FIELD OF INVENTION

The present disclosure relates to detection of fraud, and, more particularly, to system and method to determine fraudulent activity in financial transactions.

SUMMARY OF THE PRIOR ART

This section is intended only to provide background information pertaining to the similar field of the present invention, and may be used only to enhance the understanding of the present invention and not as admissions of prior art. Since the inception of financial currency for replacing barter system, there have been attempts to mimic said currency, utilise said currency for illegal or unethical means, and even individually collect huge amounts of such currency. With times, institutions and money lenders started noticing behavioural patterns which were a give-away for fraudulent activities, and some of these are still being identified at modern banks by tellers.

With the evolving financial markets, the challenge of financial institutions for monitoring fraudulent transactions is increasing regularly, calling for an increase in the due diligence made for every consumer and each transaction, as well as an appropriate monitoring of financial transactions. Although cashless transactions have been monitored since the evolution of digital currency, it has become overly complex due to the increasing number of financial instruments, transaction channels, higher convergence of global markets, and bigger volume of money flowing through their network.

Generally, financial institutions utilise an enterprise-wide fraud detection solutions for monitoring financial transactions. Such solutions are merely implemented with a pre-determined set of scenarios monitoring fraudulent and anomaly behaviours, that includes, but are not limited to large cash transactions, a high velocity of funds being transferred to and from an account or set of accounts, and a particular structuring of transactions. Such transactions are investigated to ascertain fraudulent behaviour. However, the majority of such transactions are found to be genuine, and classified as false positives, making the fraud detection solution a burden on the financial institutions, to specifically arrange staff for the investigation of the same. The major reason behind the difficulties faced by financial institutions for depicting fraudulent activities, which is the lack of good quality financial data or transaction data that is very much critical to develop a robust machine learning model.

Additionally, quantitative approaches to detecting fraudulent activities is limited to two approaches- the former maximising a recall rate, and eventually, precision rate via the utilisation of data mining techniques, and machine learning techniques, that includes, but are not limited to support vector machines and correlation analysis; and the latter focussing on anomaly or fraud detection through clustering and utilising classification algorithms which provide a mechanism for detecting various kinds of fraudulent activities.

There is, therefore, a need to provide a fraud detection system and method, which fine-tunes scenarios for the enormity and volume of current financial transactions and assists in reducing the rate of false positives.

Moreover, there exists a need to provide a machine learning approach on multi- dimensional data spanning across customers, accounts, transactions, channels, products, counterparties, geography, and time to enhance the capability of the fraud detection system and method.

SUMMARY OF THE INVENTION

In one aspect of the present disclosure, a fraud detection system id disclosed that further includes a processing circuitry that is configured to receive financial transaction data. The fraud detection system further includes a predictive analysis engine that is configured in the processing circuitry to determine current trends of financial transaction data. The system further includes a transaction monitoring engine that is configured in the processing circuitry to monitor fraudulent activities based on the financial transaction data. The system further includes a scenario identification engine that is configured in the processing circuitry to traverse and determine scenarios associated with the financial transaction data such that the scenarios are based on behaviour of users to execute transaction. The system further includes a threshold engine that is configured in the processing circuitry to provide a baseline for consideration of scenarios associated with the scenario identification engine, and the threshold engine is further configured to calibrate the baseline to determine parameters of the baseline, in which the parameters of the baseline are based on recall rate, precision rate, and configured to differentiate fraudulent activities. The threshold engine is further configured to provide a holistic assessment of the baseline for segment of user, counterparty baseline, fraudulent activities by a baseline score. The threshold engine is further configured to supervise the baseline based on transaction behaviour of users through clustering techniques. The threshold engine is further configured to identify behaviours exhibited by users, in which the behaviours are further classified into a suspicious user transaction, non-suspicious customer transaction, and average user transaction. The threshold engine is further configured to detect the fraudulent activities through the clustering techniques and classification techniques such that the fraudulent activities are identified. In some aspects of the present disclosure, the fraud detection system further includes a database that is configured to store the financial transaction data such as user addresses, contact details, bank account numbers, currency values, currency conversion rates, and beneficiary information.

In some aspects of the present disclosure, the database is configured to receive the financial transaction data from the user by way of a central server.

