.

[0014] This traditional method is no longer effective in the modern era because customers no longer need to be physically present at bank branches. For example, customers can conduct transactions remotely electronically (e.g., via the internet), and there are numerous financial instruments available to customers (e.g., checks, credit cards, debit cards, etc.). Furthermore, criminals are sophisticated and know how to avoid attracting the attention of tellers. As a result, relying on tellers to detect suspicious activity to comply with bank secrecy laws is insufficient.

[0015] Furthermore, this human-based approach is extremely costly. Regular, intensive training is necessary to ensure that human workers truly understand how to comply with different laws and regulations in every situation. However, human workers are prone to error. In fact, many financial institutions have already faced severe penalties from government agencies for failing to comply with various laws and regulations due to human negligence.

[0016] The aim is to improve search systems to enhance the detection of different types of suspicious activity and to help businesses comply with various laws and regulations. The methods, functions, implementations, computer systems, networks, software, hardware, mechanisms, and other components used for detecting suspicious activity may also be used in other applications or by other organizations for purposes other than detecting suspicious activity. Summary of the Invention

[0017] This disclosure includes multiple embodiments that can be combined to form various methods. One method for detecting money laundering activity. The method includes: detecting a first potential case by a first computer system when a scenario marked in a cause vector for a first potential case of money laundering meets a detection criterion. The method further includes: comparing a first ratio of a first value of the cause vector to a second value of the cause vector by the first computer system with a threshold. The method further includes: transmitting the first potential case from the first computer system to a second computer system for investigation when the first ratio is less than the threshold. The method further includes: adjusting the first value by the first computer system when the investigation results indicate that the first potential case is true. The method further includes: adjusting the second value by the first computer system based on the cause vector meeting the detection criterion. The method further includes: transmitting a first report associated with the first potential case from the first computer system to a third computer system when the first potential case is true.

[0018] Another method for detecting money laundering activities. This method includes: a first computer system detecting a potential case when a scenario marked in the cause vector for a potential money laundering case meets detection criteria. The method further includes: the first computer system calculating a conditional probability value for the potential case based on the cause vector. The method further includes: the first computer system comparing the conditional probability value with a threshold. The method further includes: when the conditional probability value is greater than the threshold, transmitting a report associated with the potential case from the first computer system to a second computer system.

[0019] Another method for detecting money laundering activities. This method includes: a first computer system detecting a potential case when a scenario marked in a first cause vector for a potential money laundering case meets detection criteria. The method further includes: the first computer system generating a combined cause vector by combining the first cause vector with a second cause vector from a previous potential case. The method further includes: the first computer system calculating a conditional probability value for a case triggered by the combined cause vector. The method further includes: the first computer system comparing the conditional probability value with a threshold. The method further includes: when the conditional probability value is greater than the threshold, transmitting a report associated with the potential case and the previous potential case from the first computer system to a second computer system.

[0020] Another method for detecting money laundering activities. This method includes: a first computer system detecting a potential case when a scenario marked in the cause vector for a potential money laundering case meets detection criteria. The method also includes: the first computer system calculating a conditional probability value for a case triggered by a subvector of the cause vector. The method further describes: the first computer system comparing the conditional probability value to a threshold. The method also describes: when the conditional probability value is greater than the threshold, transmitting a report associated with the potential case from the first computer system to a second computer system.

[0021] Another method for detecting money laundering activities. This method includes: detecting a potential case by a first computer system when a scenario marked in a first cause vector for a potential money laundering case meets detection criteria. The method further includes: generating a combined cause vector by the first computer system by combining the first cause vector with a second cause vector of a previous potential case. The method also includes: calculating conditional probability values ​​for subvectors of the combined cause vector by the first computer system. The method further describes: comparing the conditional probability values ​​with a threshold by the first computer system. The method also describes: transmitting a report associated with the potential case and the previous potential case from the first computer system to a second computer system when the conditional probability value is greater than the threshold.

[0022] A computer-implemented method for generating reports. The method includes: storing in a database of a first computer system a first fact associated with a first subject, a second fact associated with a second subject, and a third fact associated with a third subject. The first, second, and third facts have the same field names in the database. The method further includes: receiving a first report of the first subject from a second computer system at the first computer system. The first report includes the first facts and a first set of link terms generated by a human author. The method further includes: transmitting the first report of the first subject from the first computer system to a third computer system. The method transmits the second facts and the first set of link terms from the first computer system to the second computer system. The method further includes: receiving a second report of the second subject from the second computer system at the first computer system. The second report includes the second facts and a second set of link terms generated by a human author. The method transmits the second report of the second subject from the first computer system to the third computer system. The method also transmits a third report of the third subject from the first computer system to the third computer system when the first set of link terms corresponds to the second set of link terms. The third report includes the third facts and the second set of link terms.

[0023] The methods described above are merely examples. Many other methods can be formed by combining and rearranging the embodiments of this disclosure.

[0024] This provides a fairly broad overview of the features and technical advantages of this disclosure in order to facilitate a better understanding of the specific embodiments described below. Additional features and advantages of this disclosure will be described below. Those skilled in the art will understand that this disclosure can be readily used as the basis for modifying or designing other structures for achieving the same purposes as this disclosure. Those skilled in the art will also recognize that such equivalent structures do not depart from the teachings of this disclosure as set forth in the appended claims. The novel features considered characteristic of this disclosure, including both its organization and manner of operation, as well as further objects and advantages, will be better understood from the following description when considered in conjunction with the accompanying drawings. However, it should be clearly understood that each of the drawings is provided occasionally for illustrative and descriptive purposes only and is not intended to be a limitation of this disclosure. Attached Figure Description

[0025] The features, nature, and advantages of this disclosure will become more apparent from the specific embodiments described below when taken in conjunction with the accompanying drawings.

[0026] Figure 1 A system and network diagram of an intelligent alarm system according to various aspects of this disclosure is shown.

[0027] Figure 2 , Figure 3 , Figure 4 and Figure 5This is a flowchart of an intelligent alarm system based on various aspects of this disclosure.

[0028] The specific embodiments described below with reference to the accompanying drawings are intended as descriptions of various configurations and not as representations of only configurations in which the concepts described herein can be practiced. Specific details are included to provide a thorough understanding of the various concepts. However, it will be apparent to those skilled in the art that these concepts can be practiced without these specific details. In some instances, well-known structures and components are shown in block diagram form to avoid obscuring such concepts. As described herein, the use of the term "or" may mean "inclusive or" or "exclusive or," depending on the application context based on convention. Detailed Implementation

[0029] Various aspects of this disclosure relate to intelligent alert systems. In one configuration, a computer system monitors transactions and / or activity to generate alerts. The computer system can learn from humans and become smarter to automatically accept potential cases as true affirmations and / or reject potential cases as false affirmations. As a result, this computer system can help financial institutions reduce human resources while still complying with laws and regulations, such as banking secrecy laws.

[0030] Depending on the specific provisions of laws or regulations, computer systems may use different functions or methods to monitor different types of activities. This disclosure provides various details for monitoring transactions and activities to reduce human resources while still complying with different requirements, laws, and regulations. The computer systems of this disclosure can also be used for other applications or other purposes. The computer systems of this disclosure can reduce or eliminate human effort and / or errors, reduce resources, save money, and improve results.

[0031] In conventional information management systems, individuals manually search the internet and / or databases to obtain data. This manual search is time-consuming. To improve manual searches, decision-makers often hire additional searchers to assist in performing them.

[0032] Additionally, some conventional information management systems generate various reports with graphics to summarize or compare data. Reading these reports may be an improvement over manual searching. However, when dealing with large amounts of data, reading reports can still be time-consuming. Furthermore, it is impractical for the human eye to identify events among the various numerical values ​​presented in a report. When people are assigned the task of reading large numbers of reports, they may be unable to identify different issues.

[0033] To improve retrieval, some conventional systems generate alerts when certain conditions are met. Alert systems can reduce the need for humans to read reports. That is, alerts can notify users of specific events and provide data related to those events. Compared to report-based methods, alert systems reduce the amount of time and manpower required.

[0034] The aim is to improve alarm systems to increase efficiency and reduce the need for human oversight. Aspects of this disclosure relate to an information management system that processes alarms via a computer system. This information management system may be referred to as an intelligent alarm system.

[0035] Alert systems can be used by various types of organizations. For example, laws require financial institutions to report suspicious activity to the government. Therefore, financial institutions can use alert systems to determine when suspicious activity is detected. As another example, lending companies can use alert systems to generate alerts when borrowers are likely to default on loans. In yet another example, social media companies can use alert systems to generate alerts when cross-selling targets are identified. As yet another example, defense contractors can use alert systems to identify violations of security policies. In yet another example, police departments can use alert systems to generate alerts before a crime is committed.

[0036] As discussed above, alarm systems have various uses. The aspects of this disclosure are not limited to the uses discussed above. The methods, functions, embodiments, computer systems, networks, software, hardware, firmware, mechanisms, and other components of this disclosure can be used by other types of individuals or organizations for other purposes. For clarity, this disclosure will discuss examples of using alarm systems in financial institutions to detect suspicious activity.

[0037] The U.S. government strictly mandates that businesses comply with the Patriot Act, the Bank Secrecy Act (BSA), the Fair and Accurate Credit Transactions Act (FACT), the Illegal Internet Gambling Enforcement Act (UIGEA), the Elder Abuse Reporting Act (EARA), the Sarbanes-Oxley Act (SOX), regulations set forth by the Office of Foreign Assets Control (OFAC), and other relevant laws and regulations. Businesses can include, for example, financial institutions such as banks, credit unions, mortgage companies, money services companies, stockbrokers, and insurance companies. The U.S. government has levied billions of dollars in civil penalties (CMPs) on financial institutions for violations of these laws and regulations. Criminal penalties have also been imposed on some individuals working for financial institutions.

[0038] Financial institutions are just one type of business. They are not the only organizations required to comply with these laws and regulations. Many other types of businesses are also required to comply. This disclosure applies to all businesses, including those obligated to comply with laws and regulations.

[0039] The Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) are U.S. organizations. In this disclosure, U.S. laws and regulations are used as examples. Many other countries have similar organizations performing similar tasks. Therefore, similar laws and regulations exist in many other countries. This disclosure also applies in those countries to help businesses comply with their respective laws and regulations. Various aspects of this disclosure may also be used by businesses, individuals, or organizations that are not required to comply with laws or regulations.

[0040] It can often be difficult to determine whether an individual or group has engaged in illegal activity. Under U.S. bank secrecy laws, when a company submits a Suspicious Activity Report (SAR) to FinCEN, it is not obligated to prove whether the reported activity is illegal. In fact, the "safe harbor" rule encourages companies to report more suspicious activity without fear of being accused of falsely reporting legitimate activity as illegal. Under this "safe harbor" rule, no individual (or organization) can bring a lawsuit against an entity simply because it submitted a Suspicious Activity Report (SAR) to FinCEN about that person (or organization). SARs are used by governments to collect information, and companies are only expected to provide information and opinions in SARs. Government agencies conduct their own investigations to determine whether the activities reported in the SAR are truly illegal.

[0041] Generally, the decision-making process for whether to report suspicious activity that is not fraudulent differs from the decision-making process for whether to report a fraud case. In fraud cases, entities such as businesses or customers may lose money. Therefore, fraud is easier to detect compared to other crimes. Consequently, it is easier to decide whether to report a fraud case. Preventing fraud is also easier compared to preventing other crimes. As an example, if a computer system detects a high risk of fraud associated with a transaction, the computer system can block the transaction and allow investigators to investigate it to determine if it is indeed a fraud case.

[0042] In one aspect of this disclosure, for fraud detection, the computer system calculates a risk score associated with a transaction based on various factors related to the transaction. These factors may include the account's historical activity, deviations from expected activity, the location, time, amount, frequency, and nature of the transaction, the relationship between multiple accounts, and the type, nature, and structure of the account holder, etc.

[0043] In one aspect of this disclosure, for fraud detection, if a transaction's fraud risk score exceeds a threshold, the computer system blocks the transaction. The threshold can be predetermined based on the enterprise's strategy.

[0044] In one aspect of this disclosure, for fraud detection, the computer system creates a case based on detected high-risk fraud transactions. This case and related information are presented to investigators for further investigation.

[0045] Unlike fraud, suspicious activity may lack clear evidence. For example, a customer might frequently deposit large amounts of cash. It's possible the customer is involved in money laundering by selling illicit goods and receiving cash as payment. It's also possible the customer is selling homemade products at a farmers' market and only accepting cash as payment. Typically, due diligence is required to determine if anything is suspicious.

[0046] It's also possible that while a customer sells homemade products at a farmers' market, they might also be selling illegal items elsewhere. Unless the bank is notified that the customer is selling illegal items, there is no evidence to prove it. If the customer is indeed selling illegal items and the bank fails to report such suspicious activity to FinCEN, the bank could face severe penalties later for failing to report the case to FinCEN should the customer be arrested by the government for selling illegal items.

[0047] On the other hand, if a bank reports every case with even a slight chance of being suspicious, it may attract unnecessary attention from government agencies. These agencies could spend many months investigating the bank's operations internally, potentially severely impacting its business.

[0048] The decision to report a case can be based on the instinctive judgment of the person reviewing it. Furthermore, the decision-making process can be quite subjective. Moreover, banks cannot simply block a transaction because it appears suspicious of money laundering activity. When a business that blocks a customer's transaction cannot actually prove money laundering has occurred, the customer can sue the business. In fact, many government agencies often advise businesses that have already reported suspicious activities such as money laundering or terrorist financing to remain silent and treat suspicious transactions as normal transactions, so that suspects will not become alert and flee. This approach gives government agencies more time and opportunity to identify all relevant criminals.

[0049] Under the U.S. Bank Secrecy Act, companies that submit Special Notices (SARs) are obligated to keep them confidential and not disclose any information about the SAR, including its existence, to suspects (e.g., individuals involved in the case). SARs can only be reviewed by authorized government agencies.

[0050] Because handling suspicious activity cases is very different from handling fraud cases, as stated above, many conventional methods and concepts applicable to fraud detection and prevention are no longer useful for detecting and managing suspicious activities such as money laundering, terrorist financing, elder abuse, online gambling, etc. In one aspect of this disclosure, a computer system records the opinions of those who decide not to report detected suspicious activity cases. In this case, the decision-maker records the reasons to justify their decision.

[0051] Unlike fraud cases, suspicious activity cases may not become apparent to the person reviewing the case until additional evidence becomes available. Therefore, a person might initially reject a detected suspicious activity case but later change their mind when additional evidence becomes available. In one aspect of this disclosure, the person reviewing a detected suspicious activity case may also need to examine all historically detected cases concerning the same suspect to determine whether any new evidence, when combined with old evidence that may have come from any rejected cases, makes the newly detected case more suspicious. As a result, even if a case was previously rejected as a false detection, such a rejected case may be reviewed later.

[0052] This practice of reviewing cases of suspicious activity may differ from that of reviewing cases of fraud, because fraud cases typically have a clear conclusion. If the customer is the fraudster, the customer's account is closed, and the customer will be prevented from making future transactions / activities. If the customer is the victim of fraud, the detected fraud case is irrelevant to the customer, and the evidence will not be used against that customer in the future. Therefore, fraud investigators typically only focus on newly detected cases. In contrast, suspicious activity investigators may need to review the history of detected cases and make decisions after in-depth research and analysis. In one aspect of this disclosure, the justifications for the decision not to report suspicious activity are stored in a database and are available for future reference.

[0053] In another aspect of this disclosure, the computer system also records the identity of the person who decides not to report a detected case. The computer system can compare decisions made by multiple individuals not to report suspicious activity of the same(s) suspect(s) to determine whether an investigator is attempting to conceal a detected suspect or case.

[0054] For large enterprises, thousands of suspicious activities may be detected each month. A team may be assigned to review the detected cases to determine whether the enterprise needs to submit SARs for these cases. In one aspect of this disclosure, a computer system automatically assigns detected cases to different individuals based on policies set by the enterprise. The computer system can monitor and record the status of each detected case. If a particular individual delays case review, the computer system will issue a warning to the enterprise regarding this delay.

[0055] In another aspect of this disclosure, the computer system monitors the workload of each person reviewing detected cases. If, during the same time period, someone reviews an unusually large number of cases compared to others who are also reviewing detected cases, that person may become suspicious or problematic.

[0056] On the other hand, if someone reviews fewer cases compared to others who also review cases during the same time period, that person may also become suspicious or problematic. In either of these cases, the company's manager may want to investigate the situation and draw their own conclusions and decisions.

[0057] Generally, different detection functions are used to detect suspicious activity because suspicious activity can occur in many different types of activities. Since the detection of suspicious activity is not definitive, some detected cases may not be truly suspicious after investigation. In such cases, these detected cases are rejected as false detections or false affirmations. False detections or false affirmations are often referred to as the conclusion of the investigation, but are not grounds for justifying the rejection of the case.

[0058] For example, if a financial institution detects a case where several customers live at the same address and deposit large sums of cash into the institution, the case might seem to involve a potential drug trafficking family, with many family members depositing their drug proceeds. However, upon investigation, the case might actually be a group of students living together and depositing tips they received while working at a restaurant. The justification for not reporting the case would be that "the students living together deposited tips they received from part-time jobs." Therefore, due to this given justification, the conclusion of the detected case becomes a false detection or a false affirmation.

[0059] Generally, after reviewing a detected case, it can be classified as a false detection (or false affirmation) by the person reviewing it. In one aspect of this disclosure, the computer system provides the user with information and / or statistical information to analyze all detected cases classified as false detections. From these false detections, the user can identify detection functions that have generated more than a threshold number of false detections. The user can further improve the identified detection functions to enhance the detection of future suspicious activity.

[0060] The Patriot Act, Bank Secrecy Act (BSA), Anti-Money Laundering (AML), and Anti-Terrorist Financing (ATF) are already important compliance matters in the financial industry. Many financial institutions have invested heavily in these compliance matters, yet still miss out on real money laundering and terrorist financing cases.

[0061] The main reason for these compliance issues is that many financial institutions don't even detect basic money laundering cases, and senior managers at these institutions often struggle to understand these issues. Many financial institutions use fraud detection principles to detect money laundering activities, and some even confuse fraud cases with money laundering cases.

[0062] However, in reality, money laundering and fraud are very different. Fraud detection products can easily compare an account holder's current activity with their historical activity, and detect potential fraud if the current activity deviates from the expected activity derived from the historical activity. For example, if a fraudster steals a victim's credit card, the fraudster will make purchases that differ from the victim's historical activity. It's only a matter of time before the credit card company detects the fraudulent activity and disables the card. If a new account doesn't have enough historical records, fraud detection products compare the account holder's current activity with what the account holder said during the account opening process.

[0063] Because the goal of fraud detection products is to stop losses as early as possible, financial institutions typically run fraud detection or risk scoring in real-time or at least daily. In contrast, real-time risk scoring, real-time detection, daily risk scoring, and daily detection methods, which are effective for fraud detection, cannot detect many basic money laundering activities. In fact, as explained earlier, higher-risk customers may not be money launderers. Assuming that a higher-risk customer is engaged in suspicious money laundering activities is a waste of time.

[0064] Financial institutions typically have Bank Secrecy Law Officers (BSA officers) who are responsible for reporting suspicious money laundering activities or terrorist financing to FinCEN. The following is an example of how a BSA officer within a financial institution might waste significant time reviewing their real-time or daily risk scores, yet still miss a genuine money laundering case. This example consists of the following facts: (a) Client A remits less than [amount missing] to XYZ around the 5th day of each month. 3,000; (b) Client B remits less than [amount] to XYZ around the 8th day of each month. 3,000; (c) Client C remits less than [amount] to XYZ around the 12th day of each month. 3,000; (d) Client D remits less than [amount] to XYZ around the 17th of each month. 3,000; (e) Client E remits less than [amount] to XYZ around the 24th day of each month. 3,000; (f) Client F remits less than [amount] to XYZ around the 29th day of each month. 3,000; (g) A, B, C, D, E, and F are unrelated individuals; and (h) XYZ is a drug dealer in Los Angeles with no prior criminal record.

[0065] In the example above, if a BSA officer compares the client's current activity with their historical activity to detect any behavioral changes, the officer will not detect any anomalies because the client consistently engages in similar transactions every month. If a bank teller inquires about the purpose of the fund transfers, the client can easily lie. Because these clients conduct their transactions on different days of the month, the BSA officer will be unable to detect any risk on any given day of that month.

[0066] Furthermore, these principals are unrelated, and therefore BSA officials will not see their overall activity. Additionally, because each transaction involves only small amounts of US dollars occurring once a month, and the recipients of the funds reside in U.S. cities with large populations and significant business activity, none of these principals will be considered high-risk or suspicious based on these transactions. As a result, despite the fact that BSA officials diligently use fraud detection products daily, these products will miss these basic money laundering cases.

[0067] To detect these money laundering cases, in one configuration, a computer system collects transaction data from financial institutions and performs data mining for specified time periods (such as 30 days or longer), across all principals, and based on anti-money laundering and counter-terrorism financing scenarios. The computer system can collect details of all fund transfer transactions from various data sources within the financial institution (such as wire transfers, ACH, card payments, mobile payments, etc.). The computer system can then identify the common recipients of these fund transfer transactions.

[0068] When a common recipient is identified, the computer system can display all transactions transferred to that common recipient to BSA officials. BSA officials review the identified transactions through the computer system. BSA officials also review all historical cases associated with suspects in newly detected cases. If a BSA official (e.g., the head) agrees that such transactions are suspicious activity because the common recipient received excessive amounts of money, the computer system assists the BSA official in submitting a SAR to FinCEN. If the BSA official decides not to submit a SAR, the BSA official enters reasons into the computer system to justify their decision not to report such detected activity.

[0069] Several methods exist for reporting SAR cases to FinCEN. One method is to send the SAR report directly to a server located at FinCEN in electronic format. In this case, BSA officers can instruct the computer system that has detected suspicious activity to submit a SAR report. The computer system will prepare the SAR report based on the suspects and transactions identified by BSA officers, and then transmit the SAR report to the computer system at FinCEN.

[0070] As is understandable, even for very small financial institutions, data mining of the vast amounts of transaction data accumulated over a long period by all their clients takes time. Because financial institutions do not directly lose any funds in money laundering cases, BSA officers have up to 30 days to submit a SAR, according to regulatory guidelines. This example illustrates that conducting real-time or daily risk scoring that actually misses genuine money laundering activity is a waste of time and resources.

[0071] BSA officials expressed a shared frustration that they were wasting their days on fraudulent activities at the expense of detecting actual money laundering cases. This frustration stemmed from a common misconception that money laundering and fraud are crimes frequently committed by the same perpetrator and should be detected together based on detected behavioral changes. After purchasing fraud detection products, some financial institutions tried... Figure 1 The detection of both money laundering and fraud cases has resulted in a significant waste of time, money, and resources. This misconception can be corrected through a proper understanding of the complexities of transaction risk.

