The Evolution of Crime Analytics Leading Practices from Wynyard

Transcription

1 The Evolution of Crime Analytics Leading Practices from Wynyard July 2014

2 About Chartis Chartis is a leading provider of research and analysis covering the global market for risk management technology. Our goal is to support enterprises seeking to optimize business performance through better risk management, corporate governance and compliance. We help clients make informed technology and business decisions by providing in-depth analysis and actionable advice on the broad spectrum of risk and compliance technology offerings. Areas of expertise include: Credit risk Operational risk and governance, risk and compliance (GRC) Market risk Asset and liability management (ALM) and liquidity risk Energy and commodity trading risk Financial crime including trader surveillance, anti-fraud and anti-money laundering Insurance risk Regulatory requirements including Basel 2, Basel 3, Dodd-Frank, EMIR and Solvency II Chartis is solely focused on risk and compliance technology giving it significant advantage over generic market analysts. Chartis has brought together a leading team of analysts and advisors from the risk management and financial services industries. This team has hands-on experience of implementing and developing risk management systems and programs for Fortune 500 companies and leading consulting houses. Chartis Research is authorized and regulated in the United Kingdom by the Financial Conduct Authority (FCA) to provide investment advice. Visit for more information. Join our global online community at No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Chartis Research Ltd. The facts of this report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions and recommendations that Chartis Research delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. Chartis Research accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis. See Chartis Terms of Use on RiskTech100, RiskTech Quadrant and The Risk Enabled Enterprise are Registered Trade Marks of Chartis Research Limited. Unauthorized use of Chartis s name and trademarks is strictly prohibited and subject to legal penalties. 2

3 Table of Contents 1- Introduction to crime analytics Current challenges in crime analytics The evolution of crime analytics Leading practices from Wynyard Future outlook How to use research and services from Chartis Further Reading

4 List of figures and tables Figure 1: Vertical divisions of crime analytics...6 Figure 2: The evolution of crime analytics...10 Figure 3: Entities displayed on heatmap layer Figure 4: Historical geographical analysis...13 Figure 5: Positioning of anomaly detection within crime analytics architecture...14 Figure 6: Example simplified Bayesian net for crime analytics...15 Figure 7: Decision tree example...16 Figure 8: Wynyard solution architecture...17 Figure 9: Wynyard data management...18 Figure 10: Unknown unknown detection...19 Figure 11: Wynyard multi-layered analytics model...20 Figure 12: Link analysis...21 Figure 13: Wynyard case management system...23 Figure 14: Wynyard pre-configured solutions...24 Table 1: The quadrant of risks...9 Table 2: Traditional vs next generation crime analytics

5 1- Introduction to crime analytics The accessibility and availability of electronic communications have greatly increased the potential for crime. Not only is technology more widely available to potential criminals, but also the potential scale of losses to companies has broadened. Crime analytics serves a two-fold purpose to catch more traditional criminals and fraudsters who leave footprints behind them, and to overcome the increasing technological sophistication of criminals. Maintaining a lead in this informational arms race is crucial. Crime analytics is often thought of with respect to cyber criminals: In July 2013, for example, NASDAQ and J C Penney were among the victims of a long term e-fraud described as the biggest in US history 1, accomplished via installation of software on corporate computer systems to create electronic back doors. This resulted in losses of well over $300 million from just three of the dozens of compromised accounts. In addition, the criminals themselves utilized Google alerts for keywords such as data breach and identity theft in an attempt to stay ahead of law enforcement if their exploits were reported, using analytical technologies to gain a potential advantage in the same way that earlier criminals might have listened into a police scanner. Against this backdrop of technological misuse, crime analytics is growing in importance and complexity. However, cyber crime is only a small element of the potential scope of crime analytics. Today, it is being used to combat crimes as diverse as money laundering, bank fraud, international terrorism, drug smuggling, human trafficking, and policing. Crime analytics can be described as the intersection of four related disciplines: 1. Tradecraft skill acquired through experience in the field of espionage from police and intelligence officers; 2. Crime Science evidence-based problem-solving that utilizes empirical research. Adopting the scientific method, crime scientists collect data on crime, generate hypotheses about crime patterns and trends, and build testable models to explain observed findings; 3. Advanced Analytics keeping up with the latest advances in the field, including predictive analysis, assisted intelligence, and text mining; 4. Big Data unstructured and high-volume data is a valuable resource for enabling insight. For example, a big data analysis allowed Microsoft to determine when spikes in testing activity indicated that software pirates were using large numbers of product keys 2. Statistical and analytical techniques are also useful to provide information about the patterns of crime, and to identify correlations in criminal trends. For example, the City of Lancaster in California utilized predictive data models and heat maps to enable a 42% reduction in violent crimes from 2007 to Connecting the dots Analysts and data scientists today are faced with millions of data points when attempting to identify incidences of money laundering, fraud, terrorism and organised crime. These data points are disparate, disconnected and, for each meaningful one, there are many more that are essentially irrelevant. Connecting the dots between these points requires an intelligent approach which surfaces only the key pieces of information from this sea of data. The more exotic the threat, the more data and the more sophisticated the algorithm must be to discover it. To identify criminal activity, an analyst must identify what the terrorist/money launderer/financial criminal looks like as a pattern within that data. Efficient crime analytics solutions will be able to find these patterns and connect the dots at increasing degrees of complexity and within data sets of increasing size and variety. 1 reuters.com