In some aspects of the present disclosure, the financial transaction data includes user details such as contact details, bank account numbers, currency values, currency conversion rates, beneficiary details, or a combination thereof. In some aspects of the present disclosure, the system further includes clustering techniques that are one of a supervised k means clustering, an unsupervised k means clustering, or a combination thereof.

In some aspects of the present disclosure, the transaction monitoring engine is further configured to determine channels, to provide intermediates for transaction such as users, channels, transactions, products, counter parties, geography, and time.

In some aspects of the present disclosure, the scenario identification engine is further configured to identify fraudulent scenarios such as daily cash and credit related scenarios, wire transaction related scenarios, monthly scenarios for aggregated amounts, and cash withdrawal through multiple channels -based scenarios.

In some aspects of the present disclosure, the baseline is derived from average thresholds acknowledged from one or more thresholds derived by the user, such that the parameters of the baseline are determined that are associated with the populations of users by identifying different sub-groups of consumers based on transactional activity and behaviours in a targeted manner.

In some aspects of the present disclosure, the system further includes an output engine that is configured to provide output data to an authorized user. In second aspects of the present disclosure, a method for detecting fraudulent activities is disclosed. The method including steps of receiving financial transaction data from users by a central server; determining the financial transaction data by a processing circuitry; monitoring fraudulent activities based on the financial transaction data by a transaction monitoring engine; identifying and determining scenarios associated with the financial transaction data, such that the scenarios are based on behaviour of users to execute transaction; determining a baseline by a threshold engine for consideration of scenarios associated with the scenario identification engine. The threshold engine is further configured to calibrate the baseline to determine parameters of the baseline, in which the parameters of the baseline are based on recall rate, precision rate, and configured to differentiate fraudulent activities. The threshold engine is further configured to provide a holistic assessment of the baseline for segment of user, counterparty baseline, fraudulent activities by a baseline score. The threshold engine is further configured to supervise the baseline based on transaction behaviour of users through clustering techniques. The threshold engine is further configured to identify behaviours exhibited by users, in which the behaviours are further classified into a suspicious user transaction, non-suspicious customer transaction, and average user transaction. The threshold engine is further configured to detect the fraudulent activities through the clustering techniques and classification techniques such that the fraudulent activities are identified.

In some aspect of the present disclosure, the method further including the database that is further configured to store financial transaction data such as user addresses, contact details, bank account numbers, currency values, currency conversion rates, and beneficiary information.

In some aspect of the present disclosure, the method further including the clustering techniques is one of a supervised k means clustering and unsupervised k means clustering.

In some aspect of the present disclosure, the transaction monitoring engine is further determining channels to provide intermediates for transaction such as users, channels, transactions, products, counter parties, geography, and time.

In some aspect of the present disclosure, the scenario identification engine is configured with the transaction monitoring engine to further identify fraudulent scenarios such as daily cash and credit related scenarios, wire transaction related scenarios, monthly scenarios for aggregated amounts, and cash withdrawal through multiple channels-based scenarios.

In some aspect of the present disclosure, the baseline is further derived from average thresholds acknowledged from one or more thresholds derived by the user, such that the parameters of the baseline are determined. In some aspect of the present disclosure, the output engine is configured to provide output data to the authorized user.

BREIF DESCRIPTION OF THE DRAWINGS

Other objects, features, and advantages of the aspect will be apparent from the following description when read with reference to the accompanying drawings. In the drawings, wherein like reference numerals denote corresponding parts throughout the several views:

FIG. 1 illustrates a block diagram of a system, in accordance with an aspect of the present disclosure; and

FIG. 2 illustrates a flowchart of a method for detecting fraudulent activities, in accordance with an aspect of the present disclosure.

To facilitate understanding, like reference numerals have been used, where possible to designate like elements common to the figures.

DETAILED DESCRIPTION

The aspects herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting aspects that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the aspects herein. The examples used herein are intended merely to facilitate an understanding of ways in which the aspects herein may be practiced and to further enable those of skill in the art to practice the aspects herein. Accordingly, the examples should not be construed as limiting the scope of the aspects herein.