[0072] Transaction analysis is defined as risk directly associated with a transaction. For example, money laundering risk and fraud risk are directly linked to transactions. However, these risks have very different characteristics. Clients who launder money through financial institutions aim to use the institutions as tools to achieve their goals. These money launderers often pretend to be legitimate clients because they need the financial institution's assistance to carry out their schemes. They don't mind paying extra fees or losing interest on their funds, and therefore, from the financial institution's perspective, these money launderers are desirable clients. This is one of the key reasons why financial institutions need to perform data mining on all transactions to detect money laundering activities hidden behind the scenes.

[0073] In contrast, fraud risk manifests itself in different ways. Fraud perpetrated by a customer is generally categorized into two types: (1) third-party fraud; and (2) counter-party fraud. Third-party fraud is defined as fraud perpetrated by a third party who is neither a financial institution nor a customer. For example, when a fraudster (e.g., a third party) steals a checkbook from a customer, both the financial institution (e.g., the primary party) and the customer (e.g., the counterparty) can become victims. In this case, the transactions conducted by the third-party fraudster are unrelated to the customer. Therefore, it is a waste of time, money, and resources when BSA officers are misled by ineffective fraud detection products that assume the customer has already engaged in money laundering (e.g., when there is a change in behavior), simply because the customer is a victim of fraud perpetrated by a third party.

[0074] Counterparty fraud is defined as fraud perpetrated by a client (e.g., a counterparty) who deceives a financial institution (e.g., the principal party). Once the client has successfully deceived the financial institution, the client quickly disappears and the money is not laundered through the financial institution. A fraudster might use financial institution A to launder money that the fraudster has stolen from financial institution B. For financial institution B, this is a fraud case. For financial institution A, this is a money laundering case. However, neither financial institution A nor financial institution B can see both the fraud and money laundering cases occurring with the same client. Clearly, a system designed to detect fraud cases daily would systematically create many false positives for money laundering and actually miss genuine cases. Using this approach increases the workload of BSA officials and exposes financial institutions to unnecessary regulatory risks.

[0075] There are other risks under the third-party fraud category. For example, counterfeit checks, credit card fraud, debit card fraud, ATM fraud, and online fraud are all typical risks under this category. Similarly, there are many different risks under the third-party fraud category, such as bounced checks, deposit fraud, and loan fraud. Therefore, a good transaction risk management system uses multiple detection algorithms that intelligently consider each unique characteristic of various types of fraud to successfully detect it.

[0076] Furthermore, as explained earlier, multiple clients can collude to launder money or finance terrorism by each making a small transaction on different dates, and daily monitoring misses these cases. This leads to the logical conclusion that systems using a single method to detect behavioral changes waste resources and miss genuine money laundering and terrorist financing cases. In one aspect of this disclosure, money laundering and terrorist financing activities are detected using different detection methods based on user-defined scenarios that perform data mining on all transactions accumulated across the entire financial institution over a certain period.

[0077] In one aspect of this disclosure, the computer system uses multiple detection methods to monitor transactions and integrates the detection results into a centralized case management platform. This approach merges and streamlines anti-money laundering, anti-fraud, and anti-financing of crime efforts to improve detection while maintaining a comprehensive and accurate picture at all times. As a result, financial institutions can improve compliance with regulatory requirements, mitigate risks, avoid losses, increase productivity, reduce resources used to manage transaction risks, reduce costs associated with hardware, databases, and software, reduce IT maintenance workload, and increase overall profit margins.

[0078] In one aspect of this disclosure, the computer system includes comparing the transaction patterns of a customer (or a group of customers) with known money laundering transaction patterns to detect suspicious money laundering activity. If a match is found, potential money laundering activity may have been detected.

[0079] For example, many criminals know that if they commit more than [a certain crime] on the same day If $10,000 in cash is deposited into a bank account, the bank must file a Cash Transaction Report (CTR) with the U.S. government. To avoid CTR filings, criminals often break up a large cash deposit into multiple smaller cash deposits, each occurring on a different date and each deposit being less than [amount missing]. 10,000. This transaction pattern, known as "structuring," is a known money laundering transaction pattern, and computer systems can detect this type of transaction pattern. Many other types of transaction patterns are known to be money laundering patterns. Computer systems can be designed to detect each of these known money laundering transaction patterns. As a result, money laundering activity can be detected based on the transaction patterns of one or more suspects, even without any change in behavior.

[0080] In one aspect of this disclosure, BSA officers (or responsible persons) investigate detected cases to determine whether the case is a genuine money laundering case. In another aspect of this disclosure, BSA officers also review all historical cases associated with the suspect(s) in the currently detected case. In one aspect of this disclosure, if BSA officers agree that such transactions are suspicious activity, a computer system assists BSA officers in submitting a SAR to FinCEN. In another aspect of this disclosure, if BSA officers decide not to submit a SAR, the BSA officers enter reasons into the computer system to justify their decision not to report such detected activity.

[0081] In another aspect of this disclosure, a group of customers sharing one or more common risk factors (or characteristics) is compared together to detect suspicious money laundering activities. These risk factors (or characteristics) include business type, business model, organizational structure, size, location, products, services, occupation type, and position. If a customer's trading activities (e.g., trading patterns, volume, frequency, tendency, number of transactions, transaction amount, transaction derivatives, etc.) differ from those of other customers, that customer may have engaged in suspicious money laundering activities. In one aspect of this disclosure, statistics such as mean, variance, and standard deviation of the group of customers are used to facilitate such comparisons. Similarly, if a customer behaves differently from other customers with the same set of risk factors (or characteristics), that customer may have engaged in suspicious money laundering activities. As a result, suspicious money laundering activities can be detected even if there are no behavioral changes in any account.

[0082] Sometimes, comparing a group of customers together is not straightforward. For example, an MSB with 100 branches may have significantly more cash activity than another MSB with only two branches. In one aspect of this disclosure, to achieve more efficient comparisons, it is useful to compare some derivatives (e.g., ratios of several figures) rather than the original raw data. For example, a ratio could be “total cash withdrawals from the bank divided by the total number of checks deposited into the bank.” In this example, the number of deposited checks can be used to measure the size of the MSB’s check cashing business. Therefore, the ratio “total cash withdrawals divided by the total number of checks deposited” is based on check cashing activity, essentially scaling the check cashing business of an MSB with 100 branches to approximately the same level as that of an MSB with only two branches, allowing for comparisons on a more concise basis.

[0083] Many other derivatives can be used to achieve better comparisons. Generally, derivatives used for more effective comparisons may include “the first variable of interest divided by a second variable measuring the size of the enterprise (or business).” Examples of possible derivatives include “total ACH outgoing transaction amount divided by the total number of deposited checks,” “total wire transfer outgoing transaction amount divided by the total number of deposited checks,” “total number of prepaid cards issued divided by the total number of deposited checks,” “total ACH outgoing transaction amount divided by the total number of branches,” “total wire transfer outgoing transaction amount divided by the total number of branches,” “total number of prepaid cards issued divided by the total number of branches,” and so on. In one aspect of this disclosure, other forms of mathematical transformations, in addition to the ratios described above, also create derivatives.

[0084] In one aspect of this disclosure, a computer system compares derivatives of a specific customer with derivatives of a group of customers (e.g., similar types of businesses or professions) that share one or more common risk factors (or characteristics) with that specific customer. If the derivatives of the specific customer deviate significantly from the derivatives of the group of customers, the specific customer may have engaged in suspicious money laundering activities. In one aspect of this disclosure, statistical analyses such as mean, variance, and standard deviation of the group of customers are used to facilitate such comparisons.

[0085] In one aspect of this disclosure, the computer system uses a number of different risk factors to determine the money laundering risk of each client of a financial institution. These risk factors may include, for example, industry, client category, client business type, client geographic region, client country of address, nature of client business, type of business products, type of business services, business structure, client occupation, nationality, history (including compliance records such as the number of cash transaction reports, the number of suspicious activity reports, matching with the OFAC list, matching with the 314(a) list, matching with the list of politically active persons, special designation of compliance items, etc.), type of transactions conducted, account balance, inflows of funds, outflows of funds, transaction patterns, number of transactions, transaction amount, transaction volume, transaction frequency, transaction derivatives, transaction location, transaction time, transaction country, remitter of transfer transactions, remitter location, remitter country, remitter nature, recipient of transfer transactions, recipient location, recipient country, recipient nature, relationship, social status, political exposure, historical transactions, etc. In fact, thousands of risk factors can be considered to determine a client's money laundering risk. For the purposes of this disclosure, "risk factors" are also referred to as "representative elements of the risk dimension" or simply "risk dimension".

[0086] According to various aspects of this disclosure, each attribute of a customer that can influence customer risk is a risk factor. Additionally, each characteristic of a customer that can influence customer risk can be a risk factor. Furthermore, each type of activity of a customer that can influence customer risk is a risk factor. Risk factors may also be affected by other risks, such as a piece of information related to the customer, each type of transaction by the customer, and / or each transaction pattern of the customer. Each risk factor is assigned a risk value.

[0087] In a configuration, each level of the same type of risk is a risk factor and is assigned a risk score. For example, the total amount of cash transactions over a 30-day period can be used to measure the level of risk associated with money laundering. For instance, we can define the level (or degree) of total cash transactions over a 30-day period as starting from... 0 to 5,000, risk score of 10; total cash transaction amount level (or total cash transaction amount severity) from 5,001 to 50,000, risk score of 50; total cash transaction amount level (or total cash transaction amount severity) from 50,001 to 250,000, risk score of 100; total cash transaction amount level (or total cash transaction amount severity) from 250,001 to 1,000,000, risk score of 200; total cash transaction amount level (or total cash transaction amount severity) from 1,000,001 to 10,000,000, with a risk score of 500; and for the total cash transaction amount level (or total cash transaction amount grade) of... For amounts of 10,000,000 and above, the risk score is 1,000. In this example, there are [cases] during a 30-day period. People with a total cash transaction amount of 60,000 were categorized as "in 50,001 and Amounts between 250,000 and 100% risk score.

[0088] The term "cash transaction amount" is used for illustrative purposes only. Other considerations, such as the quantity of cash transactions and the growth rate of cash transactions, can also be used to measure the level of risk associated with money laundering. In addition to cash, other financial transactions such as checks, wire transfers, ATMs, ACH, virtual currencies, virtual securities, virtual notes, credit cards, debit cards, prepaid cards, financial instruments, and bank transfers can also be used to measure the level of risk associated with money laundering. Those skilled in the art can easily identify numerous risk factors based on the examples above.

[0089] In one aspect of this disclosure, the risk score-based scenario is based on customer data. Each piece of information about a customer is a risk factor and is assigned a risk score. Additionally or alternatively, the risk score-based scenario is based on transaction data. Each amount level (e.g., amount scale) of a certain type of transaction is a risk factor and is assigned a risk score.

[0090] In one aspect of this disclosure, customer data is associated with one or more of the following: customer's industry category, customer's business type, customer's geographic region, customer's country of address, customer's business nature, business product type, business service type, business structure, customer's occupation, customer's nationality, historical records, type of transactions, account balance, cash inflows, cash outflows, transaction patterns, transaction quantity, transaction amount, transaction volume, transaction frequency, transaction derivatives, transaction location, transaction time, transaction country, remitter of transfer transactions, remitter's location, remitter's country, remitter's nature, recipient of transfer transactions, recipient's location, recipient's country, recipient's nature, relationship, social status, political exposure, historical transactions, number of Suspicious Activity Reports (SARs) filed against money laundering and terrorist financing, category of the primary financial institution, type of the primary financial institution, geographic region of the primary financial institution, country of the primary financial institution's headquarters, business nature of the primary financial institution, age of the person, gender of the person, income level of the person, appearance of the person, judgment of the person, personal circumstances of the person, etc. Family situation, family members, family member status, friends, friends status, history, industry category, geographic region, country of address, occupation, type of work, education level, income level, length of service in current job, performance appraisal records, work history, duration of each job in work history, reason for termination of each job in work history, age, gender, personal situation, family situation, family members, family member status, friends status, history, type of work performed, number of transactions performed, transaction amount, maximum transaction amount, number of transactions with a specific counterparty, transaction amount with a specific counterparty, number of key record changes, number of key record changes associated with a specific counterparty, geographic region of employee's home, geographic region of employee's office, country of address, customer due diligence results, length of account history, number of transactions matching the name of a gambling organization, or combinations thereof.

[0091] In one aspect of this disclosure, transaction data is associated with one or more of the following: cash, checks, wire transfers, ATMs (automatic teller machines), ACH (automated clearinghouses), virtual currencies, virtual securities, virtual notes, credit cards, debit cards, prepaid cards, electronic funds transfers, wire transfers, financial instruments, letters of credit, banknotes, securities, commercial paper, commodities, precious metals, account opening, account closing, account applications, deposits, withdrawals, cancellations, balance checks, inquiries, crediting, debiting, or combinations thereof.

[0092] In one aspect of this disclosure, each risk factor is assigned a risk score, and a customer is assigned a total risk score, which is the sum of the risk scores of all risk factors associated with that customer. This process of generating a total risk score for each customer may be referred to as risk scoring. This total risk score is used to determine the level of risk associated with that customer. Summation is used as an example in this disclosure. In fact, many other types of mathematical transformations can be used to achieve similar effects.

[0093] In one aspect of this disclosure, each risk factor is assigned a risk score, and a customer is assigned a total risk score, which is a value derived from a mathematical transformation of all risk scores of the risk factors associated with that customer.

[0094] As explained earlier, unlike in cases of fraud, higher-risk clients may not be suspected of money laundering or terrorist financing. The high-risk aspect may simply reflect the nature of the client. For example, MSBs, pawnshops, car dealerships, pilots, and flight attendants are often classified as higher-risk clients for anti-money laundering and counter-terrorism financing purposes; however, this does not necessarily mean that these clients are engaged in money laundering or terrorist financing.

[0095] However, because a customer has a high risk score, that customer can be closely monitored, and different monitoring methods can be applied. Therefore, in one aspect of this disclosure, the customer's total risk score is used to determine the monitoring method to be applied to monitor that customer. If the customer's total risk score is high, a more intensive monitoring method is applied. If the customer's total risk score is low, a more lenient monitoring method is applied.

[0096] In other words, in one aspect of this disclosure, a customer's total risk score is not used to determine whether the customer is suspicious. Instead, the customer's total risk score is used to select an algorithm or set of algorithms for monitoring that customer.

[0097] Sometimes, customers with very high risk scores may be suspicious. Therefore, in one aspect of this disclosure, if a customer's total risk score exceeds a predefined value, an alert will be triggered regarding that customer, allowing investigators to investigate the potential case. The predefined value can be set by software modules, system designers, system regulators, system users, or a combination thereof.

[0098] In one aspect of this disclosure, a group of customers with the same risk factors can be compared together. For example, we can compare all customers who are flight attendants together. In one aspect of this disclosure, if a particular flight attendant's total risk score is significantly higher than a reference value derived from the total risk scores of all flight attendants, that particular flight attendant may have engaged in some suspicious money laundering activities. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values.

[0099] Statistical methods can also be applied to facilitate the detection of suspicious activity. For example, the mean, variance, and standard deviation can be derived from the total risk scores of all customers who are flight attendants. In one aspect of this disclosure, if a particular flight attendant's total risk score is more than four times the standard deviation above the mean of the total risk scores of all flight attendants, that particular flight attendant may have engaged in suspicious activity.

[0100] The "4 times" mentioned above is merely an example. The number "4" can be any number, such as 3.75, 4.21, 10, etc. In one aspect of this disclosure, if a particular flight attendant's total risk score is more than x times the standard deviation of the average total risk scores of all flight attendants, then that particular flight attendant may have engaged in suspicious money laundering activities, where x is a number assigned by a BSA officer (or head). This statistical method can be applied whenever group comparisons are used.

[0101] Flight attendants are merely one example used to illustrate a method for detecting suspicious money laundering activity among a set of entities. In practice, many other risk factors can be used for similar purposes. Because tens of thousands of risk factors exist, in one aspect of this disclosure, the computer system allows the user to select any risk factor to identify all customers with the same risk factor. In one aspect of this disclosure, if a particular customer has a total risk fan that is significantly higher than a reference value derived from the total risk score of other customers with the same risk factor, then that particular customer may have engaged in suspicious money laundering activity. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values.

[0102] Instead of a single risk factor, a set of risk factors can be used. In fact, a set of risk factors can improve the accuracy of detection results. For example, in addition to the risk factor of occupation (e.g., flight attendant), the destination country of the flights the flight attendant works on can be another useful risk factor for detecting money laundering risks. For instance, a flight attendant working on a flight between New York and Chicago may have different activities than another flight attendant working on a flight between Miami and Mexico City. Comparing a subgroup of flight attendants working on a flight between Miami and Mexico City may be more accurate. In this example, both occupation and the destination city of the flights are considered as risk factors to improve the accuracy of the detection.

[0103] In one aspect of this disclosure, a set of risk factors is used to identify a group of entities. If a particular entity has a significantly higher total risk score than a reference value derived from the total risk scores of all entities with the same set of risk factors, that particular entity may have engaged in suspicious money laundering activities. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values. To simplify calculations, standard set statistics (such as mean, variance, standard deviation, etc.) that can be easily calculated using existing software development tools can be derived to facilitate such comparisons between a group of entities. As a result, a computer system can detect suspicious money laundering activities based on the methods described above, even if there is no behavioral change in any account.

[0104] Sometimes, it can be helpful to exclude certain entities from the group comparison process because such entities are very different from the others. In one aspect of this disclosure, a computer system allows a user to select certain entities that will not be included in the group comparison process.

[0105] Detecting flight attendants as having suspicious money laundering activities is just one example. Similar methods can be applied to many other different situations. For example, it is often very difficult for banks or credit unions to detect money services business (MSB) clients as having suspicious money laundering activities or financing terrorist activities because MSBs have many transactions every day, and a money laundering transaction can be hidden among many other normal transactions.

[0106] In one aspect of this disclosure, additional risk factors (e.g., proximity to the Mexican border) are used to identify a group of MSBs sharing the same set of risk factors, in addition to the primary risk factor—business type. If a particular MSB has a risk score higher than a reference value derived from the total risk score of all MSBs sharing the same set of risk factors, that particular MSB may have been involved in suspected money laundering activities. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values. Similarly, standard group statistics (such as mean, variance, standard deviation, etc.) can be derived to facilitate such comparisons between a group of MSBs.

[0107] Sometimes, comparing a group of MSBs is not easy because they may have different types of businesses and different sizes. In one aspect of this disclosure, part-time and full-time MSBs are given two different risk factors because they may have different business characteristics. In another aspect of this disclosure, each of the different types of MSB products and / or services is given a risk factor. For example, each of transfers, check cashing, currency exchange, prepaid card management, etc., is given a risk factor, even though they can all be provided by the same MSB. In one aspect of this disclosure, a set of risk factors that precisely defines the type of product and / or service is used to identify risks.

[0108] In one aspect of this disclosure, adjusting certain risk factors based on business size makes group comparisons more effective. For example, the total cash transaction amount of an MSB with 50 branches can naturally be five times that of another MSB with 10 branches. Sometimes, for group comparisons, risk factors affected by business size can be adjusted to take business size into account. For example, for an MSB with 50 branches, its total cash transaction amount over 30 days can be divided by 50 to establish adjusted risk factors and risk scores for group comparisons. Branches are used here as an example to measure business size. Other information such as the number of customers, transaction volume, number of employees, and asset size can also be used to measure business size.

[0109] In one aspect of this disclosure, a risk factor set adjusted for business size (e.g., adjusted risk factors) is used to identify a group of entities having that adjusted risk factor set. The risk score of the adjusted risk factors is referred to as the adjusted risk score. If a particular entity has a significantly higher total adjusted risk score than a reference value derived from the total adjusted risk scores of all entities having the same set of adjusted risk factors, that particular entity may have engaged in suspicious money laundering activities. Reference values ​​include mean, median, average, mode, weighted average, and / or other statistical values. Generally, in one aspect of this disclosure, the detection algorithm that includes risk factors in the detection algorithm can also be modified to include adjusted risk factors in the detection algorithm. The detection algorithm that includes risk scores in the detection algorithm can also be modified to include adjusted risk scores in the detection algorithm.

[0110] To simplify calculations, standardized group statistics (such as mean, variance, standard deviation, etc.) based on adjusted risk factors and adjusted risk scores can be derived to facilitate such comparisons between a group of entities. As a result, even if there are no behavioral changes in any account, the computer system can still detect suspicious money laundering activities based on the methods described above.

[0111] Because MSBs can have different transaction activities than other types of businesses, monitoring MSBs based on their unique transaction activities is more effective. Therefore, in one aspect of this disclosure, different sets of detection algorithms can be used to monitor entities with different sets of risk factors. In one aspect of this disclosure, the risk factor set is used to identify a group of entities possessing that risk factor set, and a specific set of detection algorithms can be used to detect suspicious money laundering activities within that group of entities. In other words, a set of detection algorithms is selected to monitor that group of entities based on the risk factor set associated with it.

[0112] In another aspect of this disclosure, a risk factor set is adjusted based on the scale of the business, and this risk factor set is used to identify a group of entities sharing the adjusted risk factor set, while a specific set of detection algorithms is used to detect suspicious money laundering activities within that group of entities. In other words, a set of detection algorithms is selected to monitor that group of entities based on the adjusted risk factor set associated with them.

[0113] Sometimes, it makes sense to monitor higher-risk entities more closely than to monitor lower-risk entities. Therefore, different sets of detection algorithms are used to monitor different entities with different risk levels. In one aspect of this disclosure, the set of detection algorithms is selected to monitor the entity based on its total risk score. In another aspect of this disclosure, the set of detection algorithms is selected to monitor the entity based on its total adjusted risk score, wherein the total adjusted risk score is obtained from the risk scores of adjusted risk factors.

[0114] In one aspect of this disclosure, once an MSB is detected as potentially involved in money laundering activity, the computer system can identify transactions (or a group of transactions) that give the detected MSB a higher total risk score than a reference value derived from the total risk score of all MSBs. Reference values ​​include mean, median, average, mode, weighted average, and / or other statistical values.

[0115] Similarly, once an MSB is detected as potentially involved in money laundering activity, the computer system identifies transactions (or a group of transactions) that give the detected MSB a higher total adjusted risk score than a reference value derived from the total adjusted risk score of all MSBs. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values. As a result, money laundering transactions (or a group of money laundering transactions) can be identified using this method. This method for identifying specific transactions (or a group of transactions) with higher risk scores (or higher adjusted risk scores) can be used for other types of clients, not just MSBs.

[0116] In a conventional sense, a higher risk score implies higher risk. However, there are no rules prohibiting individuals or businesses from defining a lower risk score for higher risk. To avoid confusion, the descriptions in this disclosure are based on the convention that a higher risk score implies higher risk. Furthermore, risk scores can be negative. Based on this convention, a negative risk score implies reduced risk.

[0117] As mentioned above, MSB is just one example. Other types of businesses, such as pawnshops, car dealerships, etc., can be monitored in a similar manner. As a result, even if there are no behavioral changes in any account, suspicious money laundering activities can be detected using various methods, including risk factors, risk scores, adjusted risk factors, adjusted risk scores, total risk scores, and total adjusted risk scores.