6 Financial vs Non-Financial Crime Crime comes in a countless array of forms, and almost all of these can be countered in one way or another by crime analytics. One previously common way to separate crime was to differentiate between financial and nonfinancial crime (Figure 1). Previously, organizations have utilised different crime analytics tools and techniques to address the two categories. Non-financial crime (normally police and government agencies) solutions tended to prioritize link analysis, and geospatial and temporal analysis. Financial crime solutions focus on capabilities such as transaction monitoring and Know-Your- Customer (KYC) functionality, rules engines and anomaly detection. Figure 1: Vertical divisions of crime analytics Financial crime Organized crime Non-financial crime Anti-money laundering (AML) Drug-smuggling Fraud Anti-terrorism Violent crime Human trafficking Robbery In today s crime environment there is significant overlap between financial and non-financial crime analytics financing is a significant element of almost all major crimes. Therefore all organisations, financial and non-financial, need to adopt a combination of analytical techniques to prepare comprehensively for the threat. Financial organizations are increasingly utilizing techniques that were previously only used by law enforcement, and vice versa for law enforcement agencies taking advantage of the cutting edge capabilities developed by financial institutions. 6

7 2- Current challenges in crime analytics The changing availability of crime analytics Traditionally, crime analytics has not been available to most organizations. There are three reasons for this: 1) Cost small and mid-sized firms could not traditionally afford the expertise and technology of advanced crime analytics, so that it was only accessible to the top tier of finance and government institutions. 2) Usability Analytical technologies have tended to be usable only by power-users those with the necessary technical or mathematical training. 3) Complex IT environments The siloed legacy data systems of most firms have not been suited to managing the variety, volume and velocity of data required by crime analytics solutions. This situation is now changing. Development time and cost have fallen as analytics has become more widespread. In addition, there has been a convergence between governments, financial institutions and nonfinancial institutions in terms of how they use analytics. Following the financial crisis and the war on terror, all three sectors are exploring how they can apply data and analytical capabilities efficiently and effectively to detect and prevent malicious outside influences. Consider the anti-fraud linkage analysis of Know-Your-Customer (KYC), which determines how likely a bank customer is to engage in fraudulent activity. Governmental organizations have applied related algorithms to determine the likelihood of criminal acts based on an individual s connections. Non-financial firms have also contributed to the expansion of analytics technology the development of facial recognition algorithms has been propelled by both governmental organizations for countering crime and anti-terrorism, and by social networks and search engines such as Facebook and Google. As analytics have become more widespread, these technologies are becoming increasingly affordable to smaller organizations, which were previously constrained by smaller IT budgets and limited cash. In addition, the return on investment for smaller firms is made more attractive as their smaller infrastructures are inherently more agile. Smaller institutions are able to modify their business practices and models more quickly, and deploy effective crime analytics with a faster time to market. Aside from the costs of the analytics themselves, firms must acquire the data necessary to be fed into the analytics. Relevant data may be trapped in siloed databases, or may not be owned by the organization open source data (social media, news websites, blogs, message boards, classifieds, etc.) is increasingly viewed as important. As these smaller institutions have limited numbers of IT staff, another key challenge is avoiding a concentration of expertise. If the company has only a single computer or data scientist in the firm with the expertise to use an analytics solution, then bottlenecks can quickly occur. A key challenge is therefore to make advanced analytics usable to those without a mathematics or a computer science degree. Advanced visualization tools are essential in order to make data both understandable and, crucially, actionable by users. For example, smart-phone enabled analytics for police forces enable front-line, real-time access to database and geographical analytics that would previously be performed much more slowly by separate departments. Finally, traditional analytical solutions have been assembled piecemeal, via the assembly of multiple products or the purchase of stacked, enterprise solutions. These tend to be both expensive and unwieldy; yet standalone, purpose built crime analytics solutions are increasingly making their way to market. The challenge is in the development of an affordable, usable and agile solution that still comprises cutting-edge analytics technology. 7