The examples used herein are intended merely to facilitate an understanding of ways in which the aspects herein may be practiced and to further enable those of skill in the art to practice the aspects herein. Accordingly, the examples should not be construed as limiting the scope of the aspects herein. As mentioned, there remains a need to provide a fraud detection system and method, which fine-tunes scenarios for the enormity and volume of current financial transactions and assists in reducing the rate of false positives of activities.

“Financial institution” is defined as any organization in the business of moving, investing, or lending money, dealing in financial instruments, or providing financial services. This includes, but are not limited to commercial banks, thrifts, federal and state savings banks, savings and loan associations, credit unions, investment companies, insurance companies and the like.

The term “customer”, “consumer”, “user”, “enterprises”, and the like are defined as an individual or entity having an account or relationship with entities implementing the risk management system, and/or an individual or entity having an account or relationship with a financial institution or a non-financial institution. As used herein, the user may also refer to an individual or entity that is not authorized to access the system 100 but may include access to authorized credentials.

The term “transaction” may be monetary in nature ( e.g ., a purchase via a credit card; depositing a check in an account, a stock trade or the like) or non-monetary in nature (e.g., a telephone call, an encounter with a financial institution or non-financial institution associate/representative, an identity authentication process, such as a biometric identity authentication process, recorded use of a utility, such as electricity and the like).

FIG. 1 is a block diagram that illustrates a system 100, in accordance with an exemplary aspect of the present disclosure.

The system 100 may include a database 102 and processing circuitry 104. The processing circuitry 104 may include a transaction monitoring engine 106, a scenario identification engine 108, a threshold engine 110, and a predictive analysis engine 112. The system 100 may further include an output engine 114.

The database 102 may be configured to receive and store financial transaction data 116 from a central server 118 by way of a communication network 120. In some aspects of the present disclosure, the financial transaction data 118 may be obtained from a user, a group of users, consumers, entity, enterprises, financial organizations, and the like that may perform any activity based on transactions.

The database 102 may be configured to provide the financial transaction data 116 to the transaction monitoring engine 106 associated with the processing circuitry 104. Examples of the database 102 may include, but are not limited to, a flash storage, a Microsoft Structured Query Language (SQL) Server, an oracle database, a cloud database, and the like. Aspects of the present disclosure are intended to include or otherwise cover any type of the database 102 including known, related art, and/or later developed technologies.

In an aspect, the communication network 120 may include suitable logic, circuitry, and interfaces that may be configured to provide a plurality of network ports and a plurality of communication channels for transmission and reception of data related to operations of various components of the system 100. Each network port may correspond to a virtual address (or a physical machine address) for transmission and reception of the communication data. Lor example, the virtual address may be an Internet Protocol Version 4 (IPV4) (or an IPV6 address) and the physical address may be a Media Access Control (MAC) address. The communication network 106 may be associated with an application layer for implementation of communication protocols. The financial transaction data 116 may be transmitted or received, via the communication protocols. Examples of the communication protocols may include, but are not limited to, Hypertext Transfer Protocol (HTTP), Pile Transfer Protocol (PTP), Simple Mail Transfer Protocol (SMTP), Domain Network System (DNS) protocol, Common Management Interface Protocol (CMIP), Transmission Control Protocol and Internet Protocol (TCP/IP), User Datagram Protocol (UDP), Long Term Evolution (LTE) communication protocols, or any combination thereof.

In one aspect, the financial transaction data 116 may be transmitted or received via at least one communication channel of a plurality of communication channels in the communication network 120. The communication channels may include, but are not limited to, a wireless channel, a wired channel, a combination of wireless and wired channel thereof. The wireless or wired channel may be associated with a data standard which may be defined by one of a Local Area Network (LAN), a Personal Area Network (PAN), a Wireless Local Area Network (WLAN), a Wireless Sensor Network (WSN), Wireless Area Network (WAN), Wireless Wide Area Network (WWAN), a metropolitan area network (MAN), a satellite network, the Internet, a fiber optic network, a coaxial cable network, an infrared (IR) network, a radio frequency (RF) network, and a combination thereof. Aspects of the present disclosure are intended to include or otherwise cover any type of communication channel, including known, related art, and/or later developed technologies.

The processing circuitry 104 may be further configured to organize the financial transaction data 116 in separate groups, arrays, sections, sectors, and the like of the database 102.

