The present invention relates to the field of countering money laundering, and more specifically to the detection of money laundering by structuring of transactions and aggregation of money sums by wire transfer.
Money laundering represents a large and increasingly difficult to control problem within the finances of most nations today, and the trend appears to be for the scale of the problem to increase. One of the techniques commonly used in money laundering is to avoid the restrictions on cash transactions that require banks to report large cash deposits or movements by breaking the large cash amounts down into smaller amounts and depositing these smaller amounts in numerous accounts, later transferring the sums by wire transfers in order to aggregate the funds at a remote account. This is known as “structuring of transactions”.
In most countries having a sophisticated legal control structure in the financial arena, banks and other financial institutions have a duty to diligently attempt to detect indications of money laundering activity, such as structuring of transactions, and to report them. However, they cannot accept an outside agency, such as another bank, or a government agency, having access to customer data because of their duty of confidentiality. Thus, when small (below the reporting limits—in the USA, $10,000) cash amounts are progressively aggregated by a number of wire transfers using a number of banks, each bank can only see the data that is in its own system. The overall pattern is not visible.
At the initial stage, any attempt to pattern match is rather inaccurate, giving too many false positives (mischaracterizations of activity as illicit when it is not) to be reliable—there may be a perfectly legitimate need for a small business to deposit amounts that approach, but never exceed, the reporting limit as a matter of course—a business might be stable and based on repeat business in which amounts between $8,500 and $9,500 are taken each week—the company might simply be taking rent for long-term lets of low-rental properties, and so the amounts may naturally vary little and be small. The real grounds for suspicion may only appear when several such small companies start to forward amounts into a single account (aggregation), and this might be by wire transfer to an account at a different bank. The first bank cannot see that aggregation taking place, as there will be confidentiality restrictions in place.
Present methods of detecting money-laundering activities rely largely on watch-lists of suspect individuals and nationalities, “know-your-customer” policies, and expensive large-scale data-mining in transaction record databases. This last gives only historical data, and may be too late to catch an ongoing activity, although it may yield evidence against an individual or organization.
A 1995 US government-commissioned study (U.S. Congress, Office of Technology Assessment, Information Technologies for Control of Money Laundering, OTA-ITC-630 (Washington, D.C.: U.S. Government Printing Office, September 1995)) came to the conclusion that artificial intelligence (AI) could not be used to solve the problem of structured transaction detection because (a) it produced too many false positives, and (b) banks would not accept the potential exposure of customer data to other banks that would come about if AI methods were used on a supra-bank level high enough to reduce false positives sufficiently. The study also concluded that the burden of extra processing associated with known AI methods would be too great for the banks.
The applicant thus believes that it is desirable to have a method of detecting the structuring of transactions in a way that alleviates the above-referenced problems.
The present invention accordingly provides, in a first aspect, a method of detecting structuring of financial transactions, comprising: instantiating a first agent that is autonomous, intelligent, and mobile; attaching said first agent to an onward transfer transaction; gathering, by said first agent, patterns of financial account transfer activity at a recipient account wherein identities of parties to said financial account transfer activity remain anonymous to said first agent; and detecting, by said first agent, a pattern of aggregation among said patterns of financial account transfer activity.
Preferably, said step of instantiating comprises instantiating in response to an indication that a cash deposit has passed a threshold test for suspicion.
Preferably, said step of detecting a pattern of aggregation comprises identifying a plurality of inward transfers of amounts originally deposited as cash deposits each less than a legal reporting requirement amount.
The method preferably further comprises the step of transmitting said first agent from a first computer system to a second computer system.
The method preferably further comprises the step of interrogating by said first agent a second agent to determine if two or more patterns of aggregation relate to a single receiving account.
The method preferably further comprises the step of cloning, by said first agent, to produce a second agent.
Preferably, said first and said second agents are aglets.
The method preferably further comprises the step of examining, by an agent, a watch list.
The method preferably further comprises the step of transmitting said second agent with stop orders for stopping an onward transfer transaction.
Preferably, said first agent acts within an environment that prevents said first agent from modifying system resources.
Preferably, said second agent acts within an environment that prevents said second agent from modifying system resources.
The method preferably further comprises the step of storing details of said pattern of aggregation and an account association therewith in a secure data container.
The method preferably further comprises the step of alerting a financial institution at which said step of detecting has been performed that said step of detecting has been performed.
In a second aspect, the present invention provides a computer program code element to, when loaded into a computer system and executed, perform the method of the first aspect.
Features of the second aspect comprise program code elements corresponding to the method of the first aspect.
The invention advantageously provides a method for detecting transaction patterns that may be related to money laundering, even across numerous communicating bank systems, without allowing outside access to a bank's customer records until probable cause has been established and a subpoena or search warrant has been issued.
Further advantageously, the detecting program components can be small, agile pieces of code capable of pattern matching activity by detecting patterns in real time and within a local scope, rather than large AI programs that are pattern seeking over entire large databases.
As pointed out in the Government study, normal AI approaches produced too many false positives, and also banks would not accept the potential exposure of customer data to other banks that would come about if AI methods were used on a supra-bank level high enough to reduce false positives sufficiently.
One embodiment of the present invention advantageously addresses both of these problems by seeking more than only a small segment of a pattern of activity across a plurality of bank wire transfer interfaces that might be suspicious, thus having a wider view than any single bank can have. In this manner, the advantageous ability to reduce the number of false positives as the pattern progresses is provided—program components that find no evidence of suspect aggregation patterns after they have been sent a certain number of stages along a path of transfers can be programmed to simply deinstantiate themselves and delete any record of their existence from the secure environment. Because any extracted information that contains any customer data is preferably maintained inside a secure data container, no bank is able to see the data taken from another bank's records, and the information is only available to a law enforcement agency after finding probable cause and the issuing of a search warrant or subpoena.
One embodiment of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
In one embodiment of the present invention, an autonomous, intelligent, mobile software agent is used to detect patterns that may indicate structuring of transactions.
The one embodiment of the present invention uses autonomous, intelligent, mobile agents called “aglets” to trail transactions that have been “tagged” as stemming from possibly suspect starting points. Aglets are already well-known in the art, having been invented by researchers at the IBM Tokyo Research Laboratory, but a few notes on them and on their use will be found helpful, and will be included in the detailed description of the one embodiment of the present invention. The Aglet Software Developer's Kit (ASDK) is provided freely under an Open Source license and is available for download from the World Wide Web by software developers interested in using it. In brief, aglets are agent objects with defined sets of methods that enable them to behave in an autonomous fashion, in instantiating themselves in response to a particular “stimulus”, and then in serializing their program code and data in order to autonomously send themselves to remote systems. They are further capable of cloning themselves for various purposes, one of which is so that they can forward copies of themselves to remote systems.
To preserve the security and integrity of the systems on which aglets execute, they are capable of instantiating themselves only within a sealed-off aglet context, similar to the Java Virtual Machine “sandbox” which enables Java applets to operate within users' systems without having the ability to interact to the detriment of the “host” system. Similar security and integrity protection is provided in aglet contexts, thus preserving, in the one embodiment of the present invention, the confidentiality, security and integrity requirements of the banks in whose systems they will be executing.
In one embodiment, a pattern matching “sniffer” aglet is initiated at a first bank (financial institution) to examine cash transactions for patterns that might indicate that structuring of transactions is taking place. Alternatively, another pattern-matching application may perform the first pass, to save space in the aglet—in that case, the other pattern-matching application starts the smaller sniffer aglet. At this stage, the pattern match is rather inaccurate, giving too many false positives to be reliable—there may be a perfectly legitimate need for a small business to deposit amounts that approach, but never exceed, the reporting limit as a matter of course—a business might be stable and based on repeat business in which amounts between $8,500 and $9,500 are taken each week—the company might simply be taking rent for long-term lets of low-cost properties, and so the amounts may naturally vary little and be small. The real grounds for suspicion may only appear when several such small companies start to forward amounts into a single account (aggregation), and this might be by wire transfer to an account at a different bank (second financial institution). The first bank cannot see that aggregation taking place, as there will be confidentiality restrictions in place.
In one embodiment of the present invention, the pattern matching aglet (a “sandboxed”, autonomous, intelligent mobile agent) transmits itself, with the wire transfer, from the first bank's system to the second and subsequent banks in the chain, holding a secure data container (possibly an IBM Cryptolope data container) with details of the original pattern, and seeking aggregation patterns associated with the second and subsequent transfers. As soon as it finds such a pattern of aggregation, it alerts the bank officials, who can then, if necessary, run their own automated and manual checks; the aglet also seeks other sniffer aglets in the same aglet environment and interrogates them as to the existence of any convergent tree structures. Any sniffer aglets that find such converging structures may then register with the bank officials the fact that they have found a tree structure of aggregation that joins the transactions they have been “tailing” at an aggregation node. The alerted bank can then follow its statutory reporting rules to inform the appropriate law enforcement organization that it suspects a money-laundering pattern and that it is holding an encrypted record of the transactions involved under the seal of the secure data container. The law enforcement agency then has “probable cause” and can obtain a subpoena to open the container to obtain the evidence. Meanwhile, if any onward transfers from a suspect account have taken place, the aglet or aglets may clone themselves and continue in pursuit, alerting subsequent banks to enable them to detect further activity and to report it.
If the alert has reached the law enforcement agency, and they have confirmed the pattern match by examining the contents of the secure data container, the sniffer aglet at the bank that holds the secure data container may be cloned under control of the law enforcement agency and may be sent to trail its “sent ahead” clone, or clones, with powers to issue instructions to stop further transactions under penalty of law, and to report back, with a log of the or each journey, so that the onward trail may be used by the agency. At any point of divergence, the sniffer aglet that has been sent onward can clone itself to follow more than one path, leaving a “forwarding address” inside the secure aglet environment, so that it can be followed.
Referring now to
Transfer transaction TXN A (106) causes the associated Aglet A (108) to follow it by serializing itself in a conventional manner, transmitting itself to the destination system of TXN A (106). Thus Aglet A (108) moves from aglet context A (104) in first computer system (100) into aglet context B (114) in second computer system (122) and reinstantiates itself. Systems 100 and 122 may be within a single institution's computer system infrastructure, or may be in separate institutions connected by a financial clearing network, or by some more general network, of which one example is the Internet.
Aglet A (108) is equipped to check activity patterns within account A/C 2 (110) in an attempt to either confirm a positive match with a suspect pattern, or to eliminate suspicion. If it eliminates suspicion, it simply clears away all its data and destroys itself. Aglet A (108) can also communicate with any other aglets within aglet contexts (104, 108). Here, Aglet A (108) communicates with Aglet B (118). Aglets, such as (108, 118) can also use watch list (120) as part of the process of confirming or eliminating suspicion.
Turning now to
In
The aglet and the infrastructure in which it “lives” in each system may need to form part of a trust structure, to permit aglets to pass from system to system without compromising the security of the systems. They may need to be capable of tunneling through firewalls, and for this to be acceptable to banks, each aglet environment will need a sophisticated security arrangement. However, the aglet of the one embodiment itself cannot “see” customer data, which is retrieved via the aglet environment and placed directly into a secure data container—the aglet can only read and match anonymous patterns and carry the secure data container, not read its contents. The aglet, once it is in its context in a bank's system, is really engaged in detecting aggregation nodes, and listening for any other sniffer aglets that may have located the same aggregation account from a different suspect starting account. It is not concerned with customer account details, but only with a limited set of indicator patterns, which may be retrieved by the aglet context, rather than by allowing the aglet any access to customer account data.
One embodiment of the present invention provides the sniffer aglets with sets of patterns to detect, first, potentially suspect cash transactions, and then patterns of converging transactions as amounts are aggregated. Aglets known in the art are already provided with means to communicate with other aglets, so it is straightforward to provide “rules of engagement” to allow two sniffer aglets to “join forces”. Aglets also have the power to clone themselves, making them very suitable to follow diverging paths of transfers, as well as converging paths.
In one embodiment, an aglet environment is constructed with the capability of accepting secure, trusted aglets and permitting them to await the triggering of a transaction event that can be tested against the suspect pattern templates with which they are provided. The aglets are programmed, for example, to test for patterns of aggregation of small amounts into larger amounts by transfer of funds by wire from what was originally a suspected transaction structuring account. The aglet carries with it a first secure data container containing data gathered during the original alerting process at the bank where the aglet was initiated. The aglet also queries the aglet environment for the existence of other aglets, so that the aglets can combine forces if they discover that both are triggered by pattern-matched events on the same account. The aglets may further be equipped with the capability of triggering the aglet context to examine account names, destinations etc. for any that are on the watch list (Suspect Territory account holders, Suspect Persons lists, etc.). The aglet may not need to carry these lists with it, as they will already be stored somewhere in the bank's system, and thus will be accessible by the aglet environment on the system. The aglet may then alert the aglet environment, which creates a secure data container into which all transaction data that is already stored in the first secure data container, and any further data gathered at this bank can be stored. If the probability of a false positive is determined to be low, the aglet requests the aglet environment to alert the bank. If there is an onward transfer of funds the aglet clones itself and sends its clone onward with the transfer.
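The separation of duties described in the two passages above (the context retrieves customer data and seals it, while the agent matches only anonymous indicators and compares notes with other agents) can be sketched as follows. This is an added illustration, not code from the specification or from the Aglet SDK; the class names, the HMAC pseudonyms standing in for "anonymous patterns", the dictionary standing in for the secure data container, and the numeric thresholds other than the $10,000 limit are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

REPORTING_LIMIT = 10_000    # USD cash reporting limit cited in the text
NEAR_LIMIT = 0.8            # assumption: "approaching" the limit means >= 80% of it
MIN_FEEDERS = 3             # assumption: distinct feeder accounts that count as aggregation
MAX_HOPS = 3                # assumption: stages travelled before an agent gives up

@dataclass
class SnifferAgent:
    name: str
    hops: int = 0
    node: Optional[str] = None   # pseudonymous token of the account being watched
    suspicious: bool = False
    alive: bool = True

    def arrive(self, ctx, node, indicators):
        """Match anonymous indicators; the agent never sees account identifiers."""
        self.hops += 1
        self.node = node
        feeders = {src for src, amount, cash_origin in indicators
                   if cash_origin and NEAR_LIMIT * REPORTING_LIMIT <= amount < REPORTING_LIMIT}
        self.suspicious = len(feeders) >= MIN_FEEDERS
        if self.suspicious:
            ctx.seal(node)                       # the context, not the agent, stores the records
        elif self.hops >= MAX_HOPS:
            self.alive, self.node = False, None  # no pattern after MAX_HOPS: clear data and stop

    def converges_with(self, other):
        """True when two agents have trailed different transfers to the same account."""
        return self.alive and other.alive and self.node is not None and self.node == other.node

class AgletContext:
    """Bank-side environment: holds customer records, releases only pseudonyms."""
    def __init__(self, bank_key, wires):
        self._key = bank_key
        self._wires = wires          # (from_account, to_account, amount, cash_origin)
        self.sealed = {}             # stand-in for the secure data container

    def _token(self, account):
        return hmac.new(self._key, account.encode(), hashlib.sha256).hexdigest()[:16]

    def admit(self, agent, recipient):
        indicators = [(self._token(src), amount, cash)
                      for src, dst, amount, cash in self._wires if dst == recipient]
        agent.arrive(self, self._token(recipient), indicators)

    def seal(self, node):
        self.sealed[node] = [w for w in self._wires if self._token(w[1]) == node]

# Constructed sample data for a hypothetical second bank.
WIRES = [("A-17", "B-1001", 9200, True), ("A-22", "B-1001", 8900, True),
         ("A-31", "B-1001", 9400, True), ("A-40", "B-2002", 9100, True)]

def run_demo():
    ctx = AgletContext(b"constructed-demo-key", WIRES)
    a, b, c = SnifferAgent("A"), SnifferAgent("B"), SnifferAgent("C")
    ctx.admit(a, "B-1001")      # arrived with the wire from A-17
    ctx.admit(b, "B-1001")      # arrived with the wire from A-22
    for _ in range(MAX_HOPS):   # C keeps finding a lone, unremarkable transfer
        ctx.admit(c, "B-2002")
    return ctx, a, b, c
```

Agents A and B end up holding the same token and so recognise a shared aggregation node without either learning an account number, while agent C clears itself after `MAX_HOPS` arrivals that show no aggregation.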
It will be appreciated that the method described above will typically be carried out in software running on one or more processors (not shown), and that the software may be provided as a computer program element carried on any suitable data carrier (also not shown) such as a magnetic or optical computer disc. The channels for the transmission of data likewise may include storage media of all descriptions as well as signal carrying media, such as wired or wireless signal media.
The present invention may suitably be embodied as a computer program product for use with a computer system. Such an implementation may comprise a series of computer readable instructions either fixed on a tangible medium, such as a computer readable medium, for example, diskette, CD-ROM, ROM, or hard disk, or transmittable to a computer system, via a modem or other interface device, over either a tangible medium, including but not limited to optical or analogue communications lines, or intangibly using wireless techniques, including but not limited to microwave, infrared or other transmission techniques. The series of computer readable instructions embodies all or part of the functionality previously described herein.
Those skilled in the art will appreciate that such computer readable instructions can be written in a number of programming languages for use with many computer architectures or operating systems. Further, such instructions may be stored using any memory technology, present or future, including but not limited to, semiconductor, magnetic, or optical, or transmitted using any communications technology, present or future, including but not limited to optical, infrared, or microwave. It is contemplated that such a computer program product may be distributed as a removable medium with accompanying printed or electronic documentation, for example, shrink-wrapped software, pre-loaded with a computer system, for example, on a system ROM or fixed disk, or distributed from a server or electronic bulletin board over a network, for example, the Internet or World Wide Web.
It will be appreciated that various modifications to the embodiment described above will be apparent to a person of ordinary skill in the art.
Number | Date | Country | Kind |
---|---|---|---|
0314899.6 | Jun 2003 | GB | national |
PCT/GB03/05567 | Dec 2003 | WO | international |