8 Big Data in the modern world The volume, velocity, and variety of Big Data have become a part of almost every area of modern life. Transactional, social, sensory, and geographical information are stored and arranged in any number of ways, including relational and non-relational databases. The amount of data produced in the world has increased exponentially with the information technology revolution, with more than 90% of the world s recorded data created in the past two years 4. The vast majority of information now being generated is unstructured and non-relational, including geo-spatial, audio, and social media data. This contains information and connections that traditional relational databases were not designed to process (for example, text mining data for suspicious words or phrases). And yet, most organizations continue to operate with traditional, relational databases: tabulated, sorted data. These databases were often designed years ago to perform specific tasks, in a low data-volume world. The hidden clues and costs in unstructured data Within an analytics system, the value of a point of information can only be found when it is connected to another point. Therefore, at the same time as relational databases are creaking under the load and struggling to connect across silos, there is a drive towards retaining data and increasing database storage, in case it contains meaning that has not yet been revealed. This leads to increasingly large and complex historical data stores, requiring sophisticated analytical engines to parse them with sufficient speed and accuracy. In addition, there is necessarily a tradeoff between speed and volume when sorting data sets; a firm must make a decision whether to use all its data or a filtered selection, not knowing whether this data may be useful in the future. It is not uncommon to have several types of data available together, such as network data, transactions data, online sessions data, etc., Furthermore, some of these may be augmented with location information, and all of them are time-varying with different rates of change. The challenge is to extract from these diverse data types relevant information pertaining to the application requirements and then combining the various bits of information in a coherent manner. Firms must cope with the costs of managing massively expanding databases while at the same time confronting reduced budgets and the increased costs associated with regulatory due diligence. Essentially, organizations must do more with less. Noise vs Signal and risk discovery As the information that crime analytics must analyze becomes more complicated, it becomes difficult to extract meaningful information, or sort the signal from the noise. A key challenge involves the risk of false positives. A false positive can amount to an accusation of an individual or firm of a crime, which can be highly costly from a financial compensation, customer relations, and reputational perspective. In addition, false positives often require lengthy and expensive investigations; they represent the worst case scenario for an analytical solution as they divert resources away from detection. In order to identify correctly a false positive, an institution needs to carefully analyze both the flagged entity, and also re-assess how exactly the analytics have led to the false positive. It can take hundreds of man-hours for analysts to process exceptions in this manner, yet a sufficiently robust analytical solution can adjust and learn from previously identified false positives, allowing human analysts to focus on those remaining issues that require their input. Moreover, mistaking the noise for signal can also lead to solutions that are incorrectly calibrated. All too often, the initial data retrieved was presumed to be signal, yet turns out to be noise. Accepting noise as signal leads to false hypotheses being formed, and can lead to the creation of multiple further false positives

9 Further potential issues include: Unavailability of data (or missing dots in the metaphor above). This may be because the data is controlled by another group, is not readily accessible, or does not contain the correct information. False correlations between behaviors (for example, an infamous US study that found a connection between ordering pizza with a credit card and terrorism 5 ). The larger the data sets, the more likely it becomes that these coincidental correlations will occur, and the more difficult it becomes to parse them out. Analysis via hindsight is biased towards previous modes of activity changing patterns or approaches will potentially allow the detection mechanisms to be circumvented. It is therefore crucial that analytical methodologies are flexible and adaptive enough to find different variations in patterns of interest. Standard methods will see one pattern as signal and others as noise, but there can potentially be a variety of different types of relationships in a given data set. Even if the signal is found, it may not be the only signal within a data set. Unknown unknowns and observation bias Reports that say that something hasn t happened are always interesting to me, because as we know, there are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don t know. But there are also unknown unknowns there are things we do not know we don t know. Donald Rumsfeld, regarding the lack of evidence linking WMDs to Iraq in The above statement was initially much-maligned, but has since gained traction as a surprisingly concise summation of the problems facing any organization dealing with complex informational problems. In terms of risks, these can be summarized in the table below (Table 1). Table 1: The quadrant of risks Quadrant section What it represents to an organization Potential solution Known Knowns Risks that the organization already knows. Flexible rules and scenario engines can be used, in conjunction with operational risk models, to identify and stop known risks from eventuating. Unknown Knowns Known Unknowns Unknown Unknowns Risks that the organization knows, but does not know it knows. The risks that a company knows it must find within its data. The risks that arise within the data that the organization is unaware of. This is generally an issue caused by lack of communication (i.e. Section A knows of a risk, but does not inform Section B), and can be solved by breaking down organizational or data silos. Traditional search-based analytics that are trained to find the expected risks within data sets. Advanced discovery-based analytics that can unearth risks hidden in the data. Most analytical solutions prioritize the known unknowns the risks of which firms are already aware. This, in itself, causes observation bias the more these risks are observed, the more they appear to represent effectively the risks that are there. The unknown unknowns are the risks that firms are unaware they are facing. These can be the truly dangerous risks for example, the counterparty credit risk that took down Lehman Brothers caught them completely off guard, and the unprecedented and unexpected number of connections between banks dragged much of the financial world down with the firm. In an old boxing axiom, it s the punch you don t see that hurts you

