SYSTEM AND METHOD FOR EVALUATION OF MONEY TRANSFER PATTERNS
A system and method for evaluating records of money transfers for suspicious or irregular transaction patterns. A fraud processing server evaluates money transfer records by blocks, each block consisting of records having the same characteristic relating to location, such as the country where the transfer originates. A second characteristic of the records, such as value, sending agent, or time-of-day, is aggregated and compared to a threshold value. If the threshold value is met, the block of records is analyzed to identify individual records that are suspicious or irregular.
This application is a continuation-in-part of U.S. patent application Ser. No. 10/091,000, filed Mar. 4, 2002, entitled “Money Transfer Evaluation Systems And Methods,” the entire disclosure of which is hereby incorporated by reference.
BACKGROUND OF THE INVENTION
Electronic transactions, such as electronic money transfers, play an important role in today's economy. Money transfers may be performed in a variety of ways, including, for example, by using the Internet, by using a phone to contact a service representative or an IVR system, by an in-person visit to a financial institution or money transfer location, and the like. For example, to perform a money transfer transaction a sender may visit a money transfer location and fill out a money transfer application. This application may request, among other things, the name of the sender, the name of the recipient, a pick-up location, the amount of money to be transferred, and depending on the amount, certain kinds of identifying data (such as sender's driver license number, social security number, and so forth). This information is transmitted to a central database, and the money to be transferred is collected from the sender. When ready to receive the money, the recipient may proceed to the pick-up location and provide the proper identification. The database is accessed to confirm the recipient and to determine the amount of money to be paid to the recipient. After payment, the date and time of payment may also be transmitted to the database.
It has been reported that some have attempted to abuse money transfer systems, such as persons associated with organized crime, drug dealers, terrorist organizations and the like. Various procedures exist to curb such abuses. For example, the United States government has implemented laws and regulations with reporting and other requirements that aim to reduce the improper use of monetary transfer transactions. For example, in the United States current money transfer regulations require a sender provide a photo ID if a transaction is $1000 or more, and two IDs and a social security number if a transfer is $3000 or above. However, reporting requirements are well known to criminal elements, and are thus easily avoided by manipulating money transfer activities to avoid detection. In addition, regulatory reporting requirements may be useful in detecting suspicious individual transactions after they have been conducted, but are not useful to detect groups of transactions that individually are not suspicious, but taken as a whole may indicate patterns of transactions or activity that are suspicious or irregular.
BRIEF SUMMARY OF THE INVENTION
There is provided, in accordance with embodiments of the present invention, a network/system and method for detecting and evaluating suspicious or irregular patterns of money transfer transactions.
In one embodiment, a method for evaluating electronic money transfers includes electronically storing records of money transfer requests, each record having a first data field representing a first characteristic of the money transfer request and a second data field representing a second characteristic of the money transfer request, sorting the money transfer records to create at least one data block where the records all have the same first characteristic (such as location), calculating a collective value for the second characteristic, comparing the collective value against a predetermined threshold value, indicating a potentially suspicious/irregular money transfer pattern if the collective value meets the threshold value, and analyzing individual records within the block for irregular money transfers if an irregular money transfer pattern has been indicated.
A more complete understanding of the present invention may be derived by referring to the detailed description of the invention and to the claims, when considered in connection with the Figures.
BRIEF DESCRIPTION OF THE DRAWINGS
In the Figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.
There are various embodiments and configurations for implementing the present invention. Generally, the embodiments provide systems and methods for using blocks of money transfer records in order to identify or indicate potentially suspicious or irregular money transfer patterns. If a block of money transfer records has a potentially irregular pattern, that block is then subjected to a more detailed analysis to determine if specific transfers within the block are likely to be criminal, fraudulent or otherwise improper.
The evaluation of money transfer patterns provides many useful features and advantages. For example, suspicious money transfer patterns not only alert a system operator of the need to investigate further for fraudulent or criminal activity, but also provide a basis for monitoring money transfer agents and their compliance with standards and policies for accepting money transfer requests.
The evaluation of money transfers may include several major sub processes. In some embodiments, the evaluation involves three sub processes: sorting the money records into predefined blocks of data, evaluating the blocks for suspicious patterns, and then analyzing any block having a suspicious pattern.
In the first sub process (sorting all money transfer records into one or more blocks), the blocks are sorted according to a first characteristic, which in disclosed embodiments relates to location. In specific examples, the location may be associated with the country where the money transfer request was made, or the agent network that processed the money transfer request.
In the second sub process, the blocks are then evaluated for patterns that indicate suspicious activity. For example, a money transfer system operator may periodically evaluate all money transfers being requested within a specific country, and those transfers have been sorted into a block of records in the first sub process (the sort may be done in a batch form, say at the end of each business day). Then, in the second sub process that block of records is evaluated for indicators of suspicious activities by collectively looking at one or more second characteristics of the records (different than the first characteristic). As examples, the second characteristic may relate to something other than location, such as the volume of activity, the average transferred amount, the number of transfers that fall within a monetary range or band that might be suspicious (e.g., very large amounts, or very large numbers of smaller amounts), or the time of day that money transfers are made.
In one specific example to be described below, the number of transactions falling within certain ranges is counted. The ranges may be selected to reflect regulatory requirements. For example, money transfers involving large amounts are required by authorities in some jurisdictions to be accompanied by additional sender identification (e.g., in the United States, two IDs plus a social security number or tax ID are required for transfers of $3000 or more, as opposed to only a single photo ID if the money transfer is below $3000). A large count for transactions in a selected range, e.g., just below $3000 (i.e., $2800-2999), may indicate attempts by senders to avoid compliance with such regulatory requirements. There are, of course, many possible characteristics/patterns that may be evaluated in each block (as will be described below).
Finally, a third sub process is used to analyze any block that has been indicated as having suspicious patterns. This analysis could be manual (especially if the block is not large), but more likely would be computerized. In one embodiment, the analysis is done using the process described in the aforementioned application Ser. No. 10/091,000, by taking the block of records (having the suspicious pattern) and assigning reference designators for records that share certain similar or identical data fields. This analysis is particularly useful in the present invention, since the records are available electronically and have already been sorted into a block of interest (i.e., country, agent network, or other location).
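The three sub processes described above, sketched in Python as an added example (not code from the application). The records, field names, the red-flag count of 3, and the use of exact matches on sender name or phone as the linking rule for reference designators are all assumptions made for illustration; the $2800-2999 band is the one the text names.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    record_id: int
    country: str       # first characteristic: where the request was made
    agent: str
    sender: str
    sender_phone: str
    amount: int        # second characteristic: transferred value, whole USD


# Constructed sample records (not real data).
RECORDS = [
    Transfer(1, "US", "agentA", "J Smith", "555-0101", 2950),
    Transfer(2, "US", "agentA", "John Smith", "555-0101", 2900),
    Transfer(3, "US", "agentB", "John Smith", "555-0199", 2850),
    Transfer(4, "US", "agentB", "Ann Lee", "555-0142", 120),
    Transfer(5, "US", "agentC", "M Cruz", "555-0177", 2999),
    Transfer(6, "MX", "agentD", "P Diaz", "555-0133", 2900),
    Transfer(7, "MX", "agentD", "L Ortiz", "555-0155", 400),
]

BAND_LOW, BAND_HIGH = 2800, 3000   # band just below the $3000 ID requirement
RED_FLAG_COUNT = 3                 # assumed threshold; the text gives no number
LINK_FIELDS = ("sender", "sender_phone")   # assumed linking fields


def sort_into_blocks(records):
    """Sub process 1: one block per value of the first characteristic."""
    blocks = defaultdict(list)
    for rec in records:
        blocks[rec.country].append(rec)
    return dict(blocks)


def band_count(block):
    """Sub process 2: collective value = number of transfers inside the band."""
    return sum(1 for rec in block if BAND_LOW <= rec.amount < BAND_HIGH)


def reference_designators(block, fields=LINK_FIELDS):
    """Sub process 3: cluster records that share a value in any linking field.

    Union-find is used so that links chain: 1 and 2 share a phone, 2 and 3
    share a name, so all three land under one designator.
    """
    parent = {rec.record_id: rec.record_id for rec in block}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}
    for rec in block:
        for name in fields:
            key = (name, getattr(rec, name).strip().lower())
            if key in first_seen:
                parent[find(rec.record_id)] = find(first_seen[key])
            else:
                first_seen[key] = rec.record_id

    clusters = defaultdict(list)
    for rec in block:
        clusters[find(rec.record_id)].append(rec.record_id)
    # Singletons carry no linkage information, so only groups are reported.
    return sorted(sorted(ids) for ids in clusters.values() if len(ids) > 1)


def evaluate(records):
    """Run all three sub processes; only flagged blocks are analyzed further."""
    report = {}
    for country, block in sort_into_blocks(records).items():
        count = band_count(block)
        if count >= RED_FLAG_COUNT:      # "meets the threshold"
            report[country] = {
                "band_count": count,
                "designators": reference_designators(block),
            }
    return report


if __name__ == "__main__":
    print(evaluate(RECORDS))
```

The expensive record-level clustering runs only on blocks whose aggregate already met the threshold, which is the cost-saving point of evaluating by block first.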
Turning now to the drawings,
Interface system 125 comprises a transaction center 130 and one or more terminals 110 in communication via a terminal network 120. Terminal network 120 can be any communication network capable of transmitting and receiving information in relation to a transfer of value from one entity to another. For example, terminal network 120 can comprise a TCP/IP compliant virtual private network (VPN), the Internet, a local area network (LAN), a wide area network (WAN), a telephone network, a cellular telephone network, an optical network, a wireless network, or any other similar communication network. In particular embodiments, terminal network 120 provides message based communications between terminals 110 and transaction center 130.
Terminals 110 can be any terminal or location where value is accepted and/or provided in relation to money transfers across money transfer system 100. Thus, in some instances, terminal 110 is at a money transfer agent location, such as a convenience store where a clerk can receive value from a sender and initiate transfer of the value to a receiver via money transfer system 100. In such cases, the clerk can typically also provide transferred value to a receiver.
In other instances, terminal 110 is an automated system for receiving value from a sender for transfer via money transfer system 100 and/or for providing value to a receiver that was transferred via money transfer system 100. To accommodate various different payment instruments and types, terminal 110 can include a variety of interfaces. For example, terminal 110 can include a mechanism for receiving cash, credit cards, checks, debit cards, stored value cards and smart cards. Such terminals may also be used at the payout end to print a check or money order, or to credit a cash card or stored value card. Examples of such terminals are described in U.S. Pat. No. 6,547,132 (U.S. application Ser. No. 09/634,901, entitled “POINT OF SALE PAYMENT SYSTEM,” filed Aug. 9, 2000 by Randy J. Templeton et al.), which is hereby incorporated by reference.
In yet other instances, terminal 110 is a personal computer operated by a sender of value. Such a terminal can be communicably coupled to transaction center 130 via the Internet. The terminal can further include a web browser capable of receiving commands for effectuating transfer of value via money transfer system 100.
Terminal identification information can be associated with each terminal 110. Such identification information includes, but is not limited to, a physical location, a telephone number, an agent identification number, a terminal identification number, a security alert status, an indication of the type of terminal, a serial number of a CPU, an IP address, the name of a clerk, and the like.
Terminals 110 may also be operated in agent networks, i.e. a plurality of terminals at different locations may be operated by the same agent entity. There could be many such agent networks within system 100 at locations around the world.
Using money transfer system 100, value can be transferred from any of a number of points. For example, value can be transferred from terminal 110 to itself or any other terminal 110, from any terminal 110 to a deposit account via deposit maintenance network 150 or credit maintenance network 160, from any terminal 110 to any ATM 114 via ATM network 140. Many other transfers to/from ATMs 114, deposit accounts, terminals, and/or credit accounts can be accomplished using money transfer system 100. The ATM system 145 is only illustrative, it being understood that such a system is merely one of many possible optional means for money to be conveniently transferred/received without the use of conventional, agent-operated money transfer terminals, and the transfer of money within system 100 may or may not involve the use of ATMs 114.
Referring to
Settlement engine 137 may be used to facilitate the crediting and debiting of various accounts during a transfer. For example, if a sender requests that funds from a credit card account be used in the transfer, settlement engine 137 is used to contact credit maintenance network 160 to charge the card and to manage the fees involved in the transaction. Such fees may be those charged by the credit organization as well as internal fees that are a part of the money transfer transaction. Settlement engine 137 may be used in a similar manner when crediting or debiting checking accounts, stored value accounts, customer loyalty (e.g., frequent flyer) accounts and the like.
In some cases, the sender may also wish to send a message with the value. Such a message may be a simple greeting, business or legal terms, and the like. Messaging engine 138 is employed to convert the message to the proper format depending on the type of output device that is to be used with receiving the money. For example, the output device may be a printer that physically prints the message onto some type of media. Alternatively, the message may be temporarily displayed on a display screen, such as on a kiosk, ATM machine, point of sale device, an e-mail, a web page or the like. The sender or recipient may also indicate that the message needs to be translated to a different language. In such cases, message translator 139 may be used to translate the message into the other language. This may be accomplished by simply doing a word look up for each corresponding word in the other language. More complex language translation capabilities may also be used.
Once a value transfer is properly processed, data indicating the transfer is sent by a switch 134 to the appropriate network as shown. This may be to ATM network 140, deposit maintenance network 150 and/or credit maintenance network 160 to complete the transaction.
A monitoring or fraud watch system 210 includes a fraud processing server 220 and a watch database 230. Fraud watch system 210 is associated with transaction center 130 in a manner that allows for access to transaction database 136. Such association can be provided by direct wired communication between transaction database 136 and fraud processing server 220, by direct or network communication between transaction center 130 and fraud processing server 220, or by any other mechanism that provides fraud watch system 210 with access to transaction database 136. In one particular embodiment, fraud processing server 220 is communicably coupled to terminal network 120 and accesses transaction database 136 via network processor 132 and host 133. In another embodiment, fraud processing server 220 is directly coupled to host 133 and accesses transaction database 136 via host 133. It will be recognized by one of ordinary skill in the art that a number of other mechanisms exist within the scope of the present invention for providing access by fraud processing server 220 to transaction database 136.
Fraud processing server 220 can be a microprocessor based device capable of retrieving data from transaction database 136, searching and manipulating the data, maintaining a form of the data on watch database 230, and providing access to data at database 230. Such access to the data can include formatting the data and providing the data in an easily accessible form. In some embodiments, fraud processing computer is a single computer, such as a personal computer or a database server. In other embodiments, fraud processing server is a group of two or more computers. In such embodiments, fraud processing computer can include a central computer associated with one or more peripheral computers. Such peripheral computers can be personal computers or portable devices, such as laptop computers and/or personal digital assistants. In a particular embodiment, fraud processing server 220 includes a SQL server, while in other embodiments, it includes an ORACLE server.
Fraud processing server 220 includes a computer readable medium capable of maintaining instructions executable to perform the functions associated with fraud processing server 220. The computer readable medium can be any device or system capable of maintaining data in a form accessible to fraud processing server 220. For example, the computer readable medium can be a hard disk drive either integral to fraud processing server 220 or external to the server. Alternatively, the computer readable medium can be a floppy disk or a CD-ROM apart from fraud processing server 220 and accessible by inserting into a drive (not shown) of fraud processing server 220. In yet other alternatives, the computer readable medium can be a RAM integral to fraud processing server 220 and/or a microprocessor (not shown) within the server. One of ordinary skill in the art will recognize many other possibilities for implementing the computer readable medium. For example, the computer readable medium can be a combination of the aforementioned alternatives, such as, a combination of a CD-ROM, a hard disk drive and RAM.
Referring to
As illustrated in
At step 320, the parsed and stripped records are batched by host 133 and transaction database 136, and then are transferred for storage and processing at the server 220 and database 230 (step 322). While parsing and stripping are illustrated as performed at host 133 (this could reduce the amount of data needing to be stored at watch database 230), it should be appreciated the entire money records from transaction database 136 could be transferred to server 220 and database 230, with parsing and stripping steps then performed at server 220 after the transfer.
The records are then evaluated for indications of suspicious or irregular patterns (step 324), as will be described below in conjunction with
Referring to
Next, the system takes all records within each block and aggregates the data in selected fields of the records (to create collective value for each field), according to selected secondary categories or characteristics (step 412). As one example (to be described later in conjunction with
At step 420, the server 220 compares the aggregated category/secondary characteristic data to predetermined red flag or threshold values, and provides a report (step 430) of any patterns that are potentially suspicious. The report can also include a simultaneous comparison of the same data to previous periods (step 422). Comparisons to previous