1. Lars Erik Bolstad
Data Scientist, DNB Group AML
Detecting suspicious activity using
graph data

2. Money laundering: Disguising financial assets so they can be used without
detection of the illegal activity that produced them
Anti Money Laundering:
 Customer risk classification
 Transaction monitoring*
 Sanctions screening (countries, individuals, legal entities)
 Terrorist financing*
 Compliance: «Hvitvaskingsloven», EU, USA
 Risk: Fines, Lawsuits, Reputation, Trust, Social responsibility
 Duty: Report suspicious activities to FIU (Økokrim)
AML: What and why

3. AML in DNB
Risk typologies,
Red flags
«Scenarios»:
Rules that match
risk indicators,
Models that detect
suspicious
behaviour
Transaction
monitoring =>
Alerts
Investigation,
report to EFE
(Økokrim)

4. Challenges with the rules-based approach
• Rules match individual customers
• Less suitable for detecting more complex activity patterns

5.  All DNB’s customers (4.7M)
 All external transaction counter parties (32M)
 Aggregated transactions (12 months) (100M)
 Company roles (CEO, shareholder, board member, beneficial owner etc)
 Addresses, Email addresses, Phone numbers, Device IDs
 AML and Fraud cases
 ++
 48 million nodes
 154 million edges
DNB’s AML Graph model

6.  Visualisation
 Detection
 More advanced use
 Graph algorithms and properties
 Machine learning and statistical models
Use cases

7. Graph visualisation
• Neo4j Bloom
• AML/Fraud Case investigation, KYC

8. Detection («Network scenarios»)
AWS Pipeline (Python)
 Cypher query  Query results
 Alerts
P2
HI
RISK
CRYPTO
foo
TRANS
P1
bar
C A
B
Y
X

9. Community extraction
Graph algorithms and properties
Features for machine learning models
 Shortest path (to AML Case)
 Centrality properties 1
2
2
4

10.  Graph Neural Network
 Supervised model trained on and run directly on graph
 Predicts likelihood that a customer is reported to EFE
 Mixed Effects Model
 Based on «connectedness» between individuals or companies via different relationship types
 Usage: Customer Risk Rating or Alert generation
«Advanced models»

11.  Aggregated transactions
 => Individual transaction
 5-7 million new transactions/day => ~2 Billion/year
 Entity resolution
 External counter parties
 Addresses
 Insight vs Privacy
 Finanstilsynet vs Datatilsynet
Some challenges
N N N N

12. 12