10 3- The evolution of crime analytics Alongside the explosion in information technology, crime analytics has undergone a rapid evolution over the last 30 years (Figure 2). Figure 2: The evolution of crime analytics High data volume, high analytical complexity Assisted intelligence, discovery-based analytics Open-source intelligence, incorporation of external networks Link analysis In-memory analytics, real-time processing Anomaly detection, link analysis Unstructured data processing Simple graph based analysis Data visualization Text mining Manual input Search-based analytics Integrated case management Low data volume, low analytical complexity Paper-based analysis Spreadsheet databases Analysis of relational data Unstructured, cloud computing 1980s 1990s 2000s 2010 onwards Ideally, a crime analytics solution will combine search-based, reactive approaches (allowing analysts to drill down into the data) and a proactive, discovery-based approach allowing for the identification of risks that have not been or cannot be discovered by analysts. Next-generation crime analytics (Table 2) allow institutions to take action and prevent losses before they happen, in particular enabling the firm to: Prioritize risks the ability to accurately predict where crime risks are coming from allows the most dangerous and extensive risk threats, such as credit card fraud or potential terror acts, to be dealt with as soon as possible. Increase efficiency the automation of risk analysis allows for a far greater volume of data to be analyzed by an individual investigator, increasing potential case workload. Automating the process of assigning cases reduces time and reporting on false positives, while processed crime analytics saves on support staff and backlogs. Increase scope a wider array of analysis is enabled, allowing connections that would otherwise be missed to be added to the data. Table 2: Traditional vs next generation crime analytics Traditional crime analytics Simple search Can analyze information which is limited, predictable and easy to scale Fixed Find known risks Analyze individual, isolated data points and one-to-one relationships Next generation crime analytics Complex discovery Can analyze information which is open-ended, unpredictable, and difficult to scale Adaptable Discover new, unknown risks Analyze connected data points, patterns, and many-tomany networks 10

11 A number of these capabilities have been listed below. Data visualization One problem of dealing with large and unwieldy data sets is that they can appear as large and unreadable arrays of figures, making it challenging for anyone without a strong mathematics background to determine exactly when something is going wrong. Data visualization is a particularly powerful tool in this respect. It allows for the presentation of information in an intuitive manner, and enhances the natural human ability to seek out and find patterns (and by extension, anomalies within patterns) in the data being observed. The abstraction of visual data allows the shifting of insight discovery from a handful of specialists to almost everyone. Visualization methodologies (Figure 3) include dashboards, heat maps, and graph analytics. An example heat map is given below this allows an immediate, visual representation of thefts within a geographical area. Figure 3: Entities displayed on heatmap layer 11

12 Data acquisition With the growing volumes of Big Data, solutions should be able to incorporate high quantities of structured and unstructured information, including assessment and audit of the data quality and integrity, such as: Fast, easy to use data ingestion tools Confirmations of the data flows and accuracy Data profiling tools to help obtain an overview of source data, especially meta data Tools to detect duplicate or similar records in source data and optionally merge them Automatic address validation Tests of data cleansing processes Data testing and quantification It is not uncommon to have several types of data available together, such as network data, transactions data, online sessions data, etc., Furthermore, some of these may be augmented with location information, and all of them are time-varying with different rates of change. The challenge is to extract from these diverse data types relevant information pertaining to the application requirements and then combining the various bits of information in a coherent manner. Tools such as efficient text parsing and analytics, taxonomy and metadata management are required for analysis of information flows. Rules engines Activity-scoring tools and statistical analytics provide quantitative insight of possible activity, and provide the necessary operational flexibility to keep up with criminals. Model variances need to be accounted for within the data sets, in particular the differences between operational and developmental models, and how these affect relationships between entities in a data set. The creation and application of rules for basic business activities allows organizations to spot unusual trends, including: What is the volume/profile of alerts that are being generated? Which rules are driving alerts and is the profile consistent across the business? What is the consolidated profile of alerts from all transaction monitoring systems? What is the false positive profile across the business and how effective is information sharing? Which countries, products, services generate which alerts? What is the regional/business unit/seasonal variation? How effective is alert optimization across transaction monitoring systems? Scalable and federated search Scalable searches allow the user to drill down into the data, providing real-time, ad hoc access to analyses. With the need to respond to today s quick-changing markets and fast-acting electronic crime such as credit card fraud, batch processing is insufficient. Next-generation crime analytics solutions will be able to conduct scalable searches through unstructured data sets in near or near-real time. The tuning of searches allows for the optimization of performance for appropriate task management. Federated search is the transformation and broadcasting of a query to a group of disparate resources (such as multiple databases), followed by the presentation and sorting of the unified results set. Link analysis Link analysis allows identification of other entities associated with an entity, as well as practices used by linked entities based on direct or indirect associations within a data set. It is important to have multiple methods of link analysis available, so that potential connections between entities do not fall between the cracks of a single approach. 12