[0118] In fact, government or non-governmental organizations such as the OCC, FDIC, FRB, NCUA, FinCEN, SEC, and FINRA can monitor financial institutions, such as banks, credit unions, insurance companies, and stockbrokers, using methods similar to those described above for monitoring MSBs. For this monitoring purpose, different risk factors, risk scores, adjusted risk factors, and adjusted risk scores can be defined.

[0119] In one aspect of this disclosure, the computer system uses numerous different risk factors to determine whether a financial institution complies with regulatory requirements to submit SARs (Special Reports) to report money laundering and terrorist financing cases. These risk factors may include, for example, the number of SARs submitted for money laundering and terrorist financing cases, the type of financial institution, the type of enterprise of the financial institution, the geographic region of the financial institution, the country of the financial institution's headquarters, the nature of the financial institution's enterprise, the type of products the enterprise offers, the type of services the enterprise provides, the enterprise structure, the financial institution's customer profile, historical records, the type of transactions conducted, fund inflows, fund outflows, transaction patterns, transaction quantity, transaction amount, transaction volume, transaction frequency, transaction derivatives, transaction location, transaction time, transaction country, the remitter of the transfer transaction, the remitter's location, the remitter's country, the nature of the remitter, the recipient of the transfer transaction, the recipient's location, the recipient's country, the nature of the recipient, relationships, the customer's social status, the customer's political exposure, the remitter's political exposure, the recipient's political exposure, historical transactions, etc. In fact, thousands of risk factors can be considered to determine the compliance risk of a financial institution.

[0120] In one aspect of this disclosure, the number of branches is used to adjust risk factors and risk scores. In another aspect of this disclosure, asset size is used to adjust risk factors and risk scores. Many other factors may also be used to adjust risk factors and risk scores. In this current example, the risk factor "number of SARs submitted" may have a negative value because the more SARs a financial institution submits, the less likely it is to fail to submit SARs.

[0121] In one aspect of this disclosure, a risk factor set is adjusted based on business size, and this risk factor set is used to identify a group of banks having the adjusted risk factor set. If a particular bank has a significantly higher total adjusted risk dispersion than a reference value derived from the total adjusted risk scores of all banks having the same adjusted risk factor set, that particular bank may not be fulfilling its compliance obligations to detect and report suspected money laundering and / or terrorist financing activities. Reference values ​​include mean, median, average, mode, weighted average, and / or other statistical values. To simplify calculations, standard group statistics (such as mean, variance, standard deviation, etc.) can be derived to facilitate such comparisons between a group of entities.

[0122] Furthermore, different detection algorithms can be used to monitor different banks with different sets of risk factors. In one aspect of this disclosure, a risk factor set is used to identify a group of banks that have that risk factor set, and a specific set of detection algorithms is used to detect potential negligence by that group of banks in compliance matters. Therefore, in one aspect of this disclosure, a set of detection algorithms is selected for monitoring that group of banks based on the risk factor set associated with it.

[0123] In another aspect of this disclosure, a risk factor set is adjusted based on the size of the business, and this risk factor set is used to identify a group of banks with the adjusted risk factor set, and a specific set of detection algorithms is used to detect potential negligence by this group of banks in compliance matters. In other words, a set of detection algorithms is selected to monitor this group of banks based on the adjusted risk factor set associated with them.

[0124] Although banks were used in the examples above, the same set of methods can be used to monitor credit unions, stockbrokers, insurance companies, other financial institutions, and other types of businesses. Furthermore, the scope of monitoring is not limited to compliance with anti-money laundering and counter-terrorism financing matters. In fact, all types of matters concerning all types of businesses can be monitored by the methods described in this disclosure by appropriately defining risk factors, risk scores, adjusted risk factors, adjusted risk scores, and detection algorithms associated with such matters.

[0125] MSBs also face pressure from numerous laws and regulations. However, unlike banks or credit unions, MSBs don't truly know who their clients are. A typical MSB provides monetary services to any client who walks into its office. Even if an MSB collects identity information from all its clients, it may still be unable to properly identify money laundering activities. For example, it's possible for a client to use their Mexican passport in the morning to make a cash payment to an MSB. A $7,000 transfer transaction, and in the afternoon, he used his California driver's license to make another transaction by paying the same amount in MSB cash. The $8,000 transfer transaction. Because two identity documents were used, the same customer may be considered two different people. MSB may be unable to file a cash transaction report as required by law because the same customer has provided more than [amount missing]. 10,000 in cash. If the MSB has multiple branches, the situation becomes even more complicated, as the same customer can walk into different branches to conduct transactions based on different identity documents.

[0126] In one aspect of this disclosure, the computer system compares the names, telephone numbers, addresses, dates of birth, etc., of all customers who transact with the MSB to identify all transactions that may have been made by the same customer. After identifying all transactions associated with a customer, the computer system can detect suspicious money laundering activities associated with that customer based on the transactions associated with that customer.

[0127] In one aspect of this disclosure, BSA officers (e.g., personnel assigned to investigative missions) investigate detected cases to determine whether the case is a genuine money laundering case. BSA officers also review all historical cases associated with the client of the newly detected case. If the BSA officer agrees that the detected case is a suspected money laundering case, a computer system assists the BSA officer in submitting a SAR to FinCEN. If the BSA officer decides not to submit a SAR, the BSA officer enters the reasons into the computer system to justify their decision not to report the detected case.

[0128] Sometimes, because corresponding bank A and corresponding bank B do not have a direct banking relationship, a bank receives a wire transfer from a client of corresponding bank A and then re-transfers the transfer to another client of corresponding bank B. This often happens during international wire transfers because banks in two different countries may not have a direct banking relationship. This type of wire transfer is usually called an intermediary wire transfer.

[0129] Banks providing intermediary wire transfer services are exposed to very high money laundering risks because neither the remitter nor the recipient of the transfer is a client of the bank. Furthermore, the bank may not know the true background of the remitter and recipient. It is possible for the remitter to be a terrorist financier and the recipient to be a terrorist. Banks handling intermediary wire transfer services may inadvertently become conduits for money laundering and terrorist financing.

[0130] In one configuration of this disclosure, the computer system compares the names, addresses, countries, telephone numbers, email addresses, etc., of all remitters and recipients of intermediary wire transfers and identifies transactions associated with each remitter and each recipient. In one aspect of this disclosure, if the computer system detects an unusually large number of wire transfers from the same remitter, the remitter and recipient may be involved in money laundering or terrorist financing activities. If the computer system detects an unusually large total amount of wire transfers from the same remitter, the remitter and recipient may be involved in money laundering activities.

[0131] Similarly, if a computer system detects unusually large wire transfers to the same recipient, the recipient may be involved in money laundering or terrorist financing activities. If a computer system detects unusually large total wire transfer amounts to the same recipient, both the sender and recipient may be involved in money laundering activities.

[0132] If a computer system detects an unusually large amount of wire transfers from the same remitter to the same recipient, both the remitter and the recipient may be involved in money laundering or terrorist financing activities. Similarly, if a computer system detects an unusually large total amount of wire transfers from the same remitter to the same recipient, both the remitter and the recipient may be involved in money laundering or terrorist financing activities.

[0133] In one aspect of this disclosure, BSA officers investigate such detected cases to determine whether the case is a genuine money laundering case. BSA officers also review all historical cases associated with suspects in newly detected cases. If BSA officers agree that suspicious money laundering activity exists, a computer system assists BSA officers in submitting a SAR to FinCEN. If BSA officers decide not to submit a SAR, they enter reasons into the computer system to justify their decision not to report such detected activity.

[0134] With a large percentage of the population rapidly aging, some states have recently enacted Elder Abuse Reporting Acts (EARAs) to protect seniors who are unable to protect themselves. Often, seniors may hand over money to perpetrators because they have been deceived. Therefore, financial institutions are training frontline staff to identify and report potential cases of elder abuse. However, this human-based approach is ineffective because transactions can be conducted remotely, and perpetrators can cleverly conceal their activities. Furthermore, human staff are prone to errors and mistakes. Relying on human workers to detect and report elder abuse is not efficient.

[0135] For many businesses, their customers' birth date information is stored in a database. In one aspect of this disclosure, a computer system collects birth date information and identifies elderly individuals older than a predefined age. The computer system monitors all transactions of these elderly individuals and detects any changes in their activities.

[0136] For example, if an unusually large sum of money is transferred from an elderly person's account, the financial institution may want to investigate the purpose of the transfer. In one aspect of this disclosure, if an unusually large check is deposited into an elderly person's account, the financial institution may want to investigate whether the elderly person was given a counterfeit check in exchange for real money or assets. If there are unusual transaction patterns (e.g., unusual frequency or volume) in an elderly person's account, the financial institution may want to investigate multiple transactions. If an elderly person's account balance is rapidly decreasing, the financial institution may want to investigate transactions associated with that account.

[0137] In one aspect of this disclosure, the previously described risk factors, risk scores, adjusted risk factors, adjusted risk scores, total risk scores, total adjusted risk scores, statistical methods, and selection of detection algorithms can be applied to detect potential cases of elder abuse. Because elder abuse differs from money laundering, different sets of risk factors and risk scores can be used for elder abuse detection. For example, these risk factors may include: the person's age, gender, income level, appearance, judgment of the person, personal circumstances, family situation, family members, family member status, friends, friends' status, historical records, industry, geographic region, country of address, occupation, nationality, type of transactions, account balance, cash inflows, cash outflows, transaction patterns, transaction quantity, transaction amount, transaction volume, transaction frequency, transaction derivatives, transaction location, transaction time, transaction country, remitter, remitter's location, remitter's country, remitter's nature, recipient, recipient's location, recipient's country, recipient's nature, relationship, social status, political exposure, and historical transactions. In fact, thousands of risk factors can be considered to determine someone's risk of elder abuse.

[0138] For example, in one aspect of this disclosure, risk factors are used to identify a group of elderly people sharing the same risk factors. If a particular elderly person has a total risk dispersion higher than a reference value derived from the total risk score of all elderly people sharing the same risk factors, that particular elderly person may be a potential victim of elder abuse. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values. In another aspect of this disclosure, a set of risk factors is used to identify a group of elderly people sharing that set of risk factors. If a particular elderly person has a total risk dispersion higher than a reference value derived from the total risk score of all elderly people sharing the same set of risk factors, that particular elderly person may be a potential victim of elder abuse. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values.

[0139] To simplify calculations, standard group statistics (such as mean, variance, standard deviation, etc.) can be derived to facilitate such comparisons between a group of entities. As a result, even if there are no behavioral changes in the account, the computer system can still detect potential cases of elder abuse based on the methods described above.

[0140] Often, companies may have a compliance officer responsible for all regulatory compliance matters. In one aspect of this disclosure, investigators (e.g., compliance officers) investigate detected cases to determine if actual elder abuse has occurred. The compliance officer also reviews all historical cases associated with the elder in the newly detected case. If the compliance officer agrees that the case may be elder abuse, a computer system assists the compliance officer in reporting the detected case. If the compliance officer decides not to report the detected case, the compliance officer enters reasons into the computer system to justify their decision not to report the detected case.

[0141] Under the Sarbanes-Oxley Act (SOX), certain companies (e.g., publicly traded companies) are required to implement internal control oversight to prevent employee fraud. Traditionally, such oversight has been performed by human workers (e.g., auditors) who spend several months each year auditing a company's financial records. This human-based approach is ineffective because human workers are prone to errors and mistakes. Furthermore, because auditing financial records is so time-consuming, crime prevention may be delayed.

[0142] In one aspect of this disclosure, the computer system monitors general ledger items and detects any unusual patterns (e.g., unusual frequency, amount, growth rate, etc.) related to the general ledger items to identify suspicious internal fraudulent activities. For example, if the travel expense general ledger item suddenly increases by 500% this month compared to the past twelve months, some employees may have abused their rights and caused the unusual expense.

[0143] In one aspect of this disclosure, the computer system compares the current value of a general ledger item with a reference value derived from historical values ​​of the same general ledger item over the past x months, where the value x is predefined. If the current value differs significantly from the reference value, some employees may have committed fraud. References include the mean, median, average, mode, weighted average, and / or other statistical values. Further investigation can be conducted to determine why the general ledger item value deviates from its historical value.

[0144] In another aspect of this disclosure, the computer system compares an employee's current activity with their historical activity to detect any changes. For example, if a loan officer issues an unusually large number of loans each month compared to historical monthly figures, that loan officer's activity may be suspicious. Similarly, if a loan officer issues loans with an unusually large amount compared to historical monthly totals, that loan officer's activity may be suspicious.

[0145] Often, activity can be measured by values ​​known as activity values. For example, a loan officer's activity can be measured by: number of loans, maximum loan amount, total loan amount, average loan amount per transaction, number of loans to the same customer, number of changes in loan records, frequency of changes in loan records for the same customer, loan type, etc. A bank teller's activity can be measured by: total number of transactions, total transaction amount, maximum transaction amount, average transaction amount per transaction, transaction type, number of customers who have business with the teller, average number of transactions per customer, number of transactions with the same customer, number of changes in customer records, frequency of changes in customer records for the same customer, frequency of changes in customer records, etc. In one aspect of this disclosure, the computer system compares the current value of an activity with a reference value derived from historical values ​​of the same activity. When the current value is significantly larger than the reference value, the person performing the activity may have committed fraud. Further investigation can be conducted to determine whether the person actually committed fraud. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values.

[0146] In one aspect of this disclosure, the computer system compares an employee's activities with those of other employees in the same organization who have the same responsibilities. For example, if a teller (or loan officer, etc.) behaves very differently from other tellers (or loan officers, etc.) in the same branch, that teller (or loan officer, etc.) may have engaged in some suspicious activities.

[0147] In one aspect of this disclosure, the computer system compares the activity value of a specific employee with a reference value derived from the activity values ​​of all employees performing the same activities as that specific employee. When the activity value of that specific employee deviates significantly from the reference value, that specific employee may have committed fraud. Further investigation can be conducted to determine whether the employee actually committed fraud. The reference value includes the mean, median, average, mode, weighted average, and / or other statistical values.

[0148] When comparing an employee to a group of employees, the statistical methods used in the previously described example of flight attendants can be applied. For example, a comprehensive set of risk factors associated with an employee can be identified, and a risk score can be assigned to each risk factor. As a result, each employee has a total risk score obtained from a mathematical transformation (e.g., summation) of all the risk scores associated with that employee.

[0149] The set of risk factors used to detect employee-related fraud may differ from the set of risk factors used to detect other types of suspicious activity, such as money laundering. For example, risk factors used to detect employee fraud may include: the employee's job type, education level, income level, length of service at current job, performance appraisal records, work history, duration of each job in the work history, reason for termination of each job in the work history, age, gender, personal circumstances, family situation, family members, family member circumstances, friend circumstances, employee history, type of work performed, number of transactions performed, transaction amount, maximum transaction amount, number of transactions with a specific counterparty, and other relevant information. The risk factors include the transaction amount, the number of changes in key records, the number of changes in key records associated with a specific counterparty, the geographical location of the employee's home, the geographical area of ​​the employee's office, the country of the employee's address, nationality, type of transactions, account balance, fund inflows, fund outflows, transaction patterns, transaction quantity, transaction amount, transaction volume, transaction frequency, transaction derivatives, transaction location, transaction time, transaction country, remitter of transfer transactions, remitter's location, remitter's country, remitter's nature, recipient of transfer transactions, recipient's location, recipient's country, recipient's nature, relationship, social status, political exposure, and historical transactions. In fact, numerous risk factors can be considered to determine employee fraud risk. In one aspect of this disclosure, different sets of risk factors can be used to detect different types of suspicious activity.

[0150] In one aspect of this disclosure, when a particular employee's total risk score is significantly higher than the average of the total risk scores of all employees with the same risk factors as that particular employee, that particular employee may have engaged in suspicious activity. This significant difference can be set based on multiple standard deviations or other reference values.

[0151] Multiple risk factors can be used instead of a single risk factor to improve the accuracy of detection results. In one aspect of this disclosure, if a particular employee's total risk score is significantly higher than the average of the total risk scores of all employees with the same set of risk factors as that particular employee, then that particular employee may have engaged in some suspicious activity. In one example, this significant difference is set based on multiple standard deviations or other reference values.

[0152] In fact, by identifying risk factors associated with a set of entities and appropriately assigning risk scores to each risk factor, the statistical method of identifying suspicious activities of a particular entity based on the total risk score of each entity can be applied to many other situations besides money laundering, terrorist financing, and employee fraud.

[0153] In one aspect of this disclosure, numerous risk factors are associated with a set of entities. A risk score can be assigned to each of the risk factors. A total risk score can be given to each entity based on mathematical transformations such as summation. Other possible mathematical transformations include, but are not limited to: multiplication, division and subtraction, sum of squares, square of sums, combinations of the above methods, and other similar methods for combining risk scores.

[0154] In one aspect of this disclosure, when the total risk score of a particular entity is higher than the average of the total risk scores of all entities having the same risk factors as that particular entity by a predefined amount, that particular entity may have engaged in some suspicious activity. This predefined amount can be set based on multiple standard deviations or other reference values.

[0155] In another aspect of this disclosure, if the total risk score of a particular entity is higher than the average of the total risk scores of all entities having the same set of risk factors as that particular entity by a predefined difference, then that particular entity may have engaged in some suspicious activities.

[0156] In one aspect of this disclosure, a computer system identifies a transaction (or set of transactions) that has resulted in a particular entity having a higher total risk dispersion than the average of the total risk scores of all entities. Such a transaction (or set of transactions) may be suspicious activity.

[0157] The statistical methods described are just one approach to managing risk. Many other group comparison methods can also be used. Furthermore, suspicious activity may not be limited to illegal or prohibited activities. An activity becomes suspicious because it differs from normal activity. The activity may be harmless or even well-intentioned. Therefore, investigation is often required to make a final determination on whether to report detected cases.

[0158] In one aspect of this disclosure, the supervisor investigates newly detected cases to determine whether the case is illegal. The supervisor also reviews all historical cases associated with the suspect(s) in the newly detected case. When the supervisor agrees that a detected case is illegal, the computer system assists the supervisor in reporting the detected case. When the supervisor decides not to report a detected case, the supervisor enters reasons into the computer system to justify their decision not to report the detected case.

[0159] The U.S. Congress passed the Illegal Internet Gambling Enforcement Act (UIGEA) because online gambling can be used as a tool for money laundering and terrorist financing. In response to the Illegal Internet Gambling Enforcement Act, the GG Regulation was created. Under the GG Regulation, financial institutions are required to ask new customers questions during the account opening process regarding whether they will engage in any online gambling activities. Because criminals know that online gambling is illegal, they will lie during the account opening process. As a result, the "asking questions" method defined in the GG Regulation is merely a formality. However, the GG Regulation explicitly states that it does not modify the obligation of financial institutions to file SARs under the Bank Secrecy Act.

[0160] In other words, if a criminal lies during the account opening process and actually engages in illegal online gambling, the financial institution reports the case to FinCEN via SAR. In one aspect of this disclosure, the computer system compares the senders and recipients of all fund transfer transactions over a period of time. If a customer sends large sums of money to a recipient and also receives large sums of money from the same recipient over a period of time, such transactions may represent deposits of bet funds and payments of winnings from gambling activities between online gamblers and online gambling organizations. The computer system detects such cases as potential illegal online gambling offenses. Once a case is detected, further investigation is required.

[0161] In one aspect of this disclosure, when a computer system detects a large volume of transactions involving large sums of US dollars associated with a customer, the computer system identifies the customer as a potential online gambling organization, as online gambling organizations typically handle large sums of money and a large number of clients. The computer system detects such cases as potential illegal online gambling activities. Once a case is detected, further investigation is required.

[0162] In one aspect of this disclosure, the computer system compares a list of known names of online gambling organizations with the senders and recipients of money transfer transactions associated with customers. If a match is found, the customer may be involved in online gambling activities. The computer system detects this case as a possible illegal online gambling case. Once a case is detected, further investigation is required.

[0163] In addition to monitoring the transaction patterns mentioned above, the previously described group comparison method can also be applied to detect potential illegal online gambling activities. In one aspect of this disclosure, all risk factors associated with online gambling are identified. These risk factors may include, for example: the results of customer due diligence, the length of the account history, the customer's industry category, the customer's business type, the number of names matching gambling organizations in transactions, the customer's geographic region, the country of the customer's headquarters, the nature of the customer's business, the type of products the business produces, the type of services the business provides, the business structure, the customer's occupation, nationality, historical records, the type of transactions conducted, account balance, fund inflows, fund outflows, transaction patterns, transaction quantity, transaction amount, transaction volume, transaction frequency, transaction derivatives, refund amount, transaction location, transaction time, transaction country, remitter of transfer transactions, remitter location, remitter country, remitter nature, recipient of transfer transactions, recipient location, recipient country, recipient nature, relationship, social status, political exposure, historical transactions, etc. In fact, many different risk factors can be considered to determine the risks of online gambling. As previously explained in this disclosure, adjusted risk factors may also be used, allowing adjusted risk scores to be applied based on the size of the business.

[0164] In one aspect of this disclosure, risk factors are used to identify a group of customers sharing the same risk factors. A particular customer may be involved in illegal online gambling if they have a higher total risk score than a reference value derived from the total risk scores of all customers sharing the same risk factors. In another aspect of this disclosure, a set of risk factors is used to identify a group of customers sharing that set of risk factors. If a particular customer has a higher total risk score than a reference value derived from the total risk scores of all customers sharing the same set of risk factors, the particular customer may be involved in illegal online gambling. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values. To simplify calculations, standard group statistics (such as mean, variance, standard deviation, etc.) can be derived to facilitate comparisons among a group of customers.

[0165] In one aspect of this disclosure, the responsible party (or BSA officer) investigates a detected case to determine whether it is a genuine online gambling case. The BSA officer also reviews all historical cases associated with the suspect in the newly detected case. When the BSA officer agrees that the detected case is a possible illegal online gambling case, a computer system assists the BSA officer in submitting a SAR to FinCEN. When the BSA officer decides not to submit a SAR, the BSA officer enters the reasons into the computer system to justify their decision not to report the detected case.

[0166] The U.S. Congress has passed the Fair and Accurate Credit Transactions Act (FACT) to protect customers. Specifically, it expects businesses to identify and report identity theft cases. When an identity theft case is detected, financial institutions are also expected to file a Special Action Notice (SAR).

[0167] In one aspect of this disclosure, the computer system monitors customer reports and other available information to detect fraud or active duty alerts included in customer reports, credit freeze notices, and / or address mismatch notices. If a suspicious case of activity is detected, the computer system makes the detected case available for review by the responsible person.

[0168] In one aspect of this disclosure, the computer system monitors customer reports and available information to detect customer reports indicating activity patterns inconsistent with the applicant's or customer's historical and usual activity patterns. For example, a recent and significant increase in inquiry volume, an unusual number of recently established credit relationships, significant changes in credit usage, especially significant changes in credit usage related to recently established credit relationships, or accounts closed by financial institutions or creditors for abuse of account privileges or identified as such may represent unusual patterns. If a suspicious activity case is detected, the computer system makes the detected case available for review by the responsible person.