The processing circuitry 104 may include a single computer or a network of processing entities (e.g., computers) that may have the ability to receive, process and evaluate the financial transaction data 116. The processing circuitry 104 may have or operate at least a server computer and may be coupled to the database 102 or plurality of databases. The processing circuitry 104 may include a selection of merchant profiles that can be created, modified, and/or deleted. The processing circuitry 104 may further record an audit log of modifications made to customizable settings, and merchant profiles that reside within the system. The processing circuitry 104 may also create reports and statistical analyses of the frequency of the financial transaction data 116.

The central server 118 may receive the financial transaction data 116 from the user. Further, the central server 118 may transmit the financial transaction data 116 to the database 102 by way of the communication network 120.

In one aspect, the “central server 118” may be referred to an external server which is connected to the user via a network, such as via Internet. The central server 118 may also only be accessible to the users of a company, individuals, entities, and the like. The transaction monitoring engine 106 may be configured to monitor transactional activities based on the financial transaction data 116. The transaction monitoring engine 106 may be communicatively coupled to the database 102 and the scenario identification engine 108 that further determines channels to provide intermediates for transaction such as customers, channels, transactions, products, counter parties, geography, and time.

The transaction monitoring engine 106 may be configured to receive financial transaction data 116 and monitor the financial transaction data 116. Specifically, monitoring the financial transaction data 116 may include determining the financial transaction data 116 transfer status, comparing financial transaction data 116 to unwanted noise data, reviewing the financial transaction data 116 for errors, logging financial transaction data 116, balancing aggregate records of financial transaction data 116 with individual financial transaction data 116, aggregating financial transaction data 116, and the like. The scenario identification engine 108 may be configured to traverse and determine scenarios associated with the financial transaction data 116. In an aspect, the scenarios associated with the scenario identification engine 108 may be based on behaviour of consumers to execute transaction. The scenario identification engine 108 may be configured with the transaction monitoring engine 106. The scenario identification engine 108 may further configured to identify fraudulent scenarios such as daily cash and credit related scenarios, wire transaction related scenarios, monthly scenarios for aggregated amounts, and cash withdrawal through multiple channels-based scenarios.

The threshold engine 110 may be configured to determine and provide a baseline 122 for consideration of scenarios associated with the scenario identification engine

108. In some aspects of the present disclosure, the baseline 122 may be associated to, but not limited to, a current volume of total number of alerts, total unique customer for which alerts are generated, total suspicious alerts (i.e., true positives), total unique customer for the suspicious alerts, and the like. It will be apparent to the person of ordinary skill in the art that although it is disclosed that the baseline 122 includes the above-mentioned details. However, the baseline 122 may be associated with other details as well, without deviating from the scope of the present disclosure.

Specifically, the threshold engine 110 may be configured to generate the baseline 122 for each scenario that is deployed. In an aspect, the threshold engine 110 may be further configured to calibrate the baseline 122 to determine parameters of the baseline 122. Further, the threshold engine 110 may be configured to utilize the baseline 122 to fine tune the performance threshold such that number of alerts and STR coverage at individual scenario level as well as overall system level (i.e., cross scenario coverage) is optimized. In one aspect of the present disclosure, the threshold engine 110 may be configured to determine a baseline score 124 for the user. The baseline score 124 may provide a holistic assessment of the user segment’ s/counterparty’s baseline, normal fraudulent activities, for example, how and where, a user, user segment or counterparty normally transacts, channels used, transaction amounts, average deposits maintained, and the like. Once baseline score 124 is determined, the baseline score 124 may be communicated to designated parties. Further, once the baseline score 124 is determined, continuous monitoring of the user’s/user segment’ s/counterparty’s financial transaction data 116 may be provided for determination of deviations from the baseline 122. Deviations from the baseline 122 may be both positive and negative deviations. The negative deviations indicating potentially risk inducing activity and positive deviations indicating potentially risk reducing activities. In another aspect, the baseline score 124 may indicate that the user segment/counterparty exhibits risky activities at the normal level, posing a constant or consistent risk, such as a credit risk, fraud risk, and the like. In such instances, notifications and/or alerts may be communicated to designated parties based on abnormal deviations from the population baseline 122.