13 Geospatial analysis Geospatial techniques have been used in crime analysis since André-Michel Guerry and Adolphe Quetelet created a map visualizing crime property data in France in 1829 (Figure 4). Modern geospatial information comes in a variety of data forms, including server locations, GPS information, and map imagery. Figure 4: Historical geographical analysis Effective geospatial analysis is highly prized as it is regarded as a source of truth. At the fundamental level, a geospatial reference cannot be duplicated an individual cannot be in two places at once. For example, within policing systems, specific geographic profiling systems such as journey-to-crime analysis can estimate the probable residences for serial offenders and potential targets within the reach of a criminal and create a node of activity. 13

14 Temporal analysis The temporal (time related) nature of crime, disorder and other police-related issues is a major component of crime analysis. Crime analysts conduct several levels of temporal analysis, including the examination of long-term crime trends, and the natural variations by season, and time of week or day. For example, seasonal weather patterns have been seen to have strong effects on crimes such as auto thefts, and high temperatures have been seen to induce feelings of anger and frustration. In addition, the interventions enabled by crime analytics themselves have often been time-sensitive in nature: for example, a study indicated that when police were patrolling, their optimal time for remaining in a single area to discourage crime and maximize their effective presence was around 10 minutes 7. Pattern analysis /Anomaly detection Crime analytics solutions detect anomalies within a given data set that stand out as suspicious. Once these suspicious entities are identified, they are either automatically dealt with, or potentially escalated to a human operator. An example crime analytics architecture is illustrated below (Figure 5). Figure 5: Positioning of anomaly detection within crime analytics architecture User Input platform (mobile, bank teller, internet, etc.) Data management and mapping Behavioral model Anomaly detection Expected behavior Organization Block/ flag Reject Unexpected behavior Escalate Automated response system Validate Confirm Reject Human interaction Validate 7 Koper, C. (1995). Just enough police presence: Reducing crime and disorderly behavior by optimizing patrol time in crime hotspots. Justice Quarterly, 12(4):

15 In the example of financial crime, customer activity can be compared with peer group behavior, and with past behavior to identify outlying transactions, including: What are the characteristics of the good alerts raised, and can more of these be found in the data? What are the characteristics of the bad alerts raised, and can these be removed? Which customers/groups of customers generate which alerts? Can customers be segmented into optimal classification groups based on activity? Assisted Intelligence Sophisticated crime analytics allow systems to learn from their mistakes (for example, when a false positive is rejected by investigators), allowing for quick eliminations of false positives and negative rates. These capabilities are often referred to as artificial intelligence but are more appropriately assisted intelligence, as they will always require the input of a human analyst. For example, if there is a fraud system that has a rule-based system, which determines that only transactions over $1000 should cause alerts, then the criminals may react by transacting just below $1000. An AI system will learn the risks related to relationships among data element values in order to come up with risk scores, rather than using the hard thresholds that could be evaded in this manner. Assisted Intelligence encompasses two related approaches to adapt to the known unknowns of risks in crime analytics: Machine learning: Focuses on prediction, based on known properties from the data Data mining: Focuses on the discovery of previously unknown properties in the data The most advanced, discovery-based systems will therefore have a particular focus on data-mining functionality, to provide insight into the unknown unknowns in the data. These include neural networks, genetic algorithms and multivariate adaptive regression. Other advanced analytics capabilities are listed below. Bayesian nets (data mining) A Bayesian network (Figure 6) utilizes a probabilistic graphical model that establishes conditional dependencies between random variables. This allows for the inference of unobserved variables, the computation of parameters, and structural learning the definition of networks as learned from data. Figure 6: Example simplified Bayesian net for crime analytics Time Location Type of crime Specific crime 15