[0169] In one aspect of this disclosure, the computer system detects whether documents provided for identification appear to have been altered or forged. If a suspicious activity is detected, the computer system makes the detected case available for review by the responsible person.

[0170] In one aspect of this disclosure, the computer system detects whether the photograph or body description on the identification document does not match the appearance of the applicant or customer presenting the identification document. If suspicious activity is detected, the computer system makes the detected case available for review by the responsible person.

[0171] In one aspect of this disclosure, the computer system detects whether other information on the identity document is inconsistent with information provided by the person opening a new account or presenting identity documents. If a suspicious activity case is detected, the computer system makes the detected case available for review by the responsible person.

[0172] In one aspect of this disclosure, the computer system detects whether other information on the identification document is inconsistent with easily accessible information (such as signature cards or recent checks) archived by financial institutions or creditors. If suspicious activity is detected, the computer system makes the detected case available for review by the responsible person.

[0173] In one aspect of this disclosure, the computer system detects whether an application appears to have been altered or forged, or whether it presents an appearance that has been damaged and reassembled. If suspicious activity is detected, the computer system makes the detected case available for review by the responsible person.

[0174] In one aspect of this disclosure, the computer system determines whether the personally identifiable information provided is inconsistent with external information sources used by financial institutions or creditors. For example, the address may not match any address reported by the customer, or the Social Security Number (SSN) may not have been issued or listed in the Social Security Administration's DeathMaster File. If a suspicious case of activity is detected, the computer system makes the detected case available for review by the responsible person.

[0175] In one aspect of this disclosure, the computer system determines whether some personally identifiable information provided by a customer is inconsistent with other personally identifiable information provided by the customer. For example, there may be a lack of correlation between SSN ranges and dates of birth. If a suspicious activity case is detected, the computer system makes the detected case available for review by the responsible person.

[0176] In one aspect of this disclosure, the computer system determines whether the personally identifiable information provided is associated with known fraudulent activity indicated by an internal or third-party source used by a financial institution or creditor. For example, the address on the application may be the same as the address provided on a fraudulent application; or the telephone number on the application may be the same as the number provided on a fraudulent application. If a suspicious activity is detected, the computer system makes the detected case available for review by the responsible person.

[0177] In one aspect of this disclosure, the computer system determines whether the personally identifiable information provided is of the type typically associated with fraudulent activity directed by an internal or third-party source used by a financial institution or creditor. For example, the address on the application may be fictitious, a mailbox, or a jail; or the telephone number may be invalid or associated with a pager or answering service. If a suspicious case of activity is detected, the computer system makes the detected case available for review by the responsible person.

[0178] In one aspect of this disclosure, the computer system determines whether the provided Social Insurance Number is the same as a Social Insurance Number submitted by another account holder or other customer. If a suspicious activity case is detected, the computer system makes the detected case available for review by the responsible person.

[0179] In one aspect of this disclosure, the computer system determines whether the provided address or telephone number is the same as or similar to an account or telephone number submitted by an unusually large number of other account holders or other customers. If a suspicious activity case is detected, the computer system makes the detected case available for review by the responsible person.

[0180] In one aspect of this disclosure, the computer system determines whether the person opening an account has failed to provide all the required personally identifiable information in the application or has failed to provide all the required personally identifiable information in response to a notification of an incomplete application. If a suspicious activity case is detected, the computer system makes the detected case available for review by the responsible person.

[0181] In one aspect of this disclosure, the computer system determines whether the personally identifiable information provided is inconsistent with personally identifiable information filed with a financial institution or creditor. If suspicious activity is detected, the computer system makes the detected case available for review by the responsible person.

[0182] In one aspect of this disclosure, the computer system determines whether the account holder has failed to provide verification information such as answers to challenge questions, which goes beyond information typically available from wallets or customer reports. If suspicious activity is detected, the computer system makes the detected case available for review by the responsible party.

[0183] In one aspect of this disclosure, the computer system determines whether there is any unusual use of the account or suspicious activity related to the account. If a case of suspicious activity is detected, the computer system makes the detected case available for review by the responsible person.

[0184] In one aspect of this disclosure, the computer system determines whether, shortly after an account address change notification, the institution or creditor receives a request for a new, additional, or replacement card or mobile phone, or a request to add an authorized user to the account. If suspicious activity is detected, the computer system makes the detected activity available for review by the responsible party.

[0185] In one aspect of this disclosure, the computer system determines whether new revolving credit accounts are being used in a manner typically associated with known fraud patterns. For example: a significant portion of the available credit is being used for advance cash payments or for goods easily convertible to cash (e.g., electronic devices or jewelry); or a customer fails to make an initial payment or makes an initial payment but does not make subsequent payments. If suspicious activity is detected, the computer system makes the detected cases available for review by the responsible party.

[0186] In one aspect of this disclosure, the computer system determines whether an account is being used in a manner inconsistent with established activity patterns on the account. Examples include: non-payment when there is no history of late or missed payments; a significant increase in the use of available credit; a significant change in payment or consumption patterns; a significant change in electronic funds transfer patterns associated with a deposit account; or a significant change in telephone calling patterns associated with a cellular phone account. If suspicious activity is detected, the computer system makes the detected activity available for review by the responsible party.

[0187] In one aspect of this disclosure, the computer system determines whether an account that has remained inactive for a reasonably long period of time has been used (taking into account account type, expected usage patterns, and other relevant factors). If a suspicious activity case is detected, the computer system makes the detected case available for review by the responsible person.

[0188] In one aspect of this disclosure, the computer system determines whether mail sent to a customer is repeatedly returned due to undeliverability, even though transactions associated with the customer's account continue. If a case of suspicious activity is detected, the computer system makes the detected case available for review by the responsible person.

[0189] In one aspect of this disclosure, when a financial institution or creditor is notified that a customer has not received a paper account statement, the computer system closely reviews all transactions. If suspicious activity is detected, the computer system makes the detected activity available for review by the responsible party.

[0190] In one aspect of this disclosure, when a financial institution or creditor is notified of unauthorized charges or transactions related to a customer's account, the computer system closely reviews all transactions. If suspicious activity is detected, the computer system makes the detected case available for review by the responsible party.

[0191] In one aspect of this disclosure, when a financial institution or creditor is notified by a customer, a victim of identity theft, law enforcement agency, or any other person that a fraudulent account has been opened for a person involved in identity theft, the computer system closely reviews all transactions. If suspicious activity is detected, the computer system makes the detected case available for review by the responsible party.

[0192] In addition to the transaction monitoring models described above, the previously described group comparison method can also be applied to detect potential identity theft cases. Identity theft cases can be categorized into two main types. The first type includes cases where the victim's accounts, financial instruments, or identity documents are stolen by fraudsters to carry out activities. In this case, as mentioned earlier, the computer system can detect activities that deviate from the victim's expected activities, and the victim's expected activities can be established from the victim's historical activity.

[0193] The second category includes cases where the victim's identity is stolen to open new accounts and / or initiate new activities. In these cases, the victim is unaware from day one (out of the picture). Because there is no real history of the victim's activity, it is impossible to properly establish the victim's expected activity for fraud prevention purposes. Although someone might ask the perpetrator questions and collect answers during the account opening process for the purpose of establishing the perpetrator's expected activity, this question-and-answer method may not work because the perpetrator knows how to answer the questions used to establish their expected activity without triggering any alarms.

[0194] To detect identity theft in the absence of available authentic historical activity, one aspect of this disclosure identifies all risk factors associated with new accounts or new customers. These risk factors may include, for example: the results of customer due diligence, the customer's prior records with other businesses, the customer's credit report history, the customer's industry category, the customer's business type, the customer's geographic region, the country of the customer's address, the nature of the customer's business, the type of products the business produces, the type of services the business provides, the business structure, the customer's occupation, nationality, historical records, type of transactions conducted, account balance, fund inflows, fund outflows, transaction patterns, transaction quantity, transaction amount, transaction volume, transaction frequency, transaction derivatives, refund amount, transaction location, transaction time, transaction country, remitter of transfer transactions, remitter's location, remitter's country, remitter's nature, recipient of transfer transactions, recipient's location, recipient's country, recipient's nature, relationship, social status, political exposure, historical transactions, etc. In fact, numerous risk factors can be considered to determine the risk of identity theft.

[0195] In one aspect of this disclosure, risk factors are used to identify a group of people sharing the same risk factors. A particular person may be involved in an identity theft case if they have a higher total risk score than a reference value derived from the total risk scores of all persons sharing the same risk factors. A set of risk factors can be used to identify a group of people sharing that set of risk factors. A particular person may be involved in an identity theft case if they have a higher total risk score than a reference value derived from the total risk scores of all persons sharing the same set of risk factors. Reference values ​​include the mean, median, average, mode, weighted average, and / or other statistical values. To simplify calculations, group statistics (such as mean, variance, standard deviation, etc.) can be derived to facilitate such comparisons among a group of people.

[0196] In one aspect of this disclosure, the responsible person (or compliance officer) investigates a detected case to determine whether it is a genuine identity theft case. The compliance officer also reviews all historical cases associated with the newly detected case. If the compliance officer agrees that the detected case is a possible identity theft case, the computer system assists the compliance officer in submitting a SAR to FinCEN. If the compliance officer decides not to submit a SAR, the compliance officer enters the reasons into the computer system to justify their decision not to report the detected activity.

[0197] The Office of Foreign Assets Control (OFAC) has a very simple rule that it is illegal to conduct any business transaction with any entity on any of its published lists. This list is commonly referred to as the "OFAC List." This rule applies to all U.S. individuals and entities, including financial institutions. For example, Walmart was fined by OFAC for violating this rule. U.S. financial institutions, which are subject to the most stringent regulatory oversight, must naturally adhere strictly to this rule.

[0198] Initially, it was a very simple rule. However, over the past 20 years, the implications of this rule have become far more complex. Common problems arise when people misspell their names (including typos, mispronunciations, etc.). Even if an entity's name is misspelled but it is on the OFAC list, financial institutions still have an obligation to identify that entity as an entity on the OFAC list (often referred to as an OFAC match).

[0199] The natural problem lies in the extent to which deviations from the original names on the OFAC list are categorized as "misspellings." OFAC and government regulators have never provided any precise guidance on answering this question. A very common exercise that examiners or auditors can perform is to use names like "PQR" as samples to test businesses. Generally, businesses should identify all business transactions associated with "PQR," "PR," "PR'," "RP," "RP'," etc., as potential OFAC matches. Now, if we further expand the scope of deviations from OFAC names, it becomes questionable whether financial institutions should identify the single word "R" as a potential OFAC match. It is easy to see that such a simple OFAC rule has caused considerable confusion in recent years.

[0200] In one aspect of this disclosure, the OFAC Matching Scale is used to measure the degree of deviation. The OFAC Matching Scale can generate a value called the "relative relevance" ("RC value") to measure the similarity between two names. For example, if a name has an RC value of 100%, then the name matches exactly with an OFAC name on the OFAC list. If a name has an RC value of 97%, then the name may differ from an OFAC name on the OFAC list by one or two letters. If a name has an RC value of 0%, then the name is completely different from all OFAC names on the OFAC list.

[0201] In one aspect of this disclosure, the length of the name also affects the RC value. For example, if a name differs from an OFAC name with 25 letters by only one letter, the RC value may be 96%, while another name may have an RC value of 90%, even though it also differs from another OFAC name with 10 letters by only one letter.

[0202] Long words such as international, incorporation, limited, company, and organization are commonly used in company names, and these words also exist in the OFAC name list. As a result, companies that use these long words in their names generate higher RC values. To avoid unnecessary false affirmations, in one aspect of this disclosure, commonly used long words can be replaced with shorter words to reduce their impact on RC values. For example, the word "international" can be replaced with "intl."

[0203] Additionally, some countries do not use descriptions of "first name" and "last name." As a result, when someone is asked to provide their first and last name, they may use different sequences of names. "PR" might become "RP." In one aspect of this disclosure, the OFAC matching scale identifies possible "out-of-order" OFAC matches.

[0204] Furthermore, some words are commonly used in certain cultures without producing significant differences. For example, in some cultures, "bin" means "son of..." while "binti" means "daughter of...". Formal names in that culture contain either "bin" or "binti". For instance, if the father has the name "R", his daughter "P" will have the formal name "P·Binti·R", and his son "Q" will have the formal name "Q·Bin·R". In this case, the two words "bin" and "binti", commonly used in names in said culture, will create a "false similarity" between the two names in said culture. To provide more scientifically accurate results, in one aspect of this disclosure, the OFAC matching scale can exclude these kinds of "irrelevant words" before calculating the RC value. Sometimes, names can be translated into English based on sound. Therefore, in one aspect of this disclosure, the OFAC matching scale should measure the sound matching to determine the RC value.

[0205] In one aspect of this disclosure, financial institutions decide what threshold to use when conducting OFAC checks. For example, if a financial institution uses a threshold of 75%, a possible OFAC match is detected when the name has an RC value of 75% or higher. Because each financial institution may have different risk exposures than other financial institutions, it is quite possible that X is the optimal threshold for financial institution A while Y is the optimal threshold for financial institution B. As a general guideline, the value of X or Y is selected based on a risk-based principle.

[0206] Generally, the higher the threshold used by a financial institution, the fewer possible OFAC matches it will detect. This saves time during the review process by avoiding more false positives. However, if the threshold is too high, the financial institution may miss reasonable deviations from OFAC names such as "PQR". If the threshold is too low, the financial institution may incorrectly detect many of its clients as possible OFAC matches. Best practice is to find a balance between "too many possible OFAC matches requiring review" and "missing genuine OFAC name deviations due to misses".

[0207] In one aspect of this disclosure, a user can randomly select multiple OFAC names from a list of OFACs and determine how an OFAC matching scale responds to deviations from these selected OFAC names. The user can then use this test to determine when they would refer to a “potential OFAC match.” It is recommended that the results of this test be retained for future review by auditors and reviewers.

[0208] It is possible that a particular name is very similar to an OFAC name. For example, American Express, a very reputable credit card company, is frequently mistakenly detected as an OFAC match due to the word "express". Therefore, to avoid this type of frequent false positives, in one aspect of this disclosure, a user-generated exemption list is provided to include well-known and reputable businesses. When a business on the exemption list is detected as a possible OFAC match, it is automatically classified as a false positive by the computer or manually by the user.

[0209] In many cases, a company may have an OFAC officer handling all OFAC-related matters. In one aspect of this disclosure, if a financial institution's OFAC officer (e.g., the principal) detects a potential OFAC match with an RC value exceeding a predefined threshold, the OFAC officer investigates whether this is a genuine OFAC match. If the OFAC officer believes it is a genuine match, the OFAC officer should handle the case according to guidance issued by the Foreign Assets Control Authority (FAACA). Under OFAC regulations, in some cases, the OFAC officer may be required to block the transaction so that individuals on the OFAC list do not profit from it. If, after its investigation, the OFAC officer determines that the OFAC match is a false positive, the OFAC officer should enter the reasons into the computer system to justify its reasons for not reporting such an OFAC match case to the FAACA and / or not blocking the transaction.

[0210] Section 314(a) of the U.S. Patriot Act requires financial institutions to check for name matches on the 314(a) list, which is published periodically by FinCEN. Computer systems can use methods similar to those used for handling OFAC compliance matters as described above to handle 314(a) compliance matters.

[0211] Sometimes, the 314(a) list also includes additional personally identifiable information, such as identity document number, date of birth, address, etc. In one aspect of this disclosure, in addition to the method described above for detecting possible OFAC matches, a computer system uses personally identifiable information such as identity document number, address, and / or date of birth to determine whether a detected 314(a) match is a genuine match. This method can reduce false positives in the 314(a) matching process.

[0212] In one aspect of this disclosure, if a financial institution's compliance officer (e.g., the head) detects a potential 314(a) match with an RC value exceeding a predefined threshold, the compliance officer investigates whether this is a genuine 314(a) match. In one aspect of this disclosure, if the compliance officer believes it is a genuine match, the compliance officer reports the 314(a) match case to FinCEN. If, after its investigation, the compliance officer determines that the 314(a) match is a false positive, the compliance officer enters reasons into the computer system to justify its decision not to report the 314(a) match to FinCEN.

[0213] In one aspect of this disclosure, the computer system receives customer information and transaction data from the financial institution's core data processing system or other data processing systems, either internal or external to the financial institution. Customer information may include background information.

[0214] In one aspect of this disclosure, the computer system receives information about suspicious activities observed by frontline personnel. For example, the computer system may receive information input from frontline personnel. The computer system may also receive information provided by other internal or external sources.

[0215] Although "financial institutions" are used as an example for ease of illustration, this disclosure is also applicable to other types of businesses. In general, any business that needs to comply with laws and regulations can adopt an intelligent alarm system as described in this disclosure.

[0216] In one aspect of this disclosure, risk scores or the degree of risk factors can be assigned by computer software modules, personnel designing or regulating the system, or users of the system. In most cases, the absolute value of the risk score is not important; rather, the relative relationship between all risk scores may be more important.

[0217] Furthermore, an entity's total risk score should fluctuate only within a reasonable range. In one aspect of this disclosure, if an entity's total risk score has suddenly increased and exceeded a threshold, the entity may have engaged in suspicious or unusual activity. That is, if the difference between an entity's first and second total risk scores is greater than the increase threshold, where the first total risk score is less than the second total risk score, the entity may have engaged in suspicious or unusual activity. In another aspect of this disclosure, if an entity's total risk score has suddenly and significantly decreased, the entity may also have engaged in suspicious or unusual activity. That is, if the difference between an entity's second and first total risk scores is greater than the decrease threshold, where the first total risk score is greater than the second total risk score, the entity may have engaged in suspicious or unusual activity. Therefore, when an entity's total risk score has suddenly and significantly increased or decreased, an alert will be sent to the investigator, BSA officer, compliance officer, or other responsible party who will be investigating the entity.

[0218] The subject's observation data may fluctuate from time to time. Therefore, an intelligent alarm system can allow a certain range of fluctuation in the subject's total risk score to avoid false alarms. In one aspect of this disclosure, when the subject's total risk score is below a threshold, the intelligent alarm system increases the allowable range of fluctuation in the subject's total risk score. In another aspect of this disclosure, when the subject's total risk score is above a threshold, the intelligent alarm system decreases the allowable range of fluctuation in the subject's total risk score. The allowable range of fluctuation can be determined (e.g., set) by the software module, the person designing the system, the person adjusting the system, or the person using the system.

[0219] For example, if a subject's total risk score is higher than the average of all subjects' total risk scores plus a certain number of standard deviations (such as four standard deviations), the intelligent alert system can modify the subject's permissible range of total risk score fluctuation to within half a standard deviation without triggering an alert. In another example, if the subject's total risk score is within the average of all subjects' total risk scores plus a certain number of standard deviations (such as three standard deviations), the intelligent alert system can allow the subject's total risk score to fluctuate within one standard deviation without triggering an alert.

[0220] In yet another example, if a subject's total risk score is within a certain number of standard deviations (such as two standard deviations) of the average of all subjects' total risk scores, the intelligent alarm system can allow the subject's total risk score to fluctuate within one and a half standard deviations without triggering an alarm. In yet another example, if a subject's total risk score is within a certain number of standard deviations (such as one standard deviation) of the average of all subjects' total risk scores, the intelligent alarm system can allow the subject's total risk score to fluctuate within two standard deviations without triggering an alarm.

[0221] In the field of machine learning, a denial is a dataset that does not trigger an alert. A true denial is a dataset that does not trigger an alert and does not include any real cases that would trigger an alert. A false denial is a dataset that does not trigger an alert but includes real cases that would trigger an alert but were missed by the system. As an example, if a false denial is discovered by the U.S. government, the false denial could lead to penalties for the financial institution. Therefore, it is desirable to prevent false denials in alert systems specifically designed to prevent money laundering (e.g., anti-money laundering alert systems).

[0222] For anti-money laundering alert systems within U.S. financial institutions, genuine money laundering cases are reported to FinCEN—a U.S. government organization. FinCEN has a set of communication protocols. U.S. financial institutions can report cases to FinCEN by sending documents from the anti-money laundering alert system to FinCEN's computer system using FinCEN-based communication protocols.

[0223] In a conventional sense, rule-based systems are used to detect suspicious activity, with each rule potentially triggering an alert. Many financial institutions already use rule-based approaches that can trigger numerous alerts. For example, there are over two hundred countries in the world. If a financial institution uses a rule-based approach to monitor wire transfers to or from each country, it could have over two hundred branches at the country decision node in its decision tree. As another example, there are thousands of different industries. If a financial institution uses a rule-based approach to monitor wire transfers to or from each industry, it could have thousands of branches at the industry decision node in its decision tree. Country and industry are two of many risk categories with money laundering risk. Similarly, wire transfers are one type of transaction with money laundering risk. Other possible types of transactions include cash, checks, ACH, ATMs, credit cards, debit cards, and letters of credit.

[0224] There are numerous money laundering risk factors. There are many (e.g., millions) possible combinations of branches to form paths from the root of a decision tree to its leaf nodes. In other words, a rule-based system might use millions of rules to cover the entire spectrum of money laundering risks, thus detecting suspicious money laundering activities. A rule-based system with a finite number of rules can have an increased number of false negatives (e.g., the system has missed genuine money laundering cases) and many false positives (e.g., the leaf nodes of the decision tree have an increased number of impurities and fail to achieve the classification objective). Due to the number of false negatives and false positives when using rule-based methods, financial institutions hire investigators to review a large number of alerts. It is difficult for financial institutions to use rule-based systems to mitigate all false negatives.

[0225] In the field of machine learning, a standard system is considered to have 70% accuracy. Training a machine learning model to achieve high accuracy (such as 100%) is difficult, if not impossible. Unfortunately, while 70% accuracy may be good for some purposes, this 70% target does not meet regulatory standards, such as those set by the U.S. government. As discussed, if a financial institution fails to detect certain activities (such as money laundering), it may face severe regulatory penalties. Therefore, financial institutions will not use alert systems with 70% accuracy. Thus, conventional machine learning models are not satisfactory for intelligent anti-money laundering alert systems.

[0226] According to various aspects of this disclosure, the intelligent anti-money laundering alert system uses a risk scoring method. The degree of each risk factor or risk factor can be analogous to a branch in a rule-based system. Therefore, the risk scoring process described in this disclosure for generating a total risk score from many risk factors can incorporate information from many rules into the total risk score. For example, if a total risk score is generated from 10,000 risk factors, the user only needs to focus on those alerts with total risk scores exceeding a threshold, without needing to evaluate each of the 10,000 risk factors. If a rule-based approach is used, each risk factor may require two possible outcomes, a match or a mismatch. The total number of possible combinations of outcomes for 10,000 risk factors is two (2) to the power of 10,000 (e.g., 2^10,000). 10,000 Therefore, assessment based on total risk score has effectively replaced assessment 2(2) to the power of 10,000 (e.g., 2). 10,000 The need for each of the 2 possible outcomes. Because of these 2 10,000 One result may potentially generate 2 10,000 There are several different types of alarms, so the intelligent anti-money laundering alarm system can prevent at least 2 10,000 This results in an alert. Therefore, the intelligent anti-money laundering alert system is an improvement over conventional rule-based systems.

