2.1 About Behavior Detection

This chapter gives an overview of the Behavior Detection application and discusses the following topics:

  • Overview of Behavior Detection
  • Data Loading and Processing
  • Behavior Detection (BD)
  • Post Processing
  • Ingesting Trusted Pairs
  • Watch List Management
  • User Privileges

Overview of Behavior Detection

The Oracle Financial Services Behavior Detection application detects potentially problematic behaviors by identifying patterns in data and generating alerts. An alert is a unit of work in which a focus appears to have exhibited a behavior of interest, along with the supporting information. A focus represents a business entity or business unit around which activity is reviewed and aggregated. There are many supported types of focus, ranging from Account or Customer to Order, depending on the behavior of interest. Alerts can be generated from a pattern matching specific source events, a sequence of events, trends, conditions, or context. An alert is not necessarily tied to an event, but rather to the behavior of a focus. An alert is a record of one or more pattern matches in a detection run, which is a signal for further investigation.

Data Loading and Processing

The Oracle Financial Services Ingestion Manager receives, transforms, and loads the Market data, Business data (such as Transactions), and Reference data (such as Account, Customer, and Employee information) that alert detection processing requires, from the Common Staging Area or Flat File Interface. The Data Ingestion subsystem transforms Market, Business, and Reference data to create derived attributes that the detection algorithms require (much of the data is loaded as is). The system extracts and transforms data and subsequently loads the data into the Financial Services Data Model (FSDM). After loading the base tables, the Oracle client's job scheduling system invokes Behavior Detection (BD) datamap XML to derive and aggregate data. The Data Ingestion component also uses the Fuzzy Name Matcher Utility to compare names found in the source data with names in the Watch List.

An Oracle client implements the Ingestion Manager by setting up a batch process that conforms to the general flow that this chapter describes. Typically, the system uses a job scheduling tool such as Analytical Application Infrastructure (AAI) Scheduler to control the batch processing of the Ingestion Manager.

Behavior Detection (BD)

Oracle Financial Services Behavior Detection uses sophisticated pattern recognition techniques to identify behaviors of interest, or scenarios, that are indicative of potentially interesting behavior. A pattern is a specific set of detection logic and match generation criteria for a particular type of behavior. These behaviors can take multiple representations in a firm’s data.

The software detects behavior that matches the logic and criteria defined by specific patterns. When one or more data records match a scenario's pattern of behavior, a match is created. Records that contribute to the exhibition of the behavior are associated with the match as matched records, which are displayed in Oracle Financial Services Behavior Detection as building blocks. The entity that is responsible for the behavior of interest is considered the focus of the match. Examples of focus types are account, execution, correspondent bank, and employee.

Oracle Financial Services Behavior Detection generates an alert to package one or more matches for analysis and action. If multiple matches are found that are closely related to the same focus (that is, instances of similar behaviors by the same entity), the matches can be combined to create a single alert, herein referred to as a multi-match alert, to help the analysis of the found behaviors.

Scenarios representing related business problems are grouped into scenario classes. Scenario classes are categories of behaviors or situations that have common underlying characteristics.

Depending on your deployment, one or more of the following solution sets are available: Anti-Money Laundering (AML), Fraud (FR), and Currency Transaction Reporting (CTR).

Scenarios

The Oracle Financial Services Behavior Detection modules are divided into scenarios that typify specific types of business problems or activities of interest. The scenarios within Oracle Financial Services Behavior Detection are grouped into scenario classes that represent categories of behaviors or situations that have common underlying characteristics.

Post Processing

During post-processing of detection results, Behavior Detection prepares the detection results for presentation to users depending on the following processes:

  • Augmentation: Collects additional information related to the matched behavior and focus for pattern detection, which enables proper display or analysis of the generated matches.
  • Match Scoring: Computes a ranking for scenario matches indicating a degree of risk associated with the detected event or behavior.
  • Alert Creation: Packages the scenario matches as units of work (alerts), potentially grouping similar matches together, for disposition by end users. This is applicable when multiple matches with distinct scores are grouped into a single alert.
  • Alert Scoring: Ranks the alerts (including each match within the alerts) to indicate the degree of risk associated with the detected event or behavior.
  • Highlight Generation: Generates highlights for alerts that appear in the alert list of the Behavior Detection subsystem and stores them in the database.
  • Historical Data Copy: Identifies the records against which the current batch's scenario runs generated alerts and copies them to archive tables. This displays a snapshot of information as of the time the alert behavior was detected.

Ingesting Trusted Pairs

Oracle clients designate Trusted Pairs by providing them through the Data Interface Specification (DIS) file.

Designating pairs of entities as trusted helps to decrease the number of false positive alerts that are generated when the alerting activity is between entities that an institution considers to have a trusted relationship. During the process of ingesting transactional information (Wires, Checks and Monetary Instruments, Back Office Transactions and Insurance Transactions), the Oracle Financial Services Behavior Detection ingestion process flags a transaction as trusted if at least one party/counterparty pair on the transaction is considered to be a trusted pair. These transactions can be optionally excluded from detection for many ML, IML, and FR class scenarios (through the use of a threshold parameter), thus reducing the number of false positives where alerts are generated on activity between parties trusted to do business with one another. As the relationship between a pair of entities is marked trusted for some period of time and is excluded from the process of behavior detection, the workload of an analyst can be greatly reduced. If the decision is made to not exclude trusted transactions from detection, alerts involving trusted transactions display information regarding the percent of the alert's transactions that involve trusted pairs versus transactions that do not involve trusted pairs.
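The flagging rule and the trusted-percentage figure described above can be sketched as follows. This is an added illustration, not Oracle code or the DIS file format: the class names, field names, the treatment of a pair as unordered, and the effective/expiry dates used to model "some period of time" are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class TrustedPair:          # hypothetical record, not the DIS layout
    a: str
    b: str
    effective: date         # assumed: first day the pair is trusted
    expires: date           # assumed: last day the pair is trusted

@dataclass
class Txn:                  # hypothetical transaction record
    txn_id: str
    txn_date: date
    parties: list           # party IDs on the transaction
    counterparties: list    # counterparty IDs on the transaction
    trusted: bool = False

def flag_trusted(txns, pairs):
    """Flag a transaction when at least one party/counterparty pair is trusted on its date."""
    index = {}
    for p in pairs:
        index.setdefault(frozenset((p.a, p.b)), []).append(p)
    for t in txns:
        t.trusted = any(
            tp.effective <= t.txn_date <= tp.expires
            for x in t.parties for y in t.counterparties
            for tp in index.get(frozenset((x, y)), [])
        )
    return txns

def detection_input(txns, exclude_trusted):
    """Model the threshold parameter: optionally drop trusted transactions before detection."""
    return [t for t in txns if not (exclude_trusted and t.trusted)]

def trusted_percent(alert_txns):
    """Percent of an alert's transactions that involve trusted pairs."""
    if not alert_txns:
        return 0.0
    return round(100.0 * sum(t.trusted for t in alert_txns) / len(alert_txns), 1)

# Constructed sample data
PAIRS = [TrustedPair("CUST-1", "EXT-9", date(2024, 1, 1), date(2024, 6, 30))]
TXNS = [
    Txn("W1", date(2024, 3, 5), ["CUST-1"], ["EXT-9"]),                     # inside trust window
    Txn("W2", date(2024, 8, 1), ["CUST-1"], ["EXT-9"]),                     # trust has expired
    Txn("W3", date(2024, 3, 9), ["CUST-2", "CUST-1"], ["EXT-9", "EXT-4"]),  # one trusted pair among several
    Txn("W4", date(2024, 3, 9), ["CUST-2"], ["EXT-9"]),                     # no trusted pair
]
```

Because the trusted flag removes transactions from detection when exclusion is enabled, the date check is the control that returns a pair's activity to normal monitoring once the trust period ends.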

Watch List Management

The Watch List Management feature allows watch lists to be added, updated, and deactivated. You can also add and deactivate watch list members. A watch list is a list of entries that have known risk characteristics. Watch lists can represent public sources or can be created and managed internally by the institution. Common public sources for watch lists include Office of Foreign Assets Control (OFAC) and Financial Action Task Force (FATF). Watch lists are associated with a score. See Chapter 3, Managing Watch List Management, for more information.

For watch lists that can be categorized as risk lists (lists that contain entries considered to pose a risk to your firm), a risk score is assigned based on increasing risk, usually on a scale of 1 to 10. Watch lists can also be used to designate trusted or exempted entities. Watch lists play an important role in behavior detection for Anti-Money Laundering and Fraud behaviors. See Appendix E, Calculating Risk, for more information.

User Privileges

Oracle Financial Services Behavior Detection allows different types of roles to access the Behavior Detection UI. The various roles are: Alert Viewer, AM Admin, Data Miner, WLM Viewer, WLM Analyst, and WLM Supervisor.

Note:

The Alert Viewer user role is only available in 8.1.1.1.0 and higher.

Table -2 User Roles and Privileges

| Privileges | Alert Viewer | Data Miner | AM Administrator | WLM Analyst | WLM Viewer | WLM Supervisor |
|---|---|---|---|---|---|---|
| Access to Search and List page. | Yes | No | No | No | No | No |
| View Entity details. | Yes | No | No | No | No | No |
| Access to Business Tabs. | Yes | No | No | No | No | No |
| Access to BD Administration Tasks. For more information about BD Administration tasks, refer to the Administration Guide. | No | No | Yes | No | No | No |
| View all pages within the WLM application. | No | No | No | Yes | Yes | Yes |
| Create new watch lists and Watch List Members. | No | No | No | Yes | No | Yes |
| Edit watch lists. | No | No | No | Yes | No | Yes |
| Deactivate watch lists and Watch List Members. | No | No | No | Yes | No | Yes |
| View watch lists and Watch List Members in Pending status. | No | No | No | Yes | Yes | Yes |
| Approve recommended action on watch lists and Watch List Members. Actions taken by WLM Supervisor do not need any approvals. | No | No | No | No | No | Yes |
| Reject recommended action on watch lists and Watch List Members. Actions taken by WLM Supervisor do not need any approvals. | No | No | No | No | No | Yes |