16 Gradient boosting (machine learning) Gradient boosting is a fitting method to minimize general types of risk functions with respect to a prediction function. It resamples analysis data several times in order to generate results that form a weighted average of a resampled data set. It makes no assumptions about distribution of data, and is less prone to overfitting data than single decision trees. Decision trees (machine learning) Decision trees are produced by algorithms that split data sets into branch-like segments (Figure 7). This forms an inverted tree with a root node at the top. They have the advantage of being unaffected by non-linear relationships between variables and, unlike most machine-learning tools, the analytics behind them are visually comprehensible and easily back-tested. Figure 7: Decision tree example Root node Partition variable A Partition variable B Node 1 Node 2 Node 3 Enterprise case management Perhaps the most important element of crime analytics is creating actionable insight. Enterprise case management systems take the actionable insight and streamline the investigation process, providing audit trails and visualizations for viewing networks of individuals, and form the basis of: Workflow development Tasking and activity management Data security and mitigation of privacy risks by applying rigorous data access controls Managing the disclosure and dissemination of information Digital and physical evidence management Templates to support the entry of case information Managing data retention requirements The unification of information from disparate departments at an enterprise level, with on-demand access to meaningful information Reduction in implementation and maintenance costs by consolidation of resources The integration of existing and third-party systems for both input and output with the crime analytics solution Case management also allows for the effective triage of a threat or case, using only the data that is immediately relevant, and prioritizing individual cases based on severity, while retaining the scope of information and drilldown capabilities. 16

17 4- Leading practices from Wynyard Wynyard Group is a software vendor that provides critical threat assessment and advanced crime analytics software for government, financial services and critical national infrastructure. The company has offices in the United Kingdom, United States, Canada, United Arab Emirates, Australia, and New Zealand, and over 400 customers in more than 80 countries. Recent clients include HML, a leading mortgage and loan provider in the UK for anti-money laundering and financial crime management, and the New Zealand Police. Chartis considers Wynyard to be a leader in the field of crime analytics. The differentiators for Wynyard s solution are considered to be: An out-of-the-box crime analytics solution that provides a number of next-generation features within one offering. Solution architecture designed for rapid deployment and low cost of ownership. A focus on usability, designed for both advanced quantitative analysts, as well as business users and operational personnel. Integrated case management closing the loop from identification to investigation. Strong domain knowledge and expertise, as enabled by the Wynyard Crime Science Research Institute program, and a focus entirely on crime, risk and threat analytics. Overall architecture The solution (Figure 8) combines an operational data store and a document index that enables the retrieval and analysis of entities, relationships and related metadata, including unstructured data analysis from documents, database fields, s and text messages. Figure 8: Wynyard solution architecture INCIDENT ANALYSIS & RISK MODELLING RISK ASSESSMENT & REPORTING INCIDENT MANAGEMENT INVESTIGATIONS CASE MANAGEMENT AUDIT CORE APPS Machine learning Heat maps Case & evidence mgmt Forms ANALYTICS Pattern matching Text mining DASHBOARDS Event specific Maps & charts INVESTIGATIONS Audit trail Case visualization METHODS Surveys Workflows Network analysis ODBC source Search Rules & alerts DATA MANAGEMENT SERVICES WYNYARD XEREM TM (common meta model) Client data extensions WYNYARD core domain models (risk, fraud prevention, mobile, I/P) Corporate Legacy Feeds - Incident logs - Feeds from data warehouse - Financial ledger entries - Impact reports Corporate reference data feeds - HR Systems - SAP, Oracle, Peoplesoft - Legacy risk registers & spreadsheets - Reporting entities (Key stakeholder lists, LDAP) - Document management systems 17

18 Data input/output The data is processed from one of more XEREM stores. XEREM (extensible Entity Relationship Events Model) is a canonical representation invented by Wynyard and used to create data models for all the user information ACA ingests and processes. It is directly represented in collections of multiple nodes connected via multidirectional edges. Both nodes and edges can be decorated with attributes, and organized in hierarchies. The computational engines that carry out the required data manipulation and calculations are implemented on a distributed processing platform and are written in a combination of data science languages and standard/efficient computer languages. Data sources for the solution (Figure 9) can be structured (financial transactions, phone records), semi structured ( s or web artefacts) or unstructured (text documents). Data export is supported via XML and web services, and export functions can be integrated with third party systems. Figure 9: Wynyard data Source data (structured or unstructured) Pre-load transformation Data loaded and post load enrichment (including text cleansing, entity identification, classification and extraction) 18

19 Analytics The analytics are focused around the quick identification of anomalous behaviors. In addition to AML, alerts and reporting, the analytics capabilities of the solution also utilize visualization and advanced analytics capabilities to detect the unknown unknowns within the data (Figure 10). Figure 10: Unknown unknown detection Text Mining Text mining utilizes multiple entity extraction engines based on techniques such as conditional random fields, together with machine learning mechanisms to improve their accuracy for a specific domain. This is complemented by gazette lists/taxonomies and regular expressions. These approaches are applied to cause extraction of entities. Each extraction engine assigns an entity a type (person, location, organization, etc.) together with a degree of certainty for such assignment. In addition, automatic relationships are created among entities according to their co-occurrence in all the different documents loaded. Advanced Analytics Wynyard Advanced Crime Analytics (ACA) uses a hybrid multi-layered analytics model (Figure 11) in order to handle application requirements and data types. The model is implemented by a reconfigurable analytics platform around a core of models and techniques. This can be selected and matched to specific requirements and data types by means of software layers known as configurators. 19