[0227] While a total risk score can substitute for many rules, it may not substitute for all of them. For example, if someone frequently deposits funds slightly below the CTR reporting threshold... A certain amount of cash of 10,000 (for example, If the risk score is 9,900, then the financial institution is expected to report this person as a structured splitting case to the Financial Crimes Enforcement Network (FinCEN). Accurately detecting structured splitting cases based solely on the total risk score is difficult. Therefore, alert systems based on risk score-based technologies can include rules in addition to risk score-based criteria.

[0228] In one aspect of this disclosure, the intelligent anti-money laundering alert system uses risk-score-based scenarios instead of rules. In one example, the intelligent anti-money laundering alert system may use approximately twenty to thirty scenarios. Scenarios may include both risk-score-based and non-risk-score-based scenarios.

[0229] In addition to or alternative to the described scenario, other conditions can be used to generate alerts. For example, a computer system such as a machine learning network can be trained to generate a model. After training, the discriminant used by the model can be converted into an if-then conditional format to trigger an alert.

[0230] For the purposes of this disclosure, a scenario can be defined as a condition or set of conditions that can trigger an alert or be used to categorize an entity into a category for a specific purpose. For example, a customer with a total risk score within a certain range may not trigger an alert. In this example, the total risk score can still categorize the customer into a specific risk category, such as high risk, medium risk, or low risk. As another example, a customer who was previously a suspect in a Suspicious Activity Report (SAR) may not trigger an alert. In this example, the customer can be categorized into a specific category, such as a previous SAR suspect or another similar category. As yet another example, a customer matching the OFAC List, the 314(a) List, the Politically Exposed Persons List, and / or other lists can be categorized into one or more categories.

[0231] A scenario can consist of the following: rules, rule sets, rule-based standards or sets of standards, facts, behavioral patterns, risk scores, risk dimensions, total risk scores, special categories, mathematical models, and / or machine learning models. Scenarios can trigger alarms using rule-based methods, behavior-based methods, risk-based methods, model-based methods, and / or machine learning-based methods (e.g., artificial intelligence-based methods). An intelligent alarm system may include one or more scenarios.

[0232] As discussed, alerts can be triggered by scenarios. A scenario can be flagged when one or more conditions are met. A potential case that triggers an alert can be called a positive. A potential case may include one or more alerts. Therefore, the cause of a potential case can be one or more scenarios. Potential cases or positives can be investigated. A true positive can refer to a potential case that is a real case (e.g., a positive). If the investigation indicates that a potential case is not a real case, then the potential case can be called a false positive. Therefore, a false positive can be rejected, and the associated alert can be rejected as a false alert. True positives can be reported to authorities, such as FinCEN or law enforcement agencies.

[0233] In one configuration, the posterior probability can be estimated via the Bayesian principle. The product of the posterior probability and the evidence is the prior probability multiplied by the likelihood. Using an application that reports suspicious money laundering activities to FinCEN as an example, the Bayesian equation is: p(S / c)p(c) = p(c / S)p(S) Evidence p(c) is the most significant factor among all potential cases, arising from the cause. c The probability of triggering a potential case. Similar to probability. p(S) It is the most certain of all potential cases. S The probability of (e.g., a real SAR case). Prior probability. p(c / S) It is the cause of all true affirmations. c The probability of a true positive trigger. As a result, the posterior probability. p(S / c) It can be determined as follows: p(S / c) = p(c / S)p(S) / p(c) Posterior probability P (S / c) There are also reasons c The triggered potential case has a true conditional probability. That is, although the conditional probability... P(S / c) It is derived from historical data, but it is based on the reasons... c The posterior probability is the best estimate of the probability that a potential case will become a true certainty in the future. Therefore, the posterior probability can also be called the conditional probability for the future, or the future conditional probability.

[0234] Many risk factors (e.g., thousands) can influence money laundering risk. In one configuration, the number of scenarios used by the smart money laundering alert system is not large when risk score-based scenarios are used as part of the scenario set. As an example, the smart money laundering alert system can use thirty scenarios. A potential case can be triggered by one or more of these scenarios. In this example, a vector with thirty elements can represent the possible causes of a potential case. Therefore, in this example, there are 2 30 There are several different possible combinations of causes. Each triggered scenario is identified by a flag. For example, the cause vector can be initialized with a value of "0" for each element. If a scenario is triggered, the value of the element corresponding to that scenario can change from "0" to another value, such as "1".

[0235] For example, if a potential case is triggered by a first scenario and a third scenario, the vector x may include "1" at the first and third positions and "0" at all other positions. That is, the vector may be represented as x = (1,0,1,0,0,0,…, 0). As another example, if a potential case is triggered by a third scenario and a fourth scenario, the third and fourth positions of the vector may include "1" values, and all other positions may include "0" values. In this example, the vector x may be represented as x = (0,0,1,1,0,0,…, 0). In this disclosure, the vector that includes the scenario (e.g., the cause) used to trigger an alarm for a potential case may be referred to as a cause vector.

[0236] A scenario may include one or more conditions for classifying an entity into one or more categories; however, a scenario itself may not trigger a potential case. A potential case may be triggered by multiple scenarios in the associated cause vector. For example, if a scenario is designed to classify an entity into a previous SAR suspect category, this scenario itself may not trigger a money laundering alert. However, if a customer is a previous SAR suspect and another scenario is triggered (e.g., transferring more than ten million US dollars to a higher-risk country), a potential case may be triggered. Nevertheless, a cause vector may have two scenarios, one for the transfer transaction and another for the previous SAR suspect. It is a good idea to include various special categories (e.g., previous SAR suspects) in the cause vector, as these special categories can improve the accuracy of suspicious activity detection.

[0237] Potential cases with multiple triggers in the cause vector are more likely to become true affirmative. For example, if a customer receives a wire transfer... If the number is 250,000, then a scenario in the cause vector can be flagged (e.g., triggered). The cause vector with a flagged scenario can be registered as a potential case, which may or may not be an actual money laundering case. Similarly, if a customer withdraws money... 250,000 could then be used to identify another scenario in the cause vector. Nevertheless, this potential case may or may not be a genuine money laundering case.

[0238] However, if the customer receives from the wire transfer 250,000, then withdraw from the account. With 250,000 cash, two distinct scenarios can be labeled in the cause vector. A cause vector with two labeled scenarios can be registered as a potential case, which is more likely to be a genuine money laundering case because the combined activities described by these two different scenarios match common money laundering patterns. Therefore, instead of calculating conditional probabilities based on a single labeled scenario, it is desirable to calculate the conditional probabilities of potential cases based on cause vectors with multiple labeled scenarios.

[0239] If the cause vector has thirty scenarios, then since each scenario has two possibilities (e.g., triggered and not triggered), thirty scenarios can have up to 2 30 There are 2 possible combinations. However, since no case will be triggered if no scene is triggered, the total number of possible combinations that trigger a case is (2). 30 -1). Each combination may have a unique conditional probability of triggering a potential case. Calculating these conditional probability values ​​may be impractical because 2 30 This is a very large number. In practice, a potential case typically has five or fewer scenarios that trigger simultaneously. Therefore, the actual total number of meaningful scenario combinations that can trigger a potential case is a much smaller number and can be managed via computing devices associated with an intelligent alarm system. For example, if the maximum number of possible scenarios in a potential case is 5, then the total number of possible potential cases that can be triggered by these thirty scenarios is C(30,1) + C(30,2) + C(30,3) + C(30,4) + C(30,5), where C(m, n) is the number of possible different choices of selecting n objects from m subjects. For example, C(30,1) is 30 because there are 30 possible choices to select 1 from 30 objects. C(30,2) is 435. C(30,3) is 4,060. C(30,4) is 27,405. C(30,5) is 142,506. The total number of possible causal vectors is 174,436. These causal vectors and their associated conditional probability values ​​can be managed via computing devices and databases associated with the intelligent alarm system.

[0240] Investigators can use intelligent alert systems to investigate potential cases triggered by cause vectors. Cause vectors can include multiple labeled scenarios. A potential case can be a false positive or a true positive. A true positive is a potential case that is actually a real case. A false positive is a potential case that is not actually a real case. If it is a false positive, all alerts for the potential case are rejected as false alarms. If it is a true positive, the potential case becomes a real case that can be reported to authorities such as FinCEN.

[0241] Generally, investigating a potential case is time-consuming. In the United States, it is common for large financial institutions to employ hundreds of investigators. Each investigator is tasked with investigating whether a potential case triggered by various anti-money laundering systems is a genuine money laundering case. If a genuine money laundering case exists, U.S. law requires the financial institution to report it to FinCEN within thirty days. However, as discussed above, whether a potential case is a genuine money laundering case is subjective and depends on the investigator's opinion.

[0242] There is no penalty if investigators report a false positive as a genuine money laundering case because financial institutions are protected by safe harbor rules. Generally, because of the substantial regulatory penalties for failing to report a genuine money laundering case to FinCEN, the expectation is to report potential cases to FinCEN rather than reject them. Therefore, in common practice, investigators treat potential cases as genuine positives as long as there is reasonable suspicion. Current U.S. law does not require investigators to prove a potential case is genuine. That is, if there is a high probability that a potential case is genuine, the investigator is inclined to report it. This also means that probability plays a role in the decision-making process.

[0243] It can be based on the conditional probability that a potential case based on cause vector x becomes a real SAR case. p(S / x) The system uses knowledge to improve user decision-making. For example, if the conditional probability is greater than a threshold, a user might want to report the case to FinCEN without spending time on investigation. In one configuration, when the conditional probability of a case is greater than a threshold, the intelligent alert system automatically reports the case to the appropriate entity (e.g., FinCEN). The threshold can be set by the software module, the person designing or regulating the system, and / or the user of the system. Alternatively, the threshold can be set by the intelligent alert system, which learns user preferences by evaluating the user's past behavior. For example, if a user frequently submits SARs when the conditional probability of the cause vector is greater than a value Z, the system can use the value Z as the threshold for automatically submitting SARs for the user in the future. In one configuration, the system stores potential cases in a database to determine conditional probabilities. For each potential case, the system also stores the associated cause vector. The system can also store investigation results, such as whether a potential case triggered by the cause vector is accepted by the investigator as a true affirmative or rejected by the investigator as a false affirmative.

[0244] As users continue to use the intelligent alarm system, the system accumulates historical data in its database. In one aspect of this disclosure, for any given time period, the system can determine from the database how many potential cases are triggered by cause vector x, and how many of these potential cases triggered by cause vector x have become true positivity (e.g., SAR cases reported to FinCEN). The ratio of the number of true positivity cases triggered by cause vector x to the number of potential cases triggered by cause vector x is the conditional probability. p(S / x) This conditional probability can also be called the posterior probability. The posterior probability indicates the probability that a future potential case triggered by a cause vector will become a real case reported to FinCEN. Generally speaking, the conditional probability of a potential case is equivalent to the conditional probability of the cause vector that triggered the potential case.

[0245] In one aspect of this disclosure, the intelligent alarm system calculates and displays the conditional probability of each potential case based on the cause vector of each potential case. This conditional probability indicates the probability that a potential case triggered by the cause vector becomes a true affirmative case reported to FinCEN. In another aspect of this disclosure, the intelligent alarm system accepts a potential case as a true affirmative case and reports it to FinCEN in response to the conditional probability of the cause vector being higher than a predefined value. This predefined value is also referred to as the true affirmative acceptance threshold.

[0246] The intelligent alert system can also reject a potential case as a false positive if the conditional probability of the cause vector is less than a false positive rejection threshold. The false positive rejection threshold and the true positive acceptance threshold can be set by the software module, the person designing or regulating the system, and / or the user of the system. Alternatively, these thresholds can be set by the intelligent alert system, which learns user preferences by evaluating past user behavior. For potential cases that are neither accepted as true positives nor rejected as false positives, investigators can manually review the potential cases and determine whether each of these potential cases is a false positive or a true positive.

[0247] Data used to determine conditional probabilities can be acquired over a specific time period. This period could be the past 12 months, the past three years, or any other timeframe. In one configuration, conditional probabilities can be determined from a rolling timeframe that continuously moves forward. For example, if the environment (e.g., business strategy, customer demographics, products, services, etc.) has changed, older probability values ​​may no longer be accurate after that change. Furthermore, if the financial institution modifies the scenario, older probability values ​​may be affected. Therefore, a rolling timeframe (e.g., the past three years) provides the intelligent alert system with the ability to continuously adjust itself to generate the most current and accurate probability values.

[0248] Many computer systems run data processing in batches (e.g., one batch per month). Instead of time periods, the number of batches can be used to limit the amount of historical data used for probability calculations. For example, if a computer system runs one batch per month, instead of a rolling time period of the past three years, the computer system could use a rolling time period of the past 36 batches.

[0249] In one configuration, the intelligent alarm system intentionally leaves some potential cases unattended for investigators to handle. The system can use the outcomes of these cases to train itself, i.e., adjust the probability values ​​to better fit the current environment. Therefore, the intelligent alarm system is a learning system that improves its predictions as more potential cases are evaluated by human investigators.

[0250] When a causal vector has not yet generated a potential case within a specified time period, the intelligent alarm system can generate a flag or display a message for the potential case triggered by that causal vector. In this case, the user can manually investigate the potential case to determine whether it is a false positive or a true positive. The results of the manual investigation can be used to calculate the conditional probability value of the causal vector. The calculated conditional probability value can be used to evaluate future potential cases. This manual investigation process has the equivalent effect of supervised training and improves the accuracy and reliability of the intelligent alarm system.

[0251] The intelligent alert system can also display or link to historical potential cases and / or true / false alarms triggered by the cause vector. Additionally, users can view additional details for each case (e.g., in-depth analysis). Therefore, investigators can use historical data as a reference when determining whether to pursue potential cases.

[0252] The system can also display or link to historical potential cases triggered by the same suspect in the current potential case, as well as decisions made regarding those potential cases. Investigators can delve into detailed background and transaction information about suspects. As a result, investigators can determine whether the current potential case is a false positive or a true positive.

[0253] In some cases, there may be insufficient reasons to report a current potential case to the authorities. However, a current potential case, combined with historical potential cases, may have sufficient reasons for reporting. In this case, the true reason for reporting the case consists of the cause vector of the current potential case in addition to the cause vector of the historical potential cases. Historical potential cases may be referred to as previous potential cases. The combined cause vector can be used for this true reason. The combined cause vector can be a combination of multiple cause vectors from multiple potential cases.

[0254] As an example, the cause vector x1 of the current case may have "1" at the first and fifth positions of the vector and "0" at all other positions (e.g., x1 = (1, 0, 0, 0, 1, 0, 0, …0)). In this example, the historical potential cause vector x2 may have "1" at the third and fifth positions and "0" at all other positions (e.g., x2 = (0, 0, 1, 0, 1, 0, 0, …0)). The combined cause vector x3 (e.g., a combination of x1 and x2) has "1" at the first, third, and fifth positions and "0" at all other positions (e.g., x3 = (1,0, 1, 0, 1, 0, 0, …0)). Although only one cause vector of a historical potential case is used in the above example, a combined cause vector can consist of multiple cause vectors of multiple historical potential cases.

[0255] In one configuration, investigators manually reviewed multiple historical and current potential cases to determine whether a combined case was a false positive (e.g., do not report) or a true positive (e.g., report). The results of the manual investigation were used to calculate the combined cause vector. cbv conditional probability value p(S / cbv) (For example, posterior probability values). Combined cause vectors cbv It is a combination of the cause vector of the current potential case and one or more cause vectors of the historical potential cases.

[0256] In some cases, intelligent alarm systems may struggle to identify which historical potential cases have already been investigated by investigators. Therefore, intelligent alarm systems can prompt investigators to select historical potential cases, which will be combined with current cases to report to the authorities.

[0257] Additionally, in some cases, intelligent alert systems may struggle to determine which scenarios, or combinations of causal vectors, led investigators to report potential incidents. Therefore, intelligent alert systems can prompt investigators to select the scenarios that led them to report potential incidents.

[0258] Many suspicious activity reports request investigators to provide comments or descriptions of potential cases. To improve processing time, it is expected that intelligent alert systems will automatically populate comments or descriptions for reported cases. Generally, the information used to write comments or descriptions consists of background information on the suspect and transaction details. Because this information is stored in a database, intelligent alert systems can learn from users how to write comments or descriptions, as explained later in this disclosure.

[0259] In one aspect of this disclosure, the intelligent alarm system prompts investigators to select historical potential cases to be combined with the current potential case for reporting. Based on the cause vectors of the selected historical potential cases and the cause vectors of the current potential case, the intelligent alarm system prepares a comment or narrative. The prepared comment or narrative is provided in the report of the combined cases.

[0260] When the intelligent alarm system receives comments or descriptions, it can also identify the combined causal vectors of the reported cases. Therefore, based on the results of human investigations, conditional probability values ​​can be... p(S / cbv) With the identified combined cause vector cbv Related.

[0261] The intelligent alert system can prompt investigators to select a causal vector or a combination of causal vectors that led to the reporting of a potential case. Based on the selected scenario, the intelligent alert system prepares comments or descriptions to complete the case report. These selected scenarios form the true causal vector of the reported case. The scenarios that identified the true causal vector of the reported case are then identified. Conditional probability values ​​for the true causal vector can be calculated based on the results of the human investigation.

[0262] Each person may have a unique writing style (or preference), so an investigator may initially dislike the comments or narratives generated by the intelligent alert system. If the investigator dislikes the generated comments or narratives based on the selected scenario and has no way to modify them, the investigator may not bother to select the scenarios that enable the intelligent alert system to generate comments or narratives. In this case, the intelligent alert system may not be able to learn the true reasons why the investigator has decided to report the case to the authorities. Therefore, the intelligent alert system may not be able to calculate the future conditional probability value of the true cause vector based on the results of a human investigation.

[0263] Therefore, intelligent alert systems are expected to learn and adapt to the investigator's writing style (or preferences). In one configuration, the intelligent alert system learns the investigator's writing style (or preferences) and generates future comments or narratives based on that style (or preferences).

[0264] In one configuration, to learn a person's writing style (or preferences), the intelligent alert system displays comments or narratives for a first selected scenario based on pre-stored default comments or narratives. The pre-stored default comments or narratives consist of two main parts. The first main part comprises facts such as the suspect's name, identification information, background, relationships between suspects, location of the incident, description of the incident, date and time of the incident, related information, transaction details, etc. The second main part may contain words, phrases, sentences, symbols, etc., used to link the facts together. These words, phrases, sentences, symbols, etc., are collectively referred to as "linking words."

[0265] Facts can be obtained from stored data or information associated with the intelligent alert system. Investigators may rarely modify the stored facts. Investigators may modify linking words based on their writing style (or preferences). Therefore, the intelligent alert system tracks the facts and linking words used for commentary or narration. The intelligent alert system can also track the location of facts stored in memory (e.g., a database) and the relationships between facts.

[0266] Generally, a person's writing style (or preference) is determined by the order in which linking words and facts are presented (e.g., format). A writing style (or preference) cannot be determined solely by the selection of facts themselves, as investigators should include relevant facts and avoid altering them. In some cases, the facts may differ when two different cases are detected in the same scene. Nevertheless, the order in which linking words and facts are presented (e.g., format) may remain consistent in a commentary or narrative because the same investigator has the same writing style (or preference).

[0267] In one configuration, the intelligent alert system provides investigators with the ability to add, delete, or modify linking words that connect facts. The intelligent alert system also provides investigators with the ability to add, delete, or modify facts within a narrative. Furthermore, the intelligent alert system provides investigators with the ability to extract additional facts from a database and insert them into the narrative, as well as database search capabilities.

[0268] After an investigator has revised their comments or narratives for the first selected scenario, they can save the revised comments or narratives as the next default comments or narratives. In the future, when the investigator selects the first selected scenario again for other cases, revised comments or narratives based on different sets of facts (e.g., the next default comments or narratives) can be displayed for the investigator to edit. It is possible that after several revisions, the investigator may be satisfied with the current version and may not want to edit it again. Through this evolutionary revision process, the intelligent alert system learns from the investigator and will generate comments or narratives that match the investigator's writing style (or preferences).

[0269] The intelligent alarm system can handle a second selected scenario using the same method described above for the first selected scenario. The intelligent alarm system can handle other selected scenarios in the same way. Over time, the intelligent alarm system will gradually learn how to write comments or narratives for each scenario based on the investigator's preferences.

[0270] As discussed above, based on learning, the intelligent alert system can automatically generate comments or narratives for investigators. Based on all aspects of this disclosure, there will be no need for investigators to write comments or narratives. Investigators can select a scenario, and in response, the intelligent alert system automatically fills in SAR forms and comments or narratives. The intelligent alert system can then report the case to the appropriate authorities. Currently, investigators may spend hours writing comments or narratives for SAR cases. The intelligent alert system can eliminate a significant amount of labor for investigators.

[0271] In some cases, a person's writing can depend on his / her mood. For example, a person in a good mood might write a detailed narrative. As another example, a person in a bad mood might write a poor or incomplete narrative. The aspects disclosed herein eliminate the influence of the human author's mood on the narrative, ensuring a consistent standard of narrative.

[0272] In an exemplary scenario, when the smart alarm system detects that customer AA will... 9,990 and on June 2nd When 9,995 is deposited into Bank ABC's account, an alert with the following default statement may be generated: Mr. AA exist June 1 Will 9,990 And in June 2 Will 9,995 Save to Bank ABC In this short description, the underlined words are facts, while the rest are linking words.

[0273] In one example, the investigator could change the narrative as follows: Mr. AA exist June 1 Will 9,990 And in 6 2nd Will 9,995 Save to Bank ABC "Under the Bank Secrecy Act, we reported this case as suspicious activity because it is a typical pattern of structured cash splitting." In the above statement, the underlined words are facts, while the remaining words are linking terms. When investigators save the SAR form for AA, the intelligent alert system stores the revised statement as the default statement.

[0274] Later, the smart alarm system may detect that customer BB, on July 1st... 9,999 and on July 2nd 9,999 was deposited into Bank ABC's account. In response, the intelligent alarm system can generate an SAR case with the following default statement: Mr. BB exist July 1 Will 9,999 And in July 2 Will 9,999 Save to Bank ABC "Under the Bank Secrecy Act, we are reporting this case as suspicious activity because it is a typical pattern of structured cash splitting."

[0275] In one example, an investigator could modify the statement to read: "Under the Bank Secrecy Act, financial institutions are required to report cash structured splitting activities via Suspicious Activity Reports (SARs). We have identified..." Mr. BB exist July 1 Will 9,999 And in July 2 Will 9,999 Save to Bank ABC This is a typical cash splitting activity performed to avoid submitting a Cash Transaction Report (CTR). Therefore, we report this case as a suspected structured splitting activity via SAR. When the investigator saves the SAR form for BB, the smart alert system stores the revised narrative as the default narrative.

