Blogging live again from EBRC - this session is on AML Business Rules at PostFinance (part of Swiss Post) by Oliver K. Burnand, who heads up compliance for PostFinance, the FSI within Swiss Post. PostFinance provides transaction processing as a public service, now almost all electronic with ATMs and debit. It is now a full retail bank including investments, payments, savings, retirement planning and so on. Customers are mostly private customers with low to medium assets and a small number of large companies/institutions. 3.2m accounts, so not very large. 800m transactions a year (2m/day with peaks up to 12m). Anti-Money Laundering (AML) is handled differently for PostFinance, but many of the same rules apply.
AML has two particular areas - Know your Customers, Know your Transactions. PostFinance posts 80% by volume of transactions but has very low assets per customer, and manual supervision of transactions is therefore not practical. PostFinance customers often pay into someone else's account in cash, and this is unique to PostFinance. Indeed, people can transfer cash to each other without either party having an account, making "smurfing" particularly hard to detect.
For AML, had hoped to buy a package but ended up using a rules management system. Analytics are unusual in AML, unlike other kinds of fraud, as the number of money-laundering transactions is often too small for training. Rules are then critical and agility, being able to change those rules quickly, is also important. The rules are run in batch, for customer monitoring, transaction monitoring and occasional customer monitoring. Each kind of monitoring is designed to generate cases for subsequent follow-up. Identifying the cases is the job of rules:
- Transaction monitoring works one transaction at a time; rules target specific thresholds and risky countries.
- Client monitoring assembles a profile from all the transactions related to a client in a period, and rules look for patterns in those transactions. Rules ensure that only one case can be generated per client.
- Cluster monitoring handles customers without accounts and uses rules and name matching algorithms (from digitized forms) to find clusters that look suspicious.
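A sketch of the three kinds of batch monitoring listed above, as an added example that is not PostFinance's rule set or code from the talk. Every threshold, country code, record and function name is constructed, and `difflib` stands in for the unspecified name matching algorithms. Note that none of the deposits t3 to t8 trips the per-transaction rule; only the profile and cluster passes surface them.

```python
from collections import defaultdict
from difflib import SequenceMatcher
# Every threshold, country code and record here is constructed for illustration.
TXN_THRESHOLD = 10_000      # single amount that opens a case on its own
PROFILE_THRESHOLD = 15_000  # total of sub-threshold amounts within the period
MIN_DEPOSITS = 3            # how many sub-threshold amounts form a pattern
RISKY_COUNTRIES = {"XX"}    # placeholder code, not a real country
NAME_SIMILARITY = 0.85      # difflib ratio treated as "same payer"

# (txn_id, client_id or None for a payer without an account, name, amount, country)
BATCH = [
    ("t1", "c1", "Anna Meier", 12_000, "CH"),
    ("t2", "c2", "Beat Keller", 400, "XX"),
    ("t3", "c3", "Carla Rossi", 6_000, "CH"),
    ("t4", "c3", "Carla Rossi", 5_500, "CH"),
    ("t5", "c3", "Carla Rossi", 5_800, "CH"),
    ("t6", None, "Jon Muster", 5_000, "CH"),
    ("t7", None, "John Muster", 5_500, "CH"),
    ("t8", None, "Jon Mustre", 4_900, "CH"),
    ("t9", None, "Eva Frei", 200, "CH"),
]

def transaction_cases(batch):
    """One transaction at a time: amount threshold or risky country."""
    return [t[0] for t in batch if t[3] >= TXN_THRESHOLD or t[4] in RISKY_COUNTRIES]

def is_structured(amounts):
    """Several amounts, each under the single-transaction threshold, that add up."""
    small = [a for a in amounts if a < TXN_THRESHOLD]
    return len(small) >= MIN_DEPOSITS and sum(small) >= PROFILE_THRESHOLD

def client_cases(batch):
    """Profile per client for the period; keying by client yields one case each."""
    profile = defaultdict(list)
    for _, client, _, amount, _ in batch:
        if client is not None:
            profile[client].append(amount)
    return sorted(c for c, amounts in profile.items() if is_structured(amounts))

def cluster_cases(batch):
    """Group account-less payers by fuzzy name match, then apply the same pattern."""
    clusters = {}  # first-seen spelling -> [(name, amount), ...]
    for _, client, name, amount, _ in batch:
        if client is None:
            key = next((k for k in clusters if SequenceMatcher(
                None, name.lower(), k.lower()).ratio() >= NAME_SIMILARITY), name)
            clusters.setdefault(key, []).append((name, amount))
    return [sorted({n for n, _ in members}) for members in clusters.values()
            if is_structured([a for _, a in members])]
```
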
The system also applies rules to do customer risk analysis so as to categorize the customers. All the business rules are managed by business users and can be hot-deployed to the system. Business users can run simulations to see what happens when rules are changed. The rules, shown in decision trees with audit trails, are very compliance friendly. The system they use allows decision trees only, and these can call other decision trees to keep rules manageable. Although AML is very rule-centric, there is a need for peer groups to do the assessment. Data mining is then used to create more statistically significant groupings (something I talked about in the context of improving profits here). This moves the solution from just rules to a rules+analytics model and closer, therefore, to what I would call enterprise decision management or EDM. This helped simplify the development of rules by replacing them with statistical models and provided a certain element of a self-adjusting system as the peer groups change over time.
I have blogged about rules and Anti-Money Laundering systems before and commented on the performance needs of this particular system, and the fact that mainstream business rules products like Blaze Advisor support the kind of sequential, high-performance execution this system required, here when they were written up by Forrester. His slides are here.