20 Figure 11: Wynyard multi-layered analytics model Reconfiguration is facilitated by abstracting requirements into exploitation tasks and thereafter into inference tasks. Configurators play a key role in matching requirements to exploitation tasks, exploitation tasks to inference tasks, and inference tasks to models and techniques, taking into account the nature of the data at every step along the way. The configurators also serve to interface the analytics platform with the data models in XEREM, as well as interfacing with the compute engine, visualizations and user interface. Applications of Advanced Analytics require a number of exploitation tasks like anomaly detection, event prediction and group discovery. The computational intelligence models utilize probabilistic models for partially observed or uncertain data, and Bayesian statistics for adjustment of model parameters or incrementally acquired data. Inference tasks are highly probabilistic in nature and utilize graphical representations and formulations as well as the use of graph theory for the actual computations. In particular ACA uses probabilistic graphical models including belief networks, Markov Hidden models and latent factor analysis complemented by other techniques like spectral analysis, selfexciting point processes, and regression models. 20

21 Link Analysis, Social Network Analysis, or Network Analysis Wynyard s ACA automatically creates link analysis (Figure 12), which focuses on analysis of relationships among nodes through visualization methods such as network charts and association matrices. Figure 12: Link analysis Anomaly detection Anomaly detection within the Wynyard solution has two sections: 1. Anomaly detection in Social Networks: The analysis of the frequency of data generated through the social interaction of persons (ie. Phone, ) in order in order to identify anomalous periods. This utilizes a Bayesian statistical inference model to identify unusual patterns in activities resulting from the interaction of social actors. The interactions could be at the individual actor, pairs of actors, of networks of selected actors. The model assigns anomaly scores to every period. 2. Anomaly detection in events: This capability conducts the analysis of several features in data in order to identify specific anomalous events. It is based on the behavioural patterns of sequences of events. A number of features are selected to be the input to the model. Those visible features are reduced to a set of latent features that are further analysed in terms of probability distributions and time series. Applications include fraud detection in financial transactions, and suspicious movements of people. 21

22 Federated search The federated search capability of the solution enables the searching of multiple disparate data sources via a single search query. The search is performed against either all data sets, or specified subsets, including external data feeds. The focus is on the data federation of internal systems, and external systems where close ties exist between the system owners (e.g. cross-jurisdictional data sharing by law enforcement agencies). It utilizes multiple data sources to maintain a master schema of the common data that will be available for searches. The common data is replicated from the source systems and transformed into the common schema. The system can also enrich the master schema with additional data to support specialized searches (e.g. soundex keys, entity links, etc). This enables query algorithms to be run without relying on the source systems to execute the queries. The system regularly monitors the data sources to keep the master schema in synch. Open-source intelligence The solution includes social media and open source intelligence (OSINT) integration as a data source, including a built in data loader for social media feeds. Social media can be used for network analysis and intelligence gathering, and the open source data can be mapped, loaded and searched via the federated search functionality. Visualization Data including alerts generated by the solution s rules engine is visualized using context-aware visualizations, identifying entities and events of interest. The views are customized to display whichever information is available, supporting the selection of relevant data sets available, including: Geographic Information System (GIS) overlays, Tabular formats Heat map presentations Temporal analysis, including timeline visualizations , call network and website navigation thread diagrams Spatial analysis, including visualizing entities on a map Topic mappings to identify key themes across a range of documents Volume analysis to highlight the amount of incoming and outgoing activity for entities such as addresses, phone numbers, web sites and financial accounts Geo-spatial analysis The solution enables the display of geographical data for collections of entities, allowing the identification of common points of risk and suspicious activity, and radius-based query functionality the capacity to bring up information on all entities within a particular distance of a geographical point (for example, domiciles of suspicious persons within a certain distance of a burglary scene). 22

23 Enterprise case management The solution includes a centralized system for case management requirements (Figure 13), supporting data sharing across units and teams within an organization. This includes: Tasking and alerts Notifications, including triggers and reminders Categorizations of entity types Document versioning Creation of tasks Data template inputs Figure 13: Wynyard case management system Incident report Case Information report Tasks Tasks Case notes Tasks Entities Entities Entities Entities Entities Entities SECURITY 23