[0276] Later in the day, the intelligent alarm system detected customer CC, who on August 3rd... 9,980 and on August 4th 9,985 was deposited into Bank ABC's account. In response, the intelligent alarm system can generate a SAR case with the following default statement: "Under the Bank Secrecy Act, financial institutions are required to report cash structured splitting activities via Suspicious Activity Reports (SARs). We have identified..." Mr. CC exist August 3 Will 9,980 By myself August 4 Will 9,985 Save to Bank ABC This is a typical cash structured splitting activity undertaken to avoid filing a Cash Transaction Report (CTR). Therefore, we are reporting this case as a suspected structured splitting activity via SAR.

[0277] Investigators might see the above statement and might want to add a few words like: "Under the Bank Secrecy Act, financial institutions are required to report cash structured splitting activities via Suspicious Activity Reports (SARs). We have identified..." Mr. CC exist 8 March 3 Will 9,980And in August 4 Will 9,985 Save to Bank ABC This is a typical cash structured splitting activity undertaken to avoid submitting a Cash Transaction Report (CTR). Therefore, we report this case as a suspected structured splitting activity via SAR. Mr. CC exist March 1, 2019 Open a bank account and have an average account balance of [amount] over the past three (3) months. 123,197 "During the review of this case, investigators have included additional facts extracted from the database of the intelligent alarm system. These additional facts are underlined in the following sentences:" Mr. CC exist March 1, 2019 Open a bank account and have an average account balance of [amount] over the past three (3) months. 123,197 "When investigators save the SAR form for CC, the intelligent alarm system stores the revised narrative as the default narrative."

[0278] At yet another later time, the intelligent alarm system detected that customer DD had... 9,998 and on September 6th 9,998 was deposited into Bank ABC's account. In response, the intelligent alarm system can generate a SAR case with the following default statement: "Under the Bank Secrecy Act, financial institutions are required to report cash structured splitting activities via Suspicious Activity Reports (SARs). We have identified..." Mr. DD exist September 5 Will 9,998 And in September 6 Will 9,998 Save to bank ABC This is a typical cash structured splitting activity undertaken to avoid submitting a Cash Transaction Report (CTR). Therefore, we report this case as a suspected structured splitting activity via SAR. Mr. DD exist February 15, 2019 Open a bank account and have an average account balance of [amount] over the past three (3) months. 83,225 .

[0279] The investigator may see the above description and decide that no changes are needed. Until the investigator makes changes in the future, cases detected by the same scenario will use the following comment or description: "Under the Bank Secrecy Act, financial institutions are required to report cash structured splitting activities via Suspicious Activity Reports (SARs). We have identified..." (Suspect's name) exist (First (Deposit date) Will (First cash transaction amount) And in (Second deposit date) Will (Second cash transaction amount) Save to (Bank Name) This is a typical cash splitting activity undertaken to avoid filing a Cash Transaction Report (CTR). Therefore, we report this case as a suspected structured splitting activity via SAR. (Suspect's name) exist (Account opening date) Expect) Open a bank account and have an average account balance of [amount] over the past three (3) months. (Average account balance) The underlined words will be extracted from the database of the intelligent alarm system. The remaining words in the narrative are the preferred linking words used by the investigators, which have been learned by the intelligent alarm system from the investigators based on their writing of narratives of past cases detected through the same scene.

[0280] In the example above, the fact set consists of the suspect's name, the amount of the first cash transaction, the date of the first deposit, the amount of the second cash transaction, the date of the second deposit, the bank name, the account opening date, and the average account balance. These different fact fragments can be extracted from a storage location such as a database.

[0281] Furthermore, AA, BB, CC, and DD are facts of the same type under the field name "Suspect's Name". Each suspect's name can be defined as a fact corresponding to other suspect's names. For example, DD can be a corresponding fact fragment for CC. Similarly, corresponding sets of fact fragments can be defined under the following fields: First Cash Transaction Amount, First Deposit Date, Second Cash Transaction Amount, Second Deposit Date, Bank Name, Account Opening Date, and Average Account Balance.

[0282] When the intelligent alert system displays a default narrative based on a new set of facts about a new suspect, it replaces each old fact about the old suspect with the new corresponding facts about the new suspect. In the example above, the old suspect's name CC is replaced with the new suspect's name DD; 9,998 replacement 9,980; replace August 3 with September 5; use 9,998 replacement 9,985; replace August 4 with September 6; replace Bank ABC with Bank ABC; replace March 1, 2019 with February 15, 2019; and use 83,225 replacement 123,197. Link words remain unchanged.

[0283] If an investigator has used the same default narrative a predefined number of times without revising it, then the default narrative has been matched with the investigator's writing style (or preference). In this case, the intelligent alert system can skip the narrative review process or recommend that the investigator skip the narrative review process.

[0284] In one configuration, in addition to providing a commentary or narrative for each case, the intelligent alert system also provides an introduction section for each case. Additionally or alternatively, the intelligent alert system may provide a conclusion section for each case. The introduction section is placed at the beginning of the overall narrative, while the conclusion section is placed at the end of the overall narrative. For example, if a case has three scenarios selected by the investigator, the overall commentary or narrative will have an introduction section, three commentary or narrative sections matching the three selected scenarios, and a conclusion section.

[0285] In one application of this disclosure, the introduction and conclusion sections can also be modified and saved by the investigator. Similarly, the intelligent alert system will learn to construct the investigator's preferred introduction and conclusion sections. This universal format, including the introduction and conclusion sections, provides investigators with additional flexibility in writing more comprehensive and general narratives.

[0286] In a configuration, if a case involves multiple suspects, each suspect is detected by a set of scenarios. The overall commentary or narrative for the case may include an introduction, a relationship section describing the relationships between the suspects, a set of individual comments (or narratives) for each scenario, and a conclusion.

[0287] Updating the relative positions of linking words and facts in the default narrative based on different fact sets can streamline the SAR case review and submission process. For example, when an intelligent alert system detects an alert for a suspect, it sends the currently matching scenario and all scenarios matching historical alerts for that suspect to the investigator's computer system. The investigator selects the scenario that constitutes grounds for submitting an SAR and sends the selected scenario back to the intelligent alert system. The intelligent alert system searches its database to identify the default narrative for the selected scenario and sends a default narrative based on the suspect's facts back to the investigator's computer system. The investigator reviews the narrative and can make changes as needed.

[0288] When an investigator saves the revised statement, their computer system sends it back to the intelligent alert system. The intelligent alert system stores the revised statement and sends the SAR form with the revised statement back to the BSA officer's computer system. If the BSA officer approves the SAR form, the intelligent alert system sends it to FinCEN's computer system. If the investigator deems no changes to the default statement necessary, the intelligent alert system can directly send the SAR with the default statement to the BSA officer's computer system for approval.

[0289] In some cases, the investigator is also a BSA officer, or a BSA officer permits the investigator to submit the SAR directly without any approval. In these cases, the investigator may accept a default narrative based on the facts at the time. In response, the intelligent alert system may directly send the SAR with the default narrative based on the current facts to FinCEN's computer system.

[0290] After an investigator has received a predefined number of default narratives based on different sets of facts for a given scenario without any alterations, the intelligent alert system can assume that the default narrative has matched the investigator's writing style (or preference) for that scenario. Therefore, when a future true-or-false case involving the same scenario is detected again by the suspect at that time, the intelligent alert system can directly send the SAR with the default narrative based on the facts of that time and the suspect's situation to FinCEN's computer system. This eliminates the labor associated with investigators and BSA officers.

[0291] The above description of a single selected scenario can also be applied to multiple selected scenarios. For example, if an investigator has received a predefined number of default narratives based on different sets of facts for all selected scenarios of a detected case, the intelligent alert system can send SARs with default narratives for multiple selected scenarios based on the facts of the suspect at that time to the FinCEN computer system.

[0292] Besides SAR submission applications, aspects of this disclosure can also be used by computer systems to automatically generate different types of reports based on human author preferences. For example, hospitals may need to generate reports for each patient. Police departments may need to generate reports for each incident. Schools may need to generate reports for each student. Many other report generation needs exist. Routine reports are generated using significant human resources. Aspects of this disclosure can reduce the human resources used in report generation.

[0293] Reports can be categorized into different types based on various factors such as reason, purpose, criteria, and context. For example, a hospital might use different types of reports based on the reason for a patient's admission. As an example, this reason could be heart surgery, childbirth, etc. A patient may have multiple reasons for admission. Furthermore, for each primary reason, there may be multiple sub-reasons. For example, if a patient is admitted for the need of heart surgery, there are many reasons for that need. It is desirable to categorize these reasons in detail because each different reason may require a different writing style (or preference) to generate a report. As another example, a police department might generate reports for an incident based on many different reasons, purposes, criteria, and contexts. In yet another example, a school might generate reports for each student based on many different reasons, purposes, criteria, and contexts.

[0294] Reports can be written based on one or more facts. These facts can be stored in a database and consist of data input by humans, data detected by sensors, data collected from different sources, and / or data derived from other sources. Furthermore, humans will use words, phrases, sentences, symbols, etc., to link the facts together to form the report. For ease of citation, these words, phrases, sentences, symbols, etc., used to link the facts together are collectively referred to as "linking words."

[0295] In one configuration, the computer system stores facts in a database. The computer system provides editing capabilities that allow human authors to create sets of factors, which may include reasons, purposes, criteria, scenarios, etc. The computer system also provides editing capabilities that allow human authors to use the fact sets to create default narratives for each factor. Furthermore, the computer system provides editing capabilities that allow human authors to write linking words for the default narratives for each factor. The computer system also stores the default narrative for each factor. The default narrative includes facts and linking words.

[0296] In one configuration, the computer system stores a default description for each factor in a database. In this configuration, the default description includes linking words, the position of each fact in the description, and the storage location in the database used to store each fact. For example, the default description could be "(Object 1) was involved in a car accident at (Object 2)". In this example, Object 1 and Object 2 are two facts. The computer system stores the entire sentence in the database, including the linking words "was involved in a car accident at..." and the positions of Object 1 and Object 2 within that sentence. Additionally, the computer system stores the table names and field names for Object 1 and Object 2 separately in the database.

[0297] Data fields with the same definition can be stored in the same database table. For example, the names of all patients are stored in the same database table listing all patient names. Therefore, when two different sets of facts are used to write two narratives for two cases, corresponding fact pairs located in the same position in each corresponding narrative are in the same database table. When multiple database tables are used to generate facts, the database keys linking these multiple database tables can also be stored in the database. As a result, when a default comment or narrative based on an old set of facts is used to generate a new narrative for a new set of facts, the computer system identifies each corresponding fact pair and replaces the old facts with the corresponding new facts.

[0298] For example, object 1 is the "patient name field" stored in the patient table, while object 2 is the "data field" in the event table. In the example above, "BB was in a car accident on January 20, 2018" and "CC was in a car accident on February 3, 2018" are based on the same narrative format but contain two different factual fragments (e.g., patient name and event date). The linking words for these two scenarios are exactly the same: "involved in a car accident."

[0299] In one configuration, the computer system lists a set of factors, which may include reasons, purposes, criteria, scenarios, etc. The computer system can allow human authors to select the factors to display as the default narrative based on a new set of facts. Human authors can add, delete, or modify linking words in the narrative displayed by the computer system.

[0300] In one configuration, the computer system provides search and editing capabilities, allowing human authors to add, delete, or modify facts and change their position within the narrative displayed by the computer system. Human authors can store the revised narrative as a new default narrative, which includes the facts, the position of each fact fragment, and linking words. The computer system stores database tables, keys, and field information for each fact used to obtain the new default narrative.

[0301] In one aspect of this disclosure, the human author selects factors to display in a new default narrative based on a new set of facts and the same set of linking words stored in a database. The computer system extracts each new fragment of a new fact based on the location of its corresponding old fragment in the database. The computer system can then display each new fact between linking words in the narrative based on the location of each corresponding old fact within the narrative.

[0302] In one configuration, the computer system provides human authors with the ability to add, delete, or modify linking words in the new default narrative displayed by the computer system. Human authors can also add, delete, or modify facts, and change the position of facts within the new default narrative displayed by the computer system. Human authors can then save the revised new default narrative as the next new default narrative.

[0303] The above process can be repeated, allowing human authors to continue revising the default narrative based on new sets of facts, and storing the revised default narrative as the next new default narrative. As a result of this evolutionary process, future default narratives can be matched with the preferences of human authors.

[0304] In one aspect of this disclosure, a narrative is considered mature for the selected factors if, based on the same factors chosen by the human author, the human author does not alter the number of instances of different cases using different sets of facts. The predefined number can be defined by a person and / or a computer system.

[0305] In one configuration, if, based on the same factors selected by human authors, the human authors do not change the number of instances displayed by the computer system for different cases using different fact sets, these linking words are considered mature for the selected factors. The predefined number of instances can be defined by humans and / or the computer system.

[0306] In one configuration, if the narrative is mature for the factors selected by the human author, the computer system automatically skips the narrative review process or recommends that the human author skip the narrative review process for that selected factor, and uses the current default narrative as the standard narrative format to generate a report for the selected factor. The standard narrative format contains facts that may differ in each report, as well as the exact same set of linking words that matches the human author's writing style (or preference).

[0307] In one configuration, if the link words are mature for the factors selected by the human author, the computer system automatically skips the narrative review process or recommends that the human author skip the narrative review process and use the current default link words as the standard link words to generate the report for that selected factor.

[0308] In one configuration, if a human author has selected multiple factors to write a report, the computer system uses the selected factors to generate a narrative section for each factor, and combines the multiple narrative sections together based on the multiple selected factors to generate a report.

[0309] An introduction may be inserted at the beginning of the report. The introduction includes facts and / or linking words. These facts and / or linking words may be revised by human authors through multiple reports based on the evolutionary processes explained in this disclosure to ultimately match the writing skills (or preferences) of human authors.

[0310] A link section may be inserted in the middle of the report. The link section includes facts and / or link words that may be revised by human authors through multiple reports based on the evolutionary processes explained in this disclosure to ultimately match the writing skills (or preferences) of human authors.

[0311] A conclusion section may be inserted at the end of the report. The conclusion section includes facts and / or linking words that may be revised by human authors through multiple reports based on the evolutionary processes explained in this disclosure to ultimately match the writing skills (or preferences) of human authors.

[0312] As a result of this disclosure, the computer system learns the writing style (or preferences) of each human author and can automatically generate various reports for him / her based on his / her writing style (or preferences).

[0313] One or more of the examples above are based on anti-money laundering applications in financial institutions. However, this disclosure can also be applied to many other different types of applications for different organizations and purposes. For example, a smart alarm system can be used by a government organization to identify any employee who may potentially steal confidential information from the government. A smart alarm system can be used by a school to identify any student who may potentially drop out. A smart alarm system can be used by a social networking company to identify any member who may potentially engage in illegal activities on the social network. A smart alarm system can be used by an employer to identify any employee who may potentially resign. A smart alarm system can be used by a marketing company to identify targets for potential business transactions. A smart alarm system can also be a mobile application used by individuals to identify potential stocks or commodities for investment purposes. As a public health application, a smart alarm system can be a mobile app that monitors a person's health status and sends a message if there is a potential health problem. There are countless applications for smart alarm systems. The following process is an example of how a smart alarm system is designed and developed to monitor a group of subjects for any specific purpose.

[0314] In one configuration, the intelligent alert system assigns scores to various factors. Alternatively, the intelligent alert system assigns a score to each degree of each factor. The degree of a factor is used to distinguish different levels of influence of that factor. For example, outgoing wire transfers are a risk factor considered for anti-money laundering purposes. However, the amount of USD in the wire transfer may have different influences. For example, from 0 to... A wire transfer of 10,000 carries a low level of money laundering risk, while from... 250,000 to A wire transfer of 1,000,000 may pose a high level of money laundering risk. Factors can be based on data associated with entities that have a positive or negative impact on achieving the objective. The intelligent alert system assigns a score to each factor. The intelligent alert system can identify the possible degree of factors in data associated with entities that have a positive or negative impact on achieving the objective. The intelligent alert system assigns a score to each degree of each factor. In one configuration, the intelligent alert system generates a total score for each monitored entity by summing all scores for factors or degrees of factors associated with that entity.

[0315] Intelligent alarm systems use a set of scenarios based on different criteria. Criteria may include factors from data associated with a subject, the degree of factors from data associated with a subject, and / or scores derived from data associated with a subject. Additionally or alternatively, criteria may be based on rules derived from decision trees, specific categories associated with a subject, if-then conditional formats derived from models trained by machine learning networks, if-then conditional formats derived from behavioral patterns, if-then conditional formats derived from transaction patterns, factors established by software modules, and / or factors established by the system's users or designers.

[0316] The above methods are used to establish scenarios for the intelligent alarm system. These scenarios can trigger alarms to generate potential cases, and each potential case can have one or more scenarios in its cause vector. The intelligent alarm system can list a set of potential cases triggered by one or more scenarios. Investigators can review potential cases to determine which cases are true affirmations and which are false affirmations. Additionally, investigators can review current potential cases together with historical potential cases to determine which combinations of cases are true affirmations or false affirmations.

[0317] In one configuration, the intelligent alert system enables investigators to examine scenarios of potential cases to determine which scenario combinations generate true affirmations and which generate false affirmations. The intelligent alert system also provides investigators with the ability to examine current potential case scenarios alongside scenarios of historical potential cases to determine which scenario combinations are true affirmations and which are false affirmations.

[0318] Although the combined cause vector is derived from a combination of multiple cause vectors, it has the same form as a single cause vector. By definition, the combined cause vector is a cause vector that combines cases. Therefore, the conditional probability of the combined cause vector... P(S / cbv) conditional probability of cause vector P(S / x) It can be calculated using a similar method.

[0319] Furthermore, while causal vectors (or combined causal vectors) can trigger potential cases for investigation, the reasons for reporting a case can be based on a subset of the scenarios for which the causal vectors are derived. To maintain the accuracy of posterior probability calculations, it is desirable to identify, for true certainty, a subset of scenarios that form the true causal vectors.

[0320] The intelligent alert system provides investigators with the ability to examine the scenarios of potential cases to identify true cause vectors if a potential case is confirmed. If a combination of potential cases is confirmed, investigators can examine the scenarios of the combined potential cases to identify true cause vectors. The intelligent alert system can store the investigation results and associated cause vectors (or true cause vectors) for each potential case. As explained earlier, once the true cause vectors have been identified, the set of scenarios constituting the true cause vectors can be used to generate a narrative set, and the SAR form can be automatically filled and sent to FinCEN.

[0321] In one configuration, the intelligent alarm system stores the investigation results of combined cases and the associated combined cause vectors (or true combined cause vectors) for the combined cases. Each combined cause vector (or true combined cause vector) may consist of one or more scenarios. The results and other information may be stored in a database or other data structures.

[0322] After investigators have used the intelligent alert system for some time, the system accumulates a large amount of data associated with the subject. This data may include historical potential cases, historical investigation results (e.g., true or false positivity), and associated causal vectors (or true causal vectors). As a result, the system's accuracy can improve with increased system use. That is, the system's accuracy can be improved through data accumulation.

[0323] For clarity, the cause vector or true cause vector will generally be referred to as cause vector in the following text. Furthermore, the cause vector in the following text will generally include both cause vector and combined cause vector. Therefore, cause vector generally refers to cause vector, combined cause vector, true cause vector, and / or true combined cause vector.

[0324] In one configuration, once the amount of historical data exceeds a threshold, the system calculates a conditional probability for each cause vector. The threshold can be based on the number of true cases, the number of potential cases, the data size, and / or other factors. The conditional probability based on a cause vector for a given time period is the number of true positives triggered by that cause vector divided by the total number of potential cases triggered by that cause vector.

[0325] In one aspect of this disclosure, when the conditional probability of a cause vector is below a false positive rejection threshold, the intelligent alarm system will reject potential cases triggered by that cause vector as false positives. The false positive rejection threshold can be set by a software module, by personnel designing the system, by personnel adjusting the system, and / or by users of the system.

[0326] In some cases, if potential cases triggered by a causal vector consistently have low conditional probabilities, the scenarios associated with that causal vector may not be properly defined. In such cases, the user adjusts the scenarios of the causal vector so that these scenarios will increase the probability of prediction. Intelligent alarm systems can prompt users to make such changes.

[0327] An intelligent alarm system can accept a potential case triggered by a cause vector as a true affirmative if the conditional probability of that cause vector is higher than a true affirmative acceptance threshold. The true affirmative acceptance threshold can be set by the software module, the system designer, the system administrator, and / or the system user.

[0328] A vector with multiple elements can be transformed into a combination of multiple vectors. For example, vector A has three elements: v1, v2, and v3. In this example, vector A can be a combination of three vectors (e.g., vector B with element v1, vector C with element v2, and vector D with element v3). For clarity, vector A is referred to as the parent vector. Vectors B, C, and D can be referred to as child vectors. In the following disclosure, the parent vector will be considered as the parent vector.

[0329] The example above assumes that the subvector has only one element. In general, a subvector can have multiple elements. For example, the vector A in the example above could have subvectors containing elements v1 and v2. Because each element can be included in or excluded from the parent vector to form a subvector, a parent vector with N elements can have a total of 2... N There are 2 possible combinations, including itself with all N elements and an empty vector with no elements. Therefore, a parent vector with N elements can have 2 N - Two possible meaningful subvectors. Each element of the cause vector corresponds to a scenario. When an element is one, the corresponding scenario is included. When an element is zero, the corresponding scenario is excluded. A subset of the scenarios in the parent cause vector can form the scenarios in the subcause vector.

[0330] Generally speaking, increasing the number of scenarios in a causal vector can increase the conditional probability value of that causal vector. For example, if the first causal vector has only scenario A as its vector element, while the second causal vector has both scenario A and scenario B as its vector elements, then the second causal vector should have the same conditional probability value as the first causal vector or a higher conditional probability value than the first causal vector.

[0331] Therefore, compared to any of the child vectors of the parent cause vector, the parent cause vector has the same or higher conditional probability value. That is, if a child vector already has a conditional probability value higher than the true affirmative acceptance threshold, then the conditional probability value of the parent cause vector is also greater than the true affirmative acceptance threshold.

[0332] In one configuration, when the conditional probability value of one of the subvectors of the cause vector is equal to or greater than a threshold, the intelligent alarm system accepts a potential case triggered by that cause vector as a true positive. The threshold can be set by the software module, the system designer, the system regulator, and / or the system user.

[0333] Current potential cases can be combined with a set of historical potential cases to form a combined cause vector. When the conditional probability value of one subvector in the combined cause vector is equal to or greater than a threshold, the intelligent alarm system can accept the combined cause vector of the potential case as a true positive. The threshold can be set by the software module, the system designers, the system administrators, and / or the system users.

[0334] Intelligent alarm systems may struggle to try all possible combinations of historical potential cases to determine whether a specific combination of historical and current potential cases would meet the automatic true positive acceptance criterion. Therefore, in one configuration, the intelligent alarm system accepts the combined cause vector as a true positive when the conditional probability value of one subvector of the combined cause vector is equal to or greater than a threshold. This threshold can be set by the software module, the system designer, the system regulator, and / or the system user.

