The plots and schemes of criminals are forever evolving as they scramble to stay one step ahead of civil society, but the best efforts of the law-abiding populace make this increasingly difficult. The unscrupulous have been forced to broaden their efforts to evade capture, putting more time and energy into keeping their newly acquired wealth beyond just stealing it in the first place. Faced with this predicament, they often turn to money laundering — the process by which illegal ‘dirty’ money is ‘cleaned’, allowing the holder to spend it freely.
Generally speaking, there are three stages to money laundering:
The first, placement, is the act of inserting ill-gotten money into the financial system, whether through a bank, shop, or any other legitimate business. The last, integration, is the final act where the newly cleaned money is involved in a legitimate transaction — putting the process to the test. While both are interesting subjects in their own right, it’s the filling of this fraudulent sandwich where our interests lie, and we can offer some relief.
Layering is the actual ‘cleaning’ process, the practice by which money is removed further and further from the crime one step at a time. There are countless ways in which this can be achieved, from buying physical commodities like gold, gems, or artwork, to fabricating services for businesses with minimal paperwork, such as a car wash. One of the simplest and most effective is money muling.
Through this method, dirty money is transferred from one crook to another and another and so on, until eventually its history is muddled, and it appears to be clean, legal tender. At first glance, this pattern might seem relatively easy to identify, but there’s a good reason it still plagues the financial sector — the immense scale and computational complexity of identifying the few suspicious transactions amongst the hundreds and thousands of legitimate transactions that occur.
Large scale machine learning solutions are often thrown at the problem and do provide good results when confronted with elaborate schemes. However, for simple cases such as money muling, this is excessive and provides no guaranty of detecting known patterns — potentially missing what is obvious to a systematic approach. Knowledge graphs and reasoning present an attractive alternative, and the best in class is RDFox with its high-performance capabilities.
Say, for example, a criminal ring using mules exists in which some members are known by institutions to be less than moral, but the rest are unsuspected. The challenge lies in identifying the whole group without dragging innocent people into the mix. To achieve this, we can look at their bank transfers — uncovering money flows that connect offending parties.
Regardless of the method we choose to tackle this problem, the first step is to gather the core components of the transactions, namely the date, value, originator, and beneficiary — information that an institution would have readily available.
Ultimately, we seek to identify cash flows that transfer wealth from one wrongdoer to another — known or otherwise. In reality it’s rare to see the entire amount passed along in a single transaction but as this changes little in our methodology, and for the sake of a clear explanation, we will act as though it’s commonplace. Having said that, it is an important element of real fraud so it would be negligent to gloss over it entirely. The practice of splitting the total sum is known as ‘structuring’ or ‘smurfing’ and is frequently used in parallel with mules. Small transactions are vastly more common than larger ones, so it's impossible for institutions to dedicate the same resources to tracking them. As a result, it’s much easier for criminals to hide several small transactions than a single large one.
With our objective in mind, we must define what connects adjoining transactions in such a way that they are similarly malicious. The foremost property is of course a shared associate, being the beneficiary of one and the originator of the other. From here we will select other features with some allowed tolerance, and begin to form chains of these troublesome transactions. It’s in these remaining details and their tolerance where issues arise, and reasoning prevails.
It doesn’t take a criminal mastermind to make joining the dots more difficult, so gangs often employ different strategies to disguise the chains or distort them enough as to slip through undetected. There are a couple of common traps regarding the aforementioned transaction details that we’d like to draw attention to. They highlight the fact that a system with reasoning is a perfect match for a problem such as this, and why solutions without are so cumbersome and slow. One is that the amount transferred usually differs from link to link, and another is that the order in which transactions occur does not have to follow the order of the chain itself. For example, an individual may pay forwards in advance of receiving their own deposit.
It might seem at first glance that SPARQL property paths present a perfectly adequate solution. However, there is a crucial failing: we can’t impose conditions on the transaction amount and have no way of following the flow of funds as an aggregate sum. We would end up creating an endless number of chains, the vast majority of which would contain innocent bystanders who happened to exchange money with our known criminal. Due to the fact that we can’t include additional variables within property paths, there is no way to distinguish between a malicious $10,000 provision and a $10 gift for a niece’s birthday. Despite the disparity, this would be added to the chain due to the role of the shady individual. This is only amplified as the chain proceeds, beginning to link innocents to innocents, marking them both as suspicious. Clearly there is a problem here.
Alternatively, we could use a series of INSERT queries that mimic the process of reasoning, each one adding in additional connections or details. The issue here however, is that of scale. Even if we constrain the maximum length of a chain (which we will do), the performance would take such a hit from the repeated processing that achieving results in any reasonable length of time would be impossible. To top it all off, the queries would have to be executed in the right order for the chain to be derived properly as a loss in methodical listing here would result in the chain fragmenting with no way to assemble it fully.