24 Bespoke models The Wynyard solution has a selection of pre-configured solutions built around crime analytics verticals, including digital forensics, fraud, and criminal intelligence (see Figure 14 below). Figure 14: Wynyard pre-configured solutions Threat assessment Risk analytics Threat assessment Information security Anti-bribery Compliance Advanced crime analytics Criminal intelligence AML Person of interest Fraud Serious crime investigations Open-source intelligence Digital forensics Mobile device analytics Gun crime analytics Signals analytics KYC/customer screening Social network analysis Relationship with Jill Dando Institute at University College London Wynyard has entered into a partnership with the Jill Dando Institute of Security and Crime Science (JDI) at UCL (University College London). This is the first Institute in the world devoted to pursuing new scientific approaches to tackling crime, in part through partnerships with academia, industry, commerce and government organizations. Wynyard Group is the first company outside of the UK to work with the Institute to help it research and develop solutions in common areas of interest including predictive analytics in the field of crime science. JDI Director, Professor Richard Wortley, described the partnership with Wynyard as part of a multi-disciplinary initiative that aims to contribute significantly to finding new ways to cut crime and increase security. Wynyard s Crime Science Research Institute programs include: Applied crime science research. Public-private sector crime science research. Crime prevention tools prototyping. Sponsorship of relevant Masters and PhD s. Gifting of Wynyard s advanced crime analytics software to institutions. Internships. 24

25 5- Future outlook Innovation in the marketplace from the most complex governmental and financial institutions will become ever more available. There will continue to be significant crossover between financial and nonfinancial crime analytics solutions. Firms are moving towards outsourced and software as a service (SaaS) solutions, particularly for largescale crime analytics. The processing and database structures required for discovery-based analytics that can find the unknown unknowns cannot be implemented in a cost-efficient manner for most firms with legacy relational databases. Vendor solutions provide lower cost and more specialized solutions that can be laid over current database systems. Discovery-based solutions will remain in-house and will increasingly employ machine-learning, assisted intelligence solutions. In a survey from Chartis 8, 83% of surveyed firms indicated that they would be implementing AI at some point in the future. Assisted intelligence solutions and the use of visualization techniques will make discovery-based solutions available to a wider array of users, but will still require search-based solutions in order to drill down into data. AI analytics often cannot be reverse-engineered and represent black boxes. This means that traditional search-based analytics and human input will remain essential. The lines between crime analytics, social media and sentiment analysis will blur as further analytics are employed in the field of reputational risk management, which Chartis predicts will eventually overtake the current compliance-focused business case. Crime analytics will involve sharing of data across borders, regionally, internationally and between the financial and non-financial areas of crime analytics, and incorporating open source data. 8 The Evolution of Risk Technology, Chartis,

26 6- How to use research and services from Chartis In addition to our flagship industry reports, Chartis also offers customized information and consulting services. Our in-depth knowledge of the risk technology market and best-practice allows us to provide high quality and cost-effective advice to our clients. If you found this report informative and useful, you may be interested in the following services from Chartis. For risk technology buyers If you are purchasing risk management software, Chartis s vendor selection service is designed to help you find the most appropriate risk technology solution for your needs. We monitor the market to identify the strengths and weaknesses of the different risk technology solutions, and track the post-sales performance of companies selling and implementing these systems. Our market intelligence includes key decision criteria such as TCO (total cost of ownership) comparisons and customer satisfaction ratings. Our research and advisory services cover a range of risk and compliance management topics such as credit risk, market risk, operational risk, GRC, financial crime, liquidity risk, asset and liability management, collateral management, regulatory compliance, risk data aggregation, risk analytics and risk BI. Our vendor selection services include: Buy vs. Build decision support Business and functional requirements gathering Identification of suitable risk and compliance implementation partners Review of vendor proposals Assessment of vendor presentations and demonstrations Definition and execution of Proof-of-Concept (PoC) projects Due diligence activities For risk technology vendors Strategy Chartis can provide specific strategy advice for risk technology vendors and innovators, with a special focus on growth strategy, product direction, go-to-market plans, and more. Some of our specific offerings include: Market analysis, including market segmentation, market demands, buyer needs, and competitive forces Strategy sessions focused on aligning product and company direction based upon analyst data, research, and market intelligence Advice on go-to-market positioning, messaging, and lead generation Advice on pricing strategy, alliance strategy, and licensing/pricing models Thought Leadership Risk technology vendors can also engage Chartis to provide thought leadership on industry trends in the form of in-person speeches and webinars, as well as custom research and thought-leadership reports. Target audiences and objectives range from internal teams to customer and user conferences. Some recent examples include: Participation on a Panel of Experts at a global user conference for a leading ERM (Enterprise Risk Management) software vendor. Custom research and thought-leadership paper on Basel 3 and implications for risk technology Webinar on Financial Crime Risk Management Internal education of sales team on key regulatory and business trends and engaging C-level decision makers 26