[0335] Generally, all potential cases related to a single entity may be related to each other. Additionally, all potential cases related to a group of related entities may be related to each other. For example, if five students live in the same dormitory, then all potential cases related to any one of those five students are related cases. The scope of relationships used to define related potential cases can be set by the software module, the system designer, the system regulator, and / or the system user.

[0336] If the intelligent alarm system has been used for an extended period, using all relevant potential cases may be impractical or inefficient. That is, the number of relevant potential cases may be excessive, thus degrading performance. Therefore, it may be desirable to limit the scope of relevant cases to a specific time period. In one configuration, a combined cause vector can be generated from the current potential cases and a set of relevant historical potential cases that occurred within a predefined time period. The intelligent alarm system can accept the combined cause vector as a true positive when the conditional probability value of a subvector of the combined cause vector is equal to or greater than a threshold. The threshold can be set by the software module, the system designer, the system regulator, and / or the system user. The predefined time period is set by the software module, the system designer, the system regulator, and / or the system user.

[0337] The intelligent alert system provides investigators with the opportunity to investigate cases that were not automatically rejected as false affirmations and were not automatically accepted as true affirmations. The intelligent alert system records the investigation results of each potential case and the associated causal vector for that potential case. This information can be used to calculate the future conditional probability value of the causal vector.

[0338] Because intelligent alarm systems continue to use investigation results to further adjust future conditional probability values, they can adapt to changes in the future environment. The more potential cases an intelligent alarm system can handle without human intervention, the fewer potential cases are left for investigators to handle.

[0339] Intelligent alarm systems can automatically exclude cases that are accepted as true affirmatives or rejected as false affirmatives from the calculation of posterior probability values. This method avoids problems caused by positive feedback. For example, if determined by cause vectors... x If the triggered potential case has been automatically accepted as a true affirmative, then if the outcome of that case is included in the cause vector... x In the calculation of the posterior probability value, the conditional probability... p(S / x) The value of may increase. Therefore, due to the cause vector x The next potential case triggered may be automatically accepted as a true affirmative. (Based on the cause vector) x The automatic acceptance of future potential cases triggered by the cause vector will continue as the posterior probability value continues to rise. In other words, once a potential case triggered by the cause vector has been automatically accepted as a true positive, then if the accepted case is included in the calculation of the posterior probability value of the cause vector, all future potential cases triggered by the same cause vector will be automatically accepted as true positives. This is undesirable because this "no-return" process deprives the intelligent alarm system of the ability to readjust itself when the environment changes in the future.

[0340] In one configuration, the intelligent alarm system does not automatically reject a potential case when its conditional probability value is below the false positive rejection threshold. As a result, investigators can fine-tune the conditional probability value using this potential case. For reference, this case is referred to as a false positive verification case. The number, percentage, and / or frequency of false positive verification cases are determined by the software module, the personnel who designed or tuned the system, and / or the users of the system.

[0341] Additionally, in some cases, when the conditional probability value of a potential case exceeds the true affirmative acceptance threshold, the intelligent alarm system may not automatically accept the potential case as a true affirmative. As a result, investigators can fine-tune the conditional probability value using this potential case. For clarity, this case is referred to as a true affirmative verification case. The number, percentage, and / or frequency of true affirmative verification cases are determined by the software module, the personnel who designed or tuned the system, and / or the users of the system.

[0342] In some cases, certain entities are treated differently for various reasons. For example, some entities are placed on a "no-comparison list" or a "white list." Potential cases associated with entities on such lists can be considered false positives and do not require review. Similarly, for other purposes, potential cases associated with entities on another list can be considered true positives and do not require review.

[0343] Because these cases are treated differently, they are considered outliers. The goal is to exclude these outliers from the calculation of the posterior probability value. The intelligent alert system can skip potential cases associated with subjects on a "non-comparison list" or "white list." Skipped cases can be excluded when calculating the posterior probability value of the cause vector.

[0344] In some cases, alerts triggered by scenarios concerning a subject may result in false alarms because the scenario is not suitable for monitoring that subject. For example, a cash-intensive business may naturally have more cash than other types of businesses, and comparing cash amounts between that business and others may not be meaningful or appropriate. In this case, investigators can mark the scenario as verified for that subject. This means that the scenario has already been verified by investigators for that subject, and if another alert is triggered by this scenario for that subject, no action is required. Therefore, potential cases triggered by scenarios with a verified status are also considered outliers.

[0345] In one configuration, the intelligent alert system skips a potential case associated with a subject that has a verified state regarding the scenario that triggered the potential case. The intelligent alert system does not include the skipped case in the calculation of the posterior probability value of the cause vector.

[0346] When an investigator rejects a potential case as a false positive, the intelligent alert system prompts the investigator to determine whether the scenario that triggered the potential case should be marked as verified. If the scenario is not marked as verified, it may trigger another false positive in the future. Therefore, it is desirable to mark the scenario as verified when a potential case triggered by that scenario is determined to be a false positive.

[0347] The number of potential cases used to calculate the conditional probability value can also affect the reliability of that conditional probability value. For example, if it has already been calculated using a cause vector... x If only one potential case is triggered, and that potential case has already been accepted by the investigator as a true affirmative, then the conditional probability is... p(S / x) It may be unreliable, even if it has a value of 100%. However, if it has already been determined by the cause vector... x Five potential cases are triggered, and the conditional probability is... p(S / x) If the conditional probability is 100%, then it is likely more reliable than the previous example.

[0348] When the conditional probability of a cause vector is less than threshold A and the number of potential cases triggered by that cause vector and used to calculate the conditional probability is greater than threshold B, the intelligent alarm system can automatically reject potential cases triggered by that cause vector as false positives. Each of thresholds A and B can be set by the software module, the person designing or adjusting the system, and / or the user of the system.

[0349] When the conditional probability of a cause vector is higher than threshold A and the number of potential cases triggered by that cause vector and used to calculate the conditional probability is greater than threshold B, the intelligent alarm system can automatically accept the potential cases triggered by that cause vector as true positives. Each of thresholds A and B can be set by the software module, the personnel designing or adjusting the system, and / or the system user.

[0350] When intelligent alert systems automatically accept potential cases as true affirmatives or reject them as false affirmatives based on conditional probability thresholds, it may be desirable to use different conditional probability thresholds for subjects in different categories. For example, even if the conditional probability of a current potential case is below the true affirmative acceptance threshold, financial institutions may still submit SARs for potential cases related to subjects who are suspects in past SAR cases.

[0351] In one configuration, the intelligent alert system uses different true positive acceptance thresholds and false positive rejection thresholds for subjects in different categories. These different categories can be defined by the software modules, the personnel designing or configuring the system, and / or the users of the system. In examples of anti-money laundering applications, these categories may include: customers who were previously suspected by a SAR, customers who previously matched the OFAC list, customers who previously matched the 314(a) list, customers who previously matched the politically exposed persons list, customers who previously matched other watch lists, high-risk customers, medium-risk customers, low-risk customers, high-risk counterparties, medium-risk counterparties, low-risk counterparties, high-risk countries, medium-risk countries, low-risk countries, high-risk regions, medium-risk regions, low-risk regions, high transaction amounts, medium transaction amounts, low transaction amounts, etc.

[0352] Because these categories can also be factors (e.g., risk factors) used for score (e.g., risk score) allocation and calculation purposes, it is desirable to use different true affirmative acceptance thresholds and false affirmative rejection thresholds for different factors. In one aspect of this disclosure, an intelligent alarm system allows users to assign true affirmative acceptance thresholds and false affirmative rejection thresholds to each factor.

[0353] In one configuration, the intelligent alert system accepts a potential case as a true affirmative if the conditional probability of the cause vector is higher than one of the true affirmative acceptance thresholds for the factors associated with the potential case. Conversely, the intelligent alert system may reject a potential case as a false affirmative if the conditional probability of the cause vector is lower than one of the false affirmative rejection thresholds for the factors associated with the potential case.

[0354] When many factors are involved, such an approach can be complex. Therefore, it is desirable to select only a few important factors and assign different true affirmative acceptance and false affirmative rejection thresholds. In one configuration, the intelligent alarm system allows the user to select a set of factors and assign a true affirmative acceptance threshold to each selected factor. The user can also select a set of factors and assign a false affirmative rejection threshold to each selected factor.

[0355] Therefore, if the conditional probability of the cause vector is higher than one of the true affirmative acceptance thresholds among the selected factors associated with the potential case, the intelligent alarm system can treat the potential case triggered by that cause vector as a true affirmative acceptance. Conversely, if the conditional probability of the cause vector is lower than one of the false affirmative rejection thresholds among the selected factors associated with the potential case, the intelligent alarm system can treat the potential case triggered by that cause vector as a false affirmative rejection.

[0356] To increase accuracy, it is desirable that the total number of potential cases exceeds a threshold when calculating conditional probabilities. The threshold can be the number of cases or a period of time. The threshold can be set by the user as needed.

[0357] In one configuration, the intelligent alarm system records potential incidents, investigation findings, associated cause vectors, and the date and time when the record was created. The intelligent alarm system can calculate cause vectors. x The conditional probability, which is determined by the cause vector. x The number of true positives triggered divided by the number of causes vectors x The total number of potential cases triggered.

[0358] After calculating the conditional probability value, the intelligent alarm system also records additional values ​​in the database, such as: (1) up to that time, determined by the cause vector. x The number of true positives triggered; (2) the number of causes up to that time. x The total number of potential cases triggered; and (3) the calculated date and time, which may be referred to as the cause vector. x The last computation time. As a result of storing these additional values, the intelligent alarm system does not need to repeat the same computation to generate the cause vector again. x They obtained the same value.

[0359] Intelligent alarm systems can update cause vectors x The conditional probability, which is based on the cause vector (before the last calculation). x The number of true positives triggered (including and after the last computation time) is determined by the cause vector. x The sum of the number of true positives triggered, divided by (before the last calculation time) by the cause vector. x The total number of potential cases triggered (including and after the last calculation time) is calculated using the cause vector. x The sum of potential cases triggered.

[0360] In the above calculation, the number of true affirmations triggered by cause vector x (before the last calculation time) plus the number of true affirmations triggered by cause vector x (after and including the last calculation time) plus the number of true affirmations triggered by cause vector x at the current calculation time. x The number of true positives triggered is the same. Similarly, (before the last computation time) by the cause vector x The total number of potential cases triggered, plus (after and including the last calculation time) from the cause vector. x The total number of potential cases triggered is related to the cause vector at the current calculation time. xThe total number of potential cases triggered is the same. Therefore, the above calculations will achieve the same conditional probability. p(S / x) The conditional probability is determined by the cause vector. x The number of true positives triggered divided by the number of causes vectors x The total number of potential cases triggered.

[0361] (Before the last calculation) by the cause vector x The sum of the number of true positives triggered (including and after the last computation time) is determined by the cause vector. x The number of true positives for each trigger can be stored in the database after the last calculation of the conditional probabilities. Therefore, the intelligent alarm system can search the database to find these two values. Thus, the intelligent alarm system calculates two new values ​​based on the time since the last calculation and including potential cases detected in the last calculation. This method has reduced many computations, which in turn reduces the amount of data stored in memory.

[0362] In one aspect of this disclosure, once the calculation of conditional probability values ​​has been completed, in addition to potential cases, investigation results, and causal vectors... x In addition, the intelligent alarm system also stores additional values, such as: (1) the values ​​up to that time from the cause vector. x The number of true positives triggered; (2) the number of causes up to that time. x The total number of potential cases triggered; and (3) the calculated date and time, which may be referred to as the cause vector. x The new last computation time. As a result, these values ​​will simplify the interpretation of the cause vector. x The next round of calculation of the conditional probability of the triggered potential cases.

[0363] The above method can be further modified during the software coding process. In one aspect of this disclosure, the intelligent alarm system is a cause-vector system. x Maintain two counters: one for the number of true positives (NTPX) and the other for the number of potential cases (NPCX).

[0364] In one aspect of this disclosure, the intelligent alarm system resets both counters NTPX and NPCX to zero to begin counting. As an example, this is achieved by using a cause vector. x The triggered potential cases can be manually reviewed by investigators and determined to be true. In this example, the intelligent alarm system increments the NTPX counter by one because the manually reviewed case is determined by the cause vector. x The number of true positives triggered has increased by one. For the current example, the system also increments the NPCX counter by one, because of the cause vector. x The number of potential cases triggered has increased by one.

[0365] As another example, derived from the cause vector x The triggered potential case was manually reviewed by the investigator and determined to be a false positive. In this example, the intelligent alarm system incremented the NTPX counter by zero because the manually reviewed case was determined by the cause vector. x The number of true positives triggered does not increase, and the NPCX counter is incremented by one, because of the cause vector. x The number of potential cases triggered has increased by one.

[0366] In a configuration, there is a cause vector x Conditional probability of triggering new potential cases p(S / x) It is NTPX divided by NPCX. This method can reduce the computation of conditional probabilities. p(S / x) This reduces complexity and simplifies software coding.

[0367] Although the example uses a cause vector x However, the above method can be used for any cause vector. A smart alarm system may have many pairs of counters, each pair corresponding to a cause vector. As explained earlier, the total number of pairs is finite because only a very small number of scenarios can coexist on the same cause vector to trigger a potential case.

[0368] By using the methods described above, intelligent alarm systems can reduce the amount of time spent on calculations. Furthermore, the accuracy of conditional probability values ​​increases when more potential cases are used in the calculations to derive the conditional probability values.

[0369] As intelligent alert systems continue to learn from human workers, it's only a matter of time before they automatically detect alerts, decide to submit SARs, complete SAR forms, write narratives, and send SAR forms to FinCEN. Intelligent alert systems will reduce human resources and handle SAR compliance matters in a manner similar to how humans handle such matters.

[0370] Although the detection of suspicious activity, the investigation of SAR cases, and the submission of suspicious activity reports are used as examples, the same set of methods in this disclosure can be used to handle the detection of currency transactions, the investigation of CTR cases, and the submission of cash transaction reports (CTRs) to FinCEN.

[0371] Similarly, the same set of methods in this disclosure can be used to handle the detection of potential OFAC matches, the investigation of potential matches, and the reporting of actual matches to the Office of Foreign Assets Control (OFAC). In this case, the relative relevance (RC) value used to measure the degree of matching is equivalent to the risk score used to measure the degree of risk. Therefore, instead of using a risk score-based scenario, the intelligent alert system can use an RC-based scenario.

[0372] The OFAC list is just one example among many regulatory lists. The same set of methods in this disclosure can be used for the detection, investigation, and reporting of matches against all types of regulatory lists, such as the 314(a) list, the Denied Persons list, the Politically Exposed Persons list, and any other lists issued by government organizations and / or non-governmental organizations. Those familiar with regulatory compliance requirements will understand that this set of methods can be used to detect, investigate, and report on any entity seeking compliance with any type of regulatory reporting requirement.

[0373] As discussed, this disclosure describes a set of methods that can be used by intelligent alarm systems for any application and purpose. Whenever an application involves alarm generation, alarm review by humans, and subsequent actions by humans in response to the results of the alarm review, the intelligent alarm system will gradually learn from humans, make decisions on behalf of humans, and perform subsequent actions on their behalf. As a result, the intelligent alarm system will reduce human work and time, and can replace some or all of the human labor in such applications.

[0374] As envisioned in the aforementioned aspects, one of the many possible combinations is described below as an example. The intelligent alarm system 500 and the computer network 600 (such as a local area network) enable BSA officers 100, compliance officers 200, investigators 300, and other responsible persons 400 to comply with different types of laws and regulations and to send SAR cases directly to another computer system 700 located at FinCEN, such as... Figure 1 As shown.

[0375] Compliance Officer 200 configures and / or adjusts parameters of Computer System 500 via Computer Network 600. Computer System 500 uses internal workflow functions to send potential cases to Investigator 300 via Computer Network 600. After investigation, Investigator 300 sends the potential case and her investigation results to Computer System 500 via Computer Network 600. Computer System 500 uses internal workflow functions to send the potential case and investigation results to BSA Officer 100 via Computer Network 600 for approval. After BSA Officer 100 approves the investigation results, if the potential case is confirmed, Computer System 500 receives that approval from BSA Officer 100 via Computer Network 600. Computer System 500 then sends the confirmed case to Computer System 700 at FinCEN.

[0376] In some smaller financial institutions, the same person may have multiple job responsibilities. For example, one person could be a BSA officer, compliance officer, and investigator. In such cases, the intelligent alert system uses its internal workflow capabilities to assign different tasks to the person based on their different responsibilities at different stages of the workflow.

[0377] After the computer system 500 has gradually learned from the experience of investigator 300, it will become more intelligent and will automatically accept a potential case as a true affirmative if the conditional probability of the case is higher than a predefined value. In this case, the computer system 500 sends the true affirmative directly to the computer system 700 at FinCEN without any human intervention. The more the computer system 500 is used by investigator 300, the more intelligent it becomes. It is expected that the computer system 500 will eventually handle almost all potential cases autonomously with minimal human intervention.

[0378] like Figure 2 Flowchart combined Figure 1As shown in the system diagram, computer system 500 is used for anti-money laundering applications. First (Box 2001), computer system 500 receives background and transaction data of customers from financial institutions. Then (Box 2002), computer system 500 assigns a risk score to each risk factor in the data. Compliance officer 200 has the option to adjust the risk scores via network 600. Then (Box 2003), computer system 500 assigns a risk score to the degree of each risk factor in the data. Compliance officer 200 also has the option to adjust the risk scores via network 600. After the risk scores have been assigned and adjusted, computer system 500 calculates a total risk score for each customer (Box 2004). Furthermore (Box 2005), computer system 500 establishes detection scenarios based on the risk score set. Compliance officer 200 has the option to adjust the scenarios via network 600. Furthermore (Box 2006), computer system 500 establishes detection scenarios based on non-risk score sets. Compliance officer 200 also has the option to adjust the scenarios via network 600. After the scenario has been established and adapted, computer system 500 uses the scenario to detect potential cases (box 2007). Computer system 500 uses its workflow capabilities to communicate with investigator 300 and BSA officer 100 via network 600 based on the following mechanism (box 2008): Computer system 500 sends potential cases to investigator 300 via network 600. Investigator 300 investigates the potential cases and sends the investigation results to computer system 500 via network 600. Computer system 500 sends the investigation results to BSA officer 100. BSA officer approves the investigation results and sends the approval to computer system 500 via network 600. After the investigation results are approved by BSA officer 100, computer system 500 stores the potential case, investigation results, and associated cause vector along with a timestamp in a database (box 2009). BSA officer 100 instructs computer system 500 to report a true positive to FinCEN via network 600. Computer system 500 will send a true / false signal to computer system 700 at FinCEN based on the FinCEN communication protocol.

[0379] Figure 3 A flowchart for reporting potential money laundering cases according to various aspects of this disclosure is shown. According to various aspects of this disclosure, computer system 500 increases its ability to detect true and certain cases after accumulating potential cases, investigation results, and causal vectors (as explained above) for a period of time. Computer system 500 uses a set of true and certain acceptance thresholds. Compliance officer 200 approves the true and certain acceptance thresholds via network 600.

[0380] like Figure 3As shown, in box 3001, computer system 500 detects a potential case triggered by cause vector x. Then (box 3002), computer system 500 calculates the conditional probability p(S / x) of cause vector x. Computer system 500 compares the conditional probability value of cause vector x with a set of true affirmative acceptance thresholds (decision box 3003). If the conditional probability value of cause vector x exceeds any of the thresholds ("Yes" branch 3005), computer system 500 sends the potential case as a true affirmative to computer system 700 at FinCEN (box 3011). If the conditional probability value does not exceed any of the thresholds ("No" branch 3004), computer system 500 sends the potential case to investigator 300 via network 600 for manual investigation (box 3006). Investigator 300 sends the investigation results to computer system 500 via network 600. Computer system 500 sends the investigation results to BSA officer 100 via network 600. Computer system 500 receives approval of the investigation results from BSA officer 100 via network 600. Upon approval, computer system 500 stores the potential case, investigation results, timestamp, and associated cause vector in a database, and the stored information is used for future calculations of the conditional probability value of cause vector x (box 3007). Furthermore, computer system 500 determines whether the investigation results indicate a true affirmative of the potential case (decision box 3008). If the potential case is a true affirmative (“Yes” branch 3010), computer system 500 sends this true affirmative to computer system 700 at FinCEN (box 3011). If the potential case is not a true affirmative (“No” branch 3009), computer system 500 rejects the potential case as a false affirmative.

[0381] In box 3003, computer system 500 compares the conditional probability value of cause vector x with a set of true affirmative acceptance thresholds to determine whether computer 500 can automatically accept a potential case as a true affirmative. However, if the total number of potential cases previously triggered by cause vector x is very small, the conditional probability value of cause vector x may be unreliable. In this case, computer system 500 can still send potential cases to investigator 300 via network 600 for manual investigation (box 3006).

[0382] However, as explained above, if the conditional probability value of one of the subvectors of the cause vector x is reliable and above any of the true affirmative acceptance thresholds, computer system 500 may still send the potential case as a true affirmative to computer system 700 at FinCEN (box 3011).

[0383] like Figure 4 Flowchart combined Figure 1As shown in the system diagram, computer system 500 uses a method based on the investigation results of investigator 300 to calculate the conditional probability p(S / x) of cause vector x. Computer system 500 uses counter NTPX to count the number of true affirmations triggered by cause vector x. Additionally, computer system 500 uses counter NPCX to count the total number of potential cases triggered by cause vector x. In the initial stage, computer system 500 sets the values ​​of both counters to zero. Once a potential case is detected, computer system 500 determines whether the potential case was triggered by cause vector x (decision box 4002). If the potential case was not triggered by cause vector x ("No" branch 4004), the process ends (box 4005) and computer system 500 moves to the next potential case. If the potential case was triggered by cause vector x ("Yes" branch 4003), computer system 500 determines whether manual handling of the potential case is required (decision box 4006). As explained above, sometimes a potential case may have exceeded the true affirmation acceptance threshold and does not require manual handling. Sometimes, even though a potential case has exceeded the true positive acceptance threshold, it may still require a manual process, allowing investigator 300 to further enhance the accuracy of the conditional probability value. If the potential case will not be handled manually (“No” branch 4008), computer system 500 will handle it in another way (e.g., automatically sending a true positive to computer system 700 at FinCEN). Therefore, since there was no manual investigation and the conditional probability is unaffected by the potential case, the process ends (box 4005) and computer system 500 moves on to the next potential case.

[0384] If a potential case is to be handled manually ("Yes" branch 4007), the computer system 500 determines whether the potential case needs to be reviewed, such as investigated (decision box 4009). For example, as explained earlier, if the customer is on the non-comparison list, the computer system 500 should skip the potential case, and the conditional probability should not be affected by the skipped case because it is an outlier. Therefore, if the potential case does not need to be reviewed ("No" branch 4011), the process ends (box 4005) and the computer system 500 moves on to the next potential case.