As you can see, detecting these patterns simply and without reasoning is an unreasonably tall order that crosses into the realm of unrealistic. With reasoning however, it becomes a lot simpler.
First of all, we can tag a transaction that involves a suspicious party as suspicious itself. This single transactional node can be thought of as a chain of length 1 that then becomes an anchor from which we construct the rest of the chain, adding subsequent transaction nodes that fit the criteria. Assuming our anchor is not always at the beginning or end of a chain, we must look both forwards (to the beneficiary) and backwards (to the originators) to see the whole picture. In doing so we create two sub-chains, each emanating from the suspicious transaction in opposite directions along the full chain.
As described before, we need to define what links two transactions, and again the most obvious property is that the beneficiary of one is the originator of the other. The next is ensuring the value at each node is similar — now a very simple task. By specifying a tolerance, all qualifying transaction pairs will be found incrementally. The sub-chains then start to take shape as we add in another constraint, now upon the time frame in which they occurred. We don’t need to specify any details about the order, just that they took place in a certain period — discounting exchanges that are years apart but happen to comply with the other restrictions. This process continues until there are no more eligible transactions or we reach a self-imposed limit on the length of the chains.
Finally, with the two chains now complete — one beginning with the suspicious transaction and the other ending with it — we combine them, creating a whole chain that covers the entire criminal ring.
With the reasoning capabilities of RDFox this whole process is done seamlessly and scales with large volumes of data as would be expected in a real scenario. Ever important, speed is maintained, and the rules mean the system is effortlessly malleable, able to be customised to deliver the best results.
As we noted earlier, solutions often suffer as a result of the colossal scale of operations, but this isn’t so with RDFox. Having applied our approach to a small dataset we wanted to push the limits further, expanding our four-core system to one hundred-core, able to handle hundreds of millions of transactions. What we observed was near-linear scaling — an excellent demonstration of why RDFox presents a formidable response to the call for fraud prevention.
For more on RDFox's scalable performance, check our enhancements to Wikidata querying.
The other big name in fraud detection is machine learning, an approach that offers a number of benefits that a knowledge graph, even with reasoning, cannot. However, we’re not here today telling you about our machine learning solution because the same goes both ways.
Machine learning algorithms examine the behaviour of a population, allowing for nuanced pattern recognition that can distinguish unknown elaborate schemes from the activity of everyday people — which can itself be perplexing. Although, due to their nature, these models lack the ability to consistently find all cases of a structured pattern and instead provide results with a level of confidence. This can be entirely avoided through the use of reasoning. The logic built-in to RDFox can and will identify every instance of a pattern without fail, combing through the fine details. It cannot be overstated how important this is in the pursuit of prevalent fraud, ensuring nothing is missed.
There are irrefutable advantages that come with the intricacies of machine learning, but in them also lies a pitfall. The algorithms are, more often than not, seen as black boxes to those who use them but didn’t design them, as the barrier for entry is incredibly high. This is a real problem when we consider the stakes. A wrong decision will mean an innocent person is accused of fraud and may undeservingly see financial, if not criminal, consequences. It becomes difficult to stand by a decision without knowing how it was reached. This problem dissipates with the use of rules as they very simply make a series of logical statements and inferences that can be easily understood with no room for error.
Now of course, we never claimed that reasoning was the sole solution; it is however, simple. It won’t replace the machine learning — able to detect elaborate as yet unknown fraud patterns — but it does cover the basics of what banks should be doing. The patterns learnt with machine learning can later be turned into executable rule based searches. Many see this as a minimal requirement, but it frequently goes unchecked — something we regard as inexcusable in light of the resources available.
The next step would be to combine both machine learning and reasoning over a knowledge graph — two approaches from opposite ends of the spectrum. This would create an all-encompassing system, capable of so much more than either method alone. RDFox is a prime candidate to fill the role of the underlying database. Its unmatched speed and performance make it the perfect companion for intensive machine learning algorithms, particularly when handling vast volumes of data, acting in support while adding value independently.
Society’s underbelly will always try to deceive and defraud the public, so we must strive to make it as difficult as possible, catching those we can in the process. Ever a rat race, there is no winning, but the purpose of this article is to show that it’s a race we can not just lead, but lead convincingly. Reasoning can be used to fill the last gaps left in our defences, identifying patterns such as those seen among money muling networks; and with that, our advantage is sealed.
Patterns, both simple and complex, are effortlessly detected with RDFox due to its rules, comprising exclusively of logical statements. Such a system ensures that each and every instance of a specified pattern is traced — the only requirement is to state the pattern beforehand. With that information, there’s no limit to what we can home in on and we certainly don’t intend to stop here.
If you know of a similar problem, or would just like to see what RDFox can do, you can try it for free here! We’re always open to new ideas so don’t hesitate to reach out if you’d like to discuss anything further.