In an aspect, the parameters of the baseline 122 may be based on recall rate, precision rate, and the like. In another aspect, the threshold engine 110 may be configured to differentiate fraudulent activities and supervise the baseline 122 based on transaction behaviour of consumers through clustering techniques. The threshold engine 110 may further configured to detect the fraudulent activities through the clustering techniques and classification techniques such that the fraudulent activities are identified. In an aspect, the clustering techniques utilized by the threshold engine 110 may be one of a supervised k means clustering and unsupervised k means clustering, and the like. Aspects of the present disclosure are intended to include and/or otherwise cover any type of the clustering techniques, including known, related, and later developed techniques. In an aspect, threshold engine 110 may be configured to categorize the financial transaction data into groups or categories by utilizing the supervised k means clustering technique and the unsupervised k means clustering technique.

The threshold engine 110 may be further configured to identify behaviours exhibited by the consumers. In an aspect, the behaviours may be classified into one of, a suspicious customer transaction, non-suspicious customer transaction, average customer transaction, and the like. Aspects of the present disclosure are intended to include and/or otherwise cover any type of the behaviours of the consumers that may be required to be identified.

Generally, aspects of the present disclosure maintain a predetermined number or range of transactions in the threshold engine 110, for example, six months of transactions. In an aspect, a long-time user may be categorized as the non- suspicious user if the number of transactions during a period ( e.g ., the last six months) are limited. Similarly, the short-time user may be categorized as the suspicious user if the number of transactions during a period are not limited.

The baseline 122 associated with the threshold engine may be further derived from average thresholds acknowledged from one or more thresholds derived by the user or an enterprise. In an aspect, the baseline 122 may further configured to calibrate for determining the parameters of the baseline 122 such that the parameters are associated with the populations of users by identifying different sub-groups of users based on transactional activity and behaviours in a targeted manner. In another aspect, the processing circuitry 104 further utilizes an optimized baseline 122 that minimizes an overlap of the consumers and thereby maximising rate of capture.

The threshold engine 110 may be further configured with the scenario identification engine 108 to identify the baseline 122 for validation and define eventual productive alert concentration with end-to-end documentation of the parameters before finalizing the calibration.

In an aspect, the threshold engine 110 may further receive the financial transaction data 116 and convert the financial transaction data 116 to the output data 126. In an aspect, the output engine 122 may receive the output data 126 and may further provide the output data 126 to authorized users. The output engine 122 may further include, but are not limited to monitor, screen, touchscreen, multi-touchscreen, and the like. In an aspect, the authorized user may be a user that is authorized by an organization, enterprise, employee, government institute, agencies, and the like to monitor the fraudulent activities.

FIG. 2 is a flowchart that illustrates a method 200 for detecting fraudulent activities, in accordance with an exemplary aspect of the present disclosure.

At step 202, the processing circuitry 104 may be configured to receive financial transaction data 116 from users by way of the central server 118.

At step 204, the financial transaction data 116 may be determined by the processing circuitry 104.

At step 206, transactional activities based on the financial transaction data 116 may be monitored by the transaction monitoring engine 106.

At step 208, scenarios associated with the financial transaction data 116 may be identified and determined. In an aspect, the scenarios are based on behaviour of users to execute transaction.

At step 210, the baseline 122 may be determined by the threshold engine 110 for consideration of scenarios associated with the scenario identification engine 108. In an aspect, the threshold engine 110 may further calibrate the baseline 122 to determine parameters of the baseline 122. In another aspect, the parameters of the baseline 122 are based on recall rate, precision rate, and configured to differentiate fraudulent activities. In another aspect, the threshold engine 122 may further supervise the baseline 122 based on transaction behaviour of consumers through clustering techniques. In another aspect, the threshold engine 110 may further detect the fraudulent activities through the clustering techniques and classification techniques to identify the fraudulent activities. In another aspect, the threshold engine 110 may provide a holistic assessment of the baseline 122 for segment of user, counterparty baseline, fraudulent activities, and the like by the baseline score 124.

As will be readily apparent to those skilled in the art, the present aspects may easily be produced in other specific forms without departing from its essential characteristics. The present aspects are, therefore, to be considered as merely illustrative and not restrictive, the scope being indicated by the claims rather than the foregoing description, and all changes which come within therefore intended to be embraced therein.