This piece was written by Amanah Ramadiah and Riccardo Marcaccioli (Data Scientists at FNA), and Kimmo Soramäki (FNA’s CEO).
When Machine Learning Meets Network Science
Suppose Alice makes a new payment to Bob. A moment later, Alice makes another new payment to Chuck. Can we know if either of the two transactions is suspicious?
The above example, which uses fictional characters common in discussions of security protocols, illustrates the challenge of predicting anomalous payments. This task is important, as anomalous payments may be related to cybersecurity breaches, fraud, money laundering, terrorism financing, operational errors, exchange controls, illicit transactions, sanctions, and PEPs. It is especially relevant now that Covid-19 has increased cyber risks. According to FS-ISAC, cyber attacks against financial institutions rose from 5,000 per week in February 2020 to more than 200,000 per week in late April. Even before Covid, however, cyber attacks were on the rise and hackers had started to target the core of the financial infrastructure.
In February 2016, for example, hackers associated with North Korea carried out one of the largest cyber heists in history. The hackers sent almost one billion worth of fraudulent money transfer orders via the SWIFT network from the Bangladesh central bank’s foreign reserve account at the Federal Reserve Bank of New York to fictitious accounts at, among others, a branch of Rizal Commercial Banking Corporation in Manila. Although parts of the transfers were blocked or have been recovered, over $78 million is still missing. Moreover, in 2018, the Bank of Mexico revealed that Mexico’s financial system had been the victim of a cyber attack. Cybercriminals used bogus accounts to transfer $15 million from one bank to another via Mexico’s SPEI electronic payment system. These examples underline the rising risk of cyber attacks on payment systems and associated infrastructures.
Because cyberattacks could have financial stability consequences, it is important for central banks and financial market infrastructures to have an adequate level of cyber resilience. For instance, a recent BIS bulletin (Aldasoro et al., 2021) highlighted that “in some circumstances, cyberattacks could have systemic implications and cause serious economic dislocations”. Moreover, Paul Mee and Til Schuermann wrote in Harvard Business Review (2018) that “The next crisis might not come from a financial shock at all. The more likely culprit: a cyber attack that causes disruptions to financial services capabilities, especially payments systems, around the world”.
At the same time, money laundering is rampant. FNA reviewed 14 recent major money laundering events and found that whistleblowers and investigative journalism are the main ways money laundering schemes are exposed, while banks are often complacent. Additionally, even though the current anti-money laundering programs at banks are usually expensive, we find that they are mostly compliance-focused, often passive, and thus cannot keep pace with changing or adaptive money laundering networks and schemes. In particular, notorious money laundering events are rarely identified by financial institutions.
A Network-Based Supervised Learning Model
In the following, we present an anomaly detection solution that is built on a network-based supervised learning model and is particularly suited to interbank payment systems. Generally, an anomaly detection task can be framed as a classification problem, that is: “given some transaction history, is the new payment anomalous?”. However, there are some substantial differences between standard learning algorithms and a model that incorporates network features (see Table 1). For example, the latter is intuitive and does not need training data on anomalous payments. This is particularly important when one has no data about past anomalous payments, as in the case of interbank payment systems that have never had any fraud. Moreover, Molloy et al. (2017), who evaluate such models on a large dataset from a European bank, show that network-based models can substantially reduce false positives in traditional fraud scoring.
Formally, the approach we take at FNA merges supervised and unsupervised learning. The reason is that predicting whether new payments are (or are not) anomalous is a very hard problem. First, anomalous payments may follow different rules and criteria. Second, data on anomalous payments make up an overwhelmingly small portion of the data compared to normal payments. Therefore, rather than identifying the anomalous payments, we focus on the payments that should be predicted as normal.
In particular, given the current and past state of the system, we train a classifier to predict which new payments are going to appear, so that we can use it to flag any unpredictable payment as anomalous. To put the idea in more rigorous terms, we are creating a null model of the underlying payment creation process using a supervised learning paradigm. If the model says that a new payment is exceedingly improbable, then we can mark it as anomalous. Of course, doing this inevitably comes with some false positives. However, if the training was successful, their number will be tremendously lower than with any unsupervised approach.
Let us illustrate a simple application of this method using the above example of the payments made between Alice and Bob and between Alice and Chuck. Our task is to identify whether either of these new payments is suspicious. To this end, we first construct a network of transactions using the historical payment data. A node in the network corresponds to a sender’s or a receiver’s account, while a link connecting two nodes carries the volume of the payment between them.
Figure 1a shows the case of the new payment made between Alice and Bob. As observed in the figure, Alice has previously made a payment to Erin, and Erin once made a payment to Bob. This implies that the graph distance between Alice and Bob is short, and thus the new payment between them will be predicted as normal.
Meanwhile, Figure 1b represents the case of the new payment made between Alice and Chuck. Unlike in the previous case, the graph distance between Alice and Chuck turns out to be longer. The model will predict that the new payment between them is exceedingly improbable, and therefore it will be flagged as anomalous.
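The Alice, Bob and Chuck illustration can be reproduced in a few lines. This is an added example, not FNA's code: the payment history is constructed, links are treated as directed hops, and the `max_hops` cut-off and all function names are assumptions.

```python
from collections import defaultdict, deque

# Constructed payment history (sender, receiver, volume); not real data.
HISTORY = [
    ("Alice", "Erin", 120.0),
    ("Erin", "Bob", 80.0),
    ("Bob", "Dave", 45.0),
    ("Dave", "Frank", 60.0),
    ("Frank", "Chuck", 30.0),
]

def build_network(history):
    """Directed payment network: node = account, link weight = total volume."""
    net = defaultdict(dict)
    for sender, receiver, volume in history:
        net[sender][receiver] = net[sender].get(receiver, 0.0) + volume
        net.setdefault(receiver, {})  # receivers are nodes even without outgoing links
    return net

def hop_distance(net, source, target):
    """Breadth-first search; returns the hop count, or None if unreachable."""
    if source not in net or target not in net:
        return None  # an account never seen in the history has no distance
    seen, queue = {source}, deque([(source, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in net[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def score_payment(net, sender, receiver, max_hops=2):
    """Flag a new payment when sender and receiver are far apart or unconnected.
    max_hops is an assumed cut-off, not a value from the article."""
    dist = hop_distance(net, sender, receiver)
    return {"distance": dist, "anomalous": dist is None or dist > max_hops}

if __name__ == "__main__":
    net = build_network(HISTORY)
    for receiver in ("Bob", "Chuck", "Mallory"):
        print("Alice ->", receiver, score_payment(net, "Alice", receiver))
```

A receiver that has never appeared in the history (Mallory here) has no path at all and is flagged, which is the strictest form of the "first payment" case.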
Test Case: Data from an RTGS System
We previously showed how a simple network feature can be used to detect anomalous payments. In the following, we will look at the model that incorporates network features into a supervised learning algorithm. We will also discuss how a more complex feature space can improve the model’s performance.
To build the model, we pass the collection of vectors (feature space) to a supervised learning algorithm (Artificial Neural Network) and train it (see Figure 2). The Artificial Neural Network learns to predict whether a link should exist or not, based on other links in the network. In other words, the input of the model is network features of the data, while the output is a probability for each possible link.
There is a wide range of network features that can be considered to perform the classification task. The FNA Platform provides 300+ algorithms for different network types (binary, weighted, directed) designed for such purposes. For example, it includes several distance measures, such as shortest path and random walk. The FNA Platform also includes centrality measures (e.g., SinkRank, PageRank, CheiRank, betweenness, and closeness) and community detection algorithms (e.g., Louvain, Newman).
Let’s start with a simple feature space that consists of weighted distances between the sender and receiver of a payment. To test the model, we use a real dataset from an RTGS system of 100 banks covering 385 days of transactions. In the test set, we find the model correctly predicts the existence of links for 85% of the new payments (expected anomaly detection is 15% of the “first payment” relationship). This result indicates that the model is effective, but it can still be improved.
We then consider a more complex feature space, which consists of the weighted distance between the sender and receiver of the payment, the number of connections of sender/receiver (Degree), and the influence of the sender over the receiver (Leontief Matrix). In the test set, we now observe that the model correctly predicts the existence of links for 94% of the new payments (expected anomaly detection 6% of the “first payment” relationship). This result indicates that taking the more complex feature space into account does improve the effectiveness of the model.
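The richer feature space described above can be assembled per candidate payment as follows. This is an added sketch, not the FNA Platform's implementation: the sample payments are constructed, and the link cost (1/volume), the row-normalised and damped Leontief inverse, and all function names are assumptions. The classifier that consumes the vector is not shown.

```python
import heapq

# Constructed sample (sender, receiver, volume); not data from the RTGS system.
PAYMENTS = [("A", "B", 50.0), ("B", "C", 30.0), ("A", "C", 5.0),
            ("C", "D", 20.0), ("D", "A", 10.0)]

def volume_matrix(payments):
    """Index the banks and aggregate payment volume into a dense matrix W."""
    banks = sorted({b for s, r, _ in payments for b in (s, r)})
    idx = {b: i for i, b in enumerate(banks)}
    W = [[0.0] * len(banks) for _ in banks]
    for s, r, v in payments:
        W[idx[s]][idx[r]] += v
    return idx, W

def weighted_distance(W, src, dst):
    """Dijkstra with link cost 1/volume (assumed), so heavy links are short."""
    dist, heap = {src: 0.0}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            return d
        if d > dist[u]:
            continue  # stale queue entry
        for v, w in enumerate(W[u]):
            if w > 0 and d + 1.0 / w < dist.get(v, float("inf")):
                dist[v] = d + 1.0 / w
                heapq.heappush(heap, (dist[v], v))
    return float("inf")  # no payment path from sender to receiver

def leontief(W, damping=0.85, terms=50):
    """Approximate (I - damping*A)^-1 by its Neumann series, A = row shares of W.
    Damping (assumed) keeps the series convergent when rows of A sum to 1."""
    n = len(W)
    A = [[damping * w / (sum(row) or 1.0) for w in row] for row in W]
    L = [[float(i == j) for j in range(n)] for i in range(n)]
    P = [row[:] for row in L]
    for _ in range(terms):
        P = [[sum(P[i][k] * A[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
        L = [[L[i][j] + P[i][j] for j in range(n)] for i in range(n)]
    return L

def features(payments, sender, receiver):
    """[weighted distance, sender out-degree, receiver in-degree, Leontief influence]"""
    idx, W = volume_matrix(payments)
    s, r = idx[sender], idx[receiver]
    out_deg = sum(1 for w in W[s] if w > 0)
    in_deg = sum(1 for row in W if row[r] > 0)
    return [weighted_distance(W, s, r), out_deg, in_deg, leontief(W)[s][r]]
```

For a sender and receiver with no connecting path, the distance is infinite and the influence entry is zero, so such a pair sits at the extreme of the feature space.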
Overall, we find that the network-based supervised learning model is a powerful solution to detect anomalous payments.