[0385] If a potential case requires review (“Yes” branch 4010), several events may occur, as explained above. For example, computer system 500 sends the potential case to investigator 300 via network 600. Investigator 300 sends the investigation results to computer system 500 via network 600. Computer system 500 sends the investigation results to BSA officer 100 via network 600. Computer system 500 receives approval of the investigation results from BSA officer 100 via network 600. Based on the investigation results, computer system 500 determines whether the potential case is true (decision box 4012).

[0386] If the potential case is not true (“No” branch 4014), the computer system 500 increments the NTPX counter by zero and the NPCX counter by one (box 4016), and then stores the investigation results and the date and time of the investigation decision together with the potential case and the cause vector x in the database (box 4017).

[0387] If the potential case is true (“Yes” branch 4013), the computer system 500 increments the NTPX counter and the NPCX counter by one (box 4015), and then stores the investigation results and the date and time of the investigation decision along with the potential case and cause vector x in the database (box 4017). Then, the process ends (box 4005) and the computer system 500 moves on to the next potential case.

[0388] The cause vector of a potential case limits the possible causes reported for that potential case. Therefore, two potential cases from two different clients may have the same cause vector. Although the cause vector x is used in the above explanation, there may be many cause vectors. Each cause vector may have a similar... Figure 4 The flowchart. For example, it can also be used with... Figure 4 The same approach shown in the flowchart handles the cause vector. y The exception to the potential cases that are triggered is the use of counters NTPY and NPCY instead of counters NTPX and NPCX.

[0389] Because the above method has already identified the cause vector through the NPCX counter. x The total number of potential cases triggered is manually investigated by investigators 300, so the computer system 500 can also determine whether the conditional probability values ​​are reliable. For example, if NPCX has a value of 1 or 2, then the causal vector... xThe conditional probability value (e.g., NTPX / NPCX) may be unreliable. However, if the NPCX value is greater than a threshold, the conditional probability value of the cause vector x becomes very reliable. Therefore, the computer system can set a true acceptance threshold for the cause vector x under the condition that the NPCX value is greater than a predefined value. This predefined value can be set by the software module, the person who designed the system, the person who tuned the system, and / or the user of the system.

[0390] like Figure 5 Flowchart combined Figure 1 As shown in the system diagram, computer system 500 gradually learns the writing style of investigator 300, enabling computer system 500 to automatically generate reports for investigator 300. As explained earlier, each subject (e.g., a client) may have its own corresponding set of facts. The position of facts relative to linking words is often referred to as format. The relative position of linking words and each fact fragment (e.g., format) broadly defines the writing style of a human author. Human authors can modify linking words, the position of facts, or add or delete fact fragments to complete the report.

[0391] First, computer system 500 generates a report based on the default set of linked terms and the default format, along with the fact set of the current subject (box 5002). Then (decision box 5003), computer system 500 determines whether investigator 300 has modified the previous report generated by computer system 500. If investigator 300 has not modified the previous report ("No" branch 5004), investigator 300 does not need to make additional modifications to the current report, and the current report can be sent to BSA officer 100 for approval (or alternatively, if investigator 300 has the authority to send the report directly to FinCEN, the current report is sent to computer system 700 at FinCEN).

[0392] If investigator 300 modifies a previous report generated by computer system 500 (“Yes” branch 5005), computer system 500 sends the current report to investigator 300 for review and modification (box 5006). Then, after investigator 300 has completed the review, the report is sent back to computer system 500 (box 5007).

[0393] Computer system 500 then determines whether investigator 300 has made any modifications to the current report (decision box 5008). If investigator 300 has not modified the current report ("No" branch 5009), the existing default keyword set and existing default formatting have successfully matched investigator 300's writing style and can be used for future reports. If investigator 300 has modified the current report ("Yes" branch 5010), computer system 500 will use the keyword set modified by investigator 300 as the default keyword set and formatting (e.g., the location of facts) for the next body (box 5011).

[0394] The above process will be repeated for subsequent subjects. The computer system 500 enables the investigator 300 to continue modifying the link words and format for subsequent subjects until the report generated by the computer system 500 has successfully matched the investigator 300's writing style, without requiring any modifications from the investigator 300.

[0395] After computer system 500 has successfully generated a report that matches the writing style of investigator 300, it can still periodically send its reports to investigator 300 so that if investigator 300 changes its writing style, computer system 500 can adapt. This continuous learning process is desirable to allow computer system 500 to adapt to changing needs. The frequency with which reports are sent to investigator 300 for the purpose of adapting computer system 500 to changes in writing style can be determined by the system's designers, users, engineers, or computer algorithms that adjust themselves based on investigator 300's past behavior.

[0396] In this disclosure, thresholds, predefined values, or parameters that can be set by a person (such as a designer, user, etc.) can also be set by an intelligent system that learns a person's preferences by evaluating that person's past behavior.

[0397] In this disclosure, the term "network" generally refers to one or more communication networks, which may be wireless or wired, private or public, real-time or non-real-time, or a combination thereof, and includes the well-known Internet.

[0398] In this disclosure, the terms “computer” or “computer system” generally refer to a computer or a group of computers that can work individually or together to achieve the purpose of the system.

[0399] In this disclosure, the term "processor" generally refers to a processor or a group of processors that can work individually or together to achieve the purpose of the processor.

[0400] In this disclosure, the term "module" refers to a single component or multiple components, which may be hardware, software, firmware, or a combination thereof, and may work individually or together to achieve the purpose of the module.

[0401] In this disclosure, "bank" or "financial institution" generally refers to a financial services provider, whether bank or non-bank, that provides financial and monetary services. Some examples of financial institutions include: banks, credit unions, insurance companies, insurance agents, stockbrokers, bond brokers, commodity brokers, securities companies, mortgage companies, mortgage brokers, money service companies, agents of money service companies, agents of organizations that provide financial or monetary services, financial holding companies, trading companies, trading agents, other financial service providers, other financial agents, stock exchanges, commodity exchanges, securities exchanges, currency exchanges, virtual currency companies, virtual currency issuers, virtual currency service providers, virtual currency network providers, virtual currency computer providers, virtual currency traders, virtual currency exchanges, virtual securities exchanges, bond exchanges, other exchanges, fund managers, investment companies, private equity firms, venture capital firms, merchant acquiring institutions, payment processors, payment card issuers, payment card project managers, internet merchants, transaction processors, securities processors, and other organizations related to financial services.

[0402] In this disclosure, "bank account" or "financial account" generally refers to an account associated with a financial institution, whether bank or non-bank, in which financial transactions can be conducted through financial instruments such as: cash, virtual currency, virtual bills, virtual securities, checks, credit cards, debit cards, ATM cards, stored-value cards, gift cards, prepaid cards, wire transfers, financial instruments, letters of credit, banknotes, securities, commercial paper, commodities, securities, precious metals, electronic funds transfers, automated clearinghouses, etc.

[0403] In this disclosure, "financial transaction" generally refers to transactions related to financial activities, including but not limited to payments, fund transfers, money services, securities issuance, securities trading, currency exchange, commodity trading, payrolls, invoicing, trade, custody, insurance, underwriting, mergers, acquisitions, account opening, account closing, account status checks, etc.

[0404] In this disclosure, “trading” generally refers to private and public trading activities, including but not limited to the trading of stocks, currencies, virtual currencies, virtual notes, virtual securities, commodities, rights, value, securities, derivatives, goods, services, and commodities.

[0405] In this disclosure, “securities” generally refers to the terms as defined in the Securities Act of 1933 and other laws and regulations relating to the Securities Act of 1933. For example, securities may generally include: banknotes, stock certificates, bonds, corporate bonds, cheques, bills of exchange, warrants, traveler’s checks, letters of credit, warehouse receipts, negotiable bills of lading, certificates of debt, certificates of interest or certificates of participation in any profit-sharing agreement, certificates of mortgage trusts, pre-organization certificates or subscriptions, transferable shares, investment contracts, certificates of voting rights trusts; valid or blank motor vehicle titles; tangible or intangible property rights certificates; negotiable instruments, documents or written materials proving ownership of goods, merchandise and commodities, or the transfer or assignment of any right, title or interest in goods, merchandise and commodities; or, generally, any negotiable instrument commonly referred to as a “securities”, or any certificate of interest or participation certificate, temporary or transitional certificate, receipt, warrant, or right to subscribe for or purchase any of the foregoing.

[0406] In this disclosure, "customer" generally refers to a client, person, entity, payer, payee, beneficiary, user, or principal seeking to execute a transaction with an individual, organization, merchant, and / or financial institution.

[0407] In this document, the term "identity document" generally refers to passports, driver's licenses, voter registration cards, welfare cards, student IDs, Social Security cards, national identity cards, identity cards, proof of legal status, and other official documents, as well as information-bearing instruments that identify a designated individual through certain verifiable characteristics, are issued or authenticated by consulates, embassies, government agencies, public or private organizations, or other government agencies, and are protected by one or more responsible parties against unauthorized copying or alteration. Specifically, such "identity documents" can be formed from a variety of materials, including paper, plastics, polycarbonate, PVC, ABS, PET, Teslin, composite materials, etc., and can embed identity information in various formats, including printed or imprinted on documents (or cards), written on magnetic media, programmed into electronic devices, stored in memory, and combinations thereof. "Identity information" can include, but is not limited to, name, identification number, date of birth, signature, address, password, telephone number, email address, personal identification number, tax identification number, national identification number, country of issue, state of issue, validity period, photograph, fingerprint, iris scan, body description, and other biometric information. The embedded information can be read through optical, acoustic, electronic, magnetic, electromagnetic and other media.

[0408] In this disclosure, “personally identifiable information” generally refers to name, address, date of birth, personal identification number, user ID, password, tax identification number, type of identity document used, identification number associated with the identity document, country, state, government organization and / or private organization that issued the identity document, validity period of the identity document, telephone number, nickname, email address, photograph, fingerprint, iris scan, body description, biometric information and other information that can be used to identify a person.

[0409] In this disclosure, "personal information" includes personally identifiable information, personal relationships, personal status, personal background, personal interests, and personal financial information, including information relating to financial instruments, financial accounts and financial activities, as well as other information relating to a person.

[0410] In this disclosure, "financial instrument" generally refers to a tool used to conduct financial transactions. Examples of financial instruments include: cash, virtual currency, virtual securities, virtual notes, credit cards, debit cards, ATM cards, prepaid cards, stored-value cards, gift cards, checks, monetary instruments, wire transfers, ACH transfers, letters of credit, banknotes, securities, commercial paper, commodities, precious metals, gold, silver, etc.

[0411] In this disclosure, "personal communication device" generally refers to a device interface used for personal communication purposes.

[0412] In this disclosure, "device interface" generally refers to a keyboard, keypad, monitor, display, terminal, computer, control panel, vehicle dashboard, network interface, mechanical interface, video interface, audio interface, electrical interface, electronic interface, magnetic interface, electromagnetic interface including electromagnetic wave interface, optical interface, light interface, acoustic interface, video interface, audio interface, contactless interface, mobile phone interface, smartphone interface, smartbook interface, tablet computer interface, other communication device interface, personal digital assistant (PDA) interface, handheld device interface, portable device interface, wireless interface, wired interface, and other interfaces.

[0413] In this document, the term "terminal" or "kiosk" generally refers to equipment including computers and / or their peripherals, microprocessors and / or their peripherals, ATM terminals, cheque cashing kiosks, money service kiosks, merchant cash registers, cash registers, coin exchange machines, parking payment kiosks, other payment kiosks, contactless devices, landline telephones, mobile phones, smartphones, smartbooks, tablets, personal communication devices, tablet devices, digital assistants, entertainment devices, network interface devices, routers, and / or personal digital assistants (PDAs), etc. These devices interface users with computer networks, enabling users to interact with computer systems and other equipment connected to the computer network.

[0414] Depending on the application, the methodologies described herein can be implemented through various means. For example, these methodologies can be implemented in hardware, firmware, software, or any combination thereof. For hardware implementation, processing can be implemented in one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, electronic devices, other electronic units designed to perform the functions described herein, or combinations thereof.

[0415] For firmware and / or software implementations, these methodologies can be implemented using modules (e.g., procedures, functions, etc.) that perform the functions described herein. Any machine-readable medium that tangibly embodies instructions can be used to implement the methodologies described herein. For example, software code can be stored in memory and executed by a processor. Memory can be implemented within or outside the processor. As used herein, the term "memory" means any type of long-term, short-term, volatile, non-volatile, or other memory, and is not limited to any particular type or quantity of memory, or the type of medium on which memory is stored.

[0416] If implemented in firmware and / or software, functionality can be stored as one or more instructions or codes on a computer-readable medium. Examples include computer-readable media encoding data structures and computer-readable media encoding computer programs. Computer-readable media include physical computer storage media. Storage media can be any available medium accessible to a computer. By way of example and not limitation, such computer-readable media may include RAM, ROM, EEPROM, CD-ROM, DVD or other optical disc storage, disk storage or other magnetic storage devices, or any other medium that can be used to store desired program code in the form of instructions or data structures and is accessible to a computer; discs and platters, as used herein, include compact discs (CDs), laser discs, optical discs, digital versatile discs (DVDs), floppy disks, and Blu-ray discs, wherein discs typically reproduce data magnetically, while platters optically reproduce data using lasers. Combinations of the above should also be included within the scope of computer-readable media.

[0417] In addition to storage on a computer-readable medium, instructions and / or data may be provided as signals included on a transmission medium in the communication apparatus. For example, the communication apparatus may include a transceiver having signals indicating instructions and data. The instructions and data may be configured to cause one or more processors to perform the functions outlined in the claims. The communication apparatus may not store all instructions and / or data on a computer-readable medium.

[0418] Various applications can be formed by combining the aspects described in this disclosure as needed. Those skilled in the art to which this disclosure pertains will understand that modifications and alterations to the described structure can be practiced without intentionally departing from the principles, spirit, and scope of this disclosure. Such modifications and alterations should not be construed as a departure from this disclosure.

Claims

1. A method for detecting money laundering activities, comprising: Monitor data associated with one or more transactions executed by a party; Based on the background information of the aforementioned party and the monitored data, one or more scenarios from multiple scenarios are labeled, and the one or more labeled scenarios are associated with a cause vector; In response to a scenario where one or more markers meet the detection criteria, a first computer system detects a first potential case of money laundering; A first ratio is determined between a first value of the cause vector and a second value of the cause vector, the first value being based on the number of true money laundering cases triggered by the scenarios marked in the cause vector, and the second value being based on the total number of potential money laundering cases triggered by the scenarios marked in the cause vector; The first computer system compares the first ratio with the threshold. When the first ratio is less than the threshold, the first potential case is transmitted from the first computer system to the second computer system for investigation. When the results of the investigation indicate that the first potential case is true, the first computer system adjusts the first value. The second value is adjusted by the first computer system based on the cause vector satisfying the detection criteria; as well as When the first potential case is true, a first report associated with the first potential case is transmitted from the first computer system to the third computer system.

2. The method of claim 1, further comprising: The first computer system detects a second potential money laundering case triggered by the cause vector; The first computer system compares a second ratio of the adjusted first value to the adjusted second value with the threshold. as well as When the second ratio is not less than the threshold, a second report associated with the second potential case is transmitted from the first computer system to the third computer system.

3. The method of claim 2, further comprising: When the second ratio is not less than the threshold, the investigation of the second potential case is bypassed.

4. The method of claim 1, further comprising: To determine the number of money laundering cases that are definitively confirmed within a given time period; and Determine the total number of potential money laundering cases during the stated time period.

5. The method of claim 1, further comprising: The scenario in the multiple scenarios of the cause vector is labeled based on at least one of customer data, transaction data, or a combination of said customer data and said transaction data satisfying a condition.

6. The method as described in claim 5, characterized in that, The customer data is associated with at least one of the following: the customer's industry category, the customer's business type, the customer's geographic region, the country of the customer's address, the nature of the customer's business, the type of the business's products, the type of the business's services, the structure of the business, the customer's occupation, the customer's nationality, historical records, types of transactions, account balance, fund inflows, fund outflows, transaction patterns, transaction quantity, transaction amount, transaction volume, transaction frequency, transaction derivatives, the location of the transaction, the time of the transaction, the country of the transaction, the remitter of the transfer transaction, the location of the remitter, the country of the remitter, the nature of the remitter, the recipient of the transfer transaction, the location of the recipient, the country of the recipient, the nature of the recipient, relationships, social status, political exposure, historical transactions, the number of suspicious activity reports submitted for money laundering and terrorist financing cases, the category of the first financial institution, the business type of the first financial institution, the geographic region of the first financial institution, the country of the first financial institution's headquarters, the nature of the first financial institution, the age of the person, the gender of the person, the income level of the person, the appearance of the person, the judgment of the person, the personal situation of the person, etc. The following information is considered: the employee's family situation, the employee's family members, the situation of the employee's family members, the employee's friends, the situation of the employee's friends, the employee's historical records, the employee's industry category, the employee's geographic region, the country of the employee's address, the employee's occupation, the employee's job type, the employee's education level, the employee's income level, the length of service in the current job, performance appraisal records, work history, the duration of each job in the work history, the reason for termination of each job in the work history, the employee's age, the employee's gender, the employee's personal situation, the employee's family situation, the employee's family members, the situation of the employee's family members, the situation of the employee's friends, the employee's historical records, the type of work performed, the number of transactions performed, the amount of transactions performed, the maximum amount of transactions, the number of transactions with a specific counterparty, the amount of transactions with a specific counterparty, the number of changes in key records, the number of changes in key records associated with a specific counterparty, the geographic region of the employee's home, the geographic region of the employee's office, the country of the employee's address, the results of the client's due diligence, the length of the account history, the number of transactions that match the name of a gambling organization, or a combination of the above.

7. The method as described in claim 5, characterized in that, The transaction data is associated with at least one of the following: cash, checks, wire transfers, ATMs, ACH, virtual currencies, virtual securities, virtual bills, credit cards, debit cards, prepaid cards, electronic funds transfers, wire transfers, financial instruments, letters of credit, banknotes, securities, commercial paper, commodities, precious metals, account opening, account closing, account application, deposits, withdrawals, cancellations, balance checks, inquiries, crediting, debiting, or a combination of the above.

8. The method as described in claim 1, characterized in that, The report includes reports of suspicious activity.

9. The method as described in claim 1, characterized in that, The second computer system includes a device interface residing at the financial institution.

10. The method as described in claim 9, characterized in that, The financial institutions mentioned include at least one of the following: banks, credit unions, money service companies, financial holding companies, insurance companies, insurance agents, mortgage companies, mortgage agents, stock agents, bond agents, commodity agents, trading companies, trading agents, other financial service providers, other financial institutions, stock exchanges, commodity exchanges, currency exchanges, virtual currency companies, virtual currency issuers, virtual currency service providers, virtual currency network providers, virtual currency computer providers, virtual currency dealers, virtual currency exchanges, virtual securities exchanges, bond exchanges, other exchanges, fund managers, investment companies, private equity firms, venture capital firms, virtual currency companies, merchant acquiring institutions, payment processors, payment card issuers, payment card project managers, internet merchants, other organizations related to financial services, or combinations thereof.

11. The method as described in claim 1, characterized in that, The third computer system includes device interfaces residing in government organizations.

12. The method as described in claim 11, characterized in that, The government organization mentioned includes a financial crime enforcement network.

13. The method as described in claim 1, characterized in that, The marked scenario includes at least one scenario.

14. The method as described in claim 1, characterized in that, The testing standards include at least one standard.

15. A method for detecting money laundering activities, comprising: Monitor data associated with one or more transactions executed by a party; Based on the background information of the aforementioned party and the monitored data, one or more scenarios from multiple scenarios are labeled, and the one or more labeled scenarios are associated with a cause vector; In response to a scenario where one or more of the markers meet the detection criteria, a first computer system detects potential money laundering cases; The first computer system calculates the conditional probability value of the potential case based on the cause vector. The calculated conditional probability is based on the ratio of a first value of the cause vector to a second value of the cause vector. The first value is based on the number of true money laundering cases triggered by the marked scenarios in the cause vector, and the second value is based on the total number of potential money laundering cases triggered by the marked scenarios in the cause vector. The first computer system compares the conditional probability value with a threshold. as well as When the conditional probability value is greater than the threshold, a report associated with the potential case is transmitted from the first computer system to the second computer system.

16. A method for detecting money laundering activities, comprising: Monitor data associated with one or more transactions executed by a party; Based on the background information of the aforementioned party and the monitored data, one or more scenarios from multiple scenarios are labeled, and the one or more labeled scenarios are associated with a first cause vector; In response to a scenario where one or more of the markers meet the detection criteria, a first computer system detects potential money laundering cases; The first computer system generates a combined cause vector by combining the first cause vector with a second cause vector of a previous potential case. The calculated conditional probability is based on the ratio of a first value of the combined cause vector to a second value of the combined cause vector, the first value being based on the number of true money laundering cases triggered by the marked scenarios in the combined cause vector, and the second value being based on the total number of potential money laundering cases triggered by the marked scenarios in the combined cause vector. The first computer system calculates the conditional probability value of the case triggered by the combined cause vector; The first computer system compares the conditional probability value with a threshold. as well as When the conditional probability value is greater than the threshold, a report associated with the potential case and the previous potential case is transmitted from the first computer system to the second computer system.

17. A method for detecting money laundering activities, comprising: Monitor data associated with one or more transactions executed by a party; Based on the background information of the aforementioned party and the monitored data, one or more scenarios from multiple scenarios are labeled, and the one or more labeled scenarios are associated with a cause vector; In response to a scenario where one or more of the markers meet the detection criteria, a first computer system detects potential money laundering cases; The first computer system calculates the conditional probability value of a case triggered by a subvector of the cause vector. The calculated conditional probability is based on the ratio of a first value of the subvector to a second value of the subvector. The first value is based on the number of true money laundering cases triggered by the marked scenarios in the subvector, and the second value is based on the total number of potential money laundering cases triggered by the marked scenarios in the subvector. The first computer system compares the conditional probability value with a threshold. as well as When the conditional probability value is greater than the threshold, a report associated with the potential case is transmitted from the first computer system to the second computer system.

18. A method for detecting money laundering activities, comprising: Monitor data associated with one or more transactions executed by a party; Based on the background information of the aforementioned party and the monitored data, one or more scenarios from multiple scenarios are labeled, and the one or more labeled scenarios are associated with a first cause vector; In response to one or more marked scenarios that meet the detection criteria, a first computer system detects potential money laundering cases; The first computer system generates a combined cause vector by combining the first cause vector with a second cause vector from a previous potential case; The first computer system calculates the conditional probability values ​​of the subvectors of the combined cause vector, the calculated conditional probability being based on the ratio of a first value of the subvector to a second value of the subvector, the first value being based on the number of true money laundering cases triggered by the scenarios marked in the subvector, and the second value being based on the total number of potential money laundering cases triggered by the scenarios marked in the subvector. The first computer system compares the conditional probability value with a threshold. as well as When the conditional probability value is greater than the threshold, a report associated with the potential case and the previous potential case is transmitted from the first computer system to the second computer system.