Including Social Network Analysis
John C. Brocklebank, Ph.D.
Vice President, SAS Solutions OnDemand Advanced Analytics Lab
SAS Fraud Framework for
Banking
2
SAS Fraud Framework for Banking
Introduction to SAS Fraud Framework
SAS Fraud Framework Demo
Preliminary Results
Starting with the SAS Fraud Framework
Fraudsters
• Far more sophisticated – organized crime, patient, sharing of rules
• Engaging insiders to understand detection environment
• High velocity of attacks – disappear after 2-3 transactions
• Hitting multiple channels and industries at the same time
• Continuously evolving fraud strategies
Current Fraud Systems
• Systems are silo’d by line of business
• Current systems act on transaction or customer
• Rules and predictive models have limitations
• No sharing of data
• Rely on 3rd party systems
• No real proactive steps taken to combat 1st Party Fraud
• Evidence insufficient to act upon
4
Robust and Flexible Framework Capabilities
• Support for real-time, intra-day, batch execution
• Ability to use existing data infrastructure
• Ability to use existing fraud alert output from any LOB / 3rd party
• Business intelligence for all levels of users
Support for Business Functions
• Provide strategic insight into threats, trends, risks
• Enterprise view of fraudulent behavior
• Rapidly test , simulate, and deploy models/rules without
dependence on IT
• Ability to provide single view for investigators
Phased Approach to Support Tactical and Strategic
Initiatives
Innovation in Detection Driven by Industry
AML
Banking Insurance Health Care Government
Internal Fraud Card (Credit & Debit)
Credit Risk
Warranty Auto
Worker’s Comp Fraud Life Insurance Fraud
Policy Pricing / Premium Evasion
Medical Fraud Dental / Vision Fraud
Prescription Drug Fraud Medicare / Medicaid (DME) Fraud Social Services Tax Evasion Program Evasion Law Enforcement
Detection and Alert
Generation Alert Management Social Network Analysis Case Management
Business Intelligence Data Integration Analytics Storage
Fraud Framework
Business Analytics Framework
SAS Fraud / Social Network Analysis Vision
1st/ 3rdParty Fraud
Auto and P&C Fraud Social Services Fraud
Account Fraud Social Services Householding/ Campaign Marketing Contagious Churn Telco
6
Proactively applies combination of all 4 approaches at account, customer, and network levels
Hybrid Approach
SAS Fraud Framework
Using a Hybrid Approach for Fraud Detection
Suitable for known patterns
Suitable for unknown patterns
Suitable for complex patterns
Suitable for associative link patterns Customer Account Trans-action Appli-cations Internal Bad Lists Employee Operational Data Sources 3rdParty Flags Call Center Logs Rules Rules to filter fraudulent transactions and behaviors Examples: • Txns in different time zones within short period of time • 1st Txn outside US
• Cash cycling event
Anomaly Detection
Detect individual and aggregated abnormal patterns
Example:
• Wire transactions on account exceed norm • # unsecured loans on
network exceed norm • Accounts per address
exceed norm
Predictive Models
Predictive assessment against known fraud cases
Example:
• Like wire transaction patterns
• Like account opening & closure patterns • Like network growth
rate (velocity) Social Network Analysis Knowledge discovery through associative link analysis Example: • Association to known fraud • Identity manipulation • Transactions to suspicious counterparties
Analytic Engine
Use when no target exists
Examine current behavior
to identify outliers and
abnormal transactions that
are somewhat different
from ordinary transactions
Include univariate and
multivariate outlier
detection techniques, such
as peer group comparison,
clustering, trend analysis,
and so on
8
Analytic Engine
Use when a known target
(fraud) is available
Use historical behavioral
information of known fraud
to identify suspicious
behaviors similar to
previous fraud patterns
Include parametric and
nonparametric predictive
models, such as
generalized linear model,
tree, neural networks, and
so on
Analytic Approach: Supervised Methods
Fraud Scores
Predicted Fraud Scores Incomes # of previous
Analytic Engine
10
Analytic Engine
Analytic Approach: Text Mining
Why Social Network Analysis?
More fraud / actionable cases identified
• Including both previously undetected networks and extensions to
already identified cases
Reduction in false positive rates
• SNA reduces false positives by up to 10+ times over traditional
rules-based approaches
Improved analyst / investigation efficiency
• Each referral takes 1/2 – 1/3 the time to investigate using SAS’ fraud
network visualization on aggregated data
Significant increase in ROI per analyst / investigator
Can be leveraged for credit risk, marketing, householding,
AML
12
Network scoring
• Rule and analytic-based
Analytic measures of
association help users know
where to look in network
• Net-CHAID for local area of
interest (node) in the network
• Density, Beta-Index (network)
• Risk ranking with
hypergeometric distribution, degree, closeness,
betweenness, eigenvector, clustering coefficients (node)
SAS Social Network Analysis
SAS Fraud Framework
Process Flow
Alert Generation Process
Social Network Analysis Network Rules Network Analytics SNA Server Administration Business Rules Analytics Anomaly Detection Predictive Modeling Fraud Data Staging Intelligent Fraud Repository Exploratory Data Analysis & Transformation Operational
Data Sources
Case Management Alert Management & BI / Reporting Learn and Improve Cycle ARC RTS IRIS WC Claims
14
16
SAS Fraud Framework
History
Built on SAS Foundational Components
• SAS Business Analytics Framework in production since October 2002
• Alert Generation Process in production since 2003
• Social Network Analysis using OR macros, NVW since1999
SAS Fraud Framework / Alert Management UI
• First production release in January 2008 (thick NVW client)
• Release 1.0 with thin Flex client September 2008
• Installed v2.0 (field release of thin client used for pilots across industries)
SAS Fraud Framework V2.1
• First production release with thin client interface
• Available now for implementation (in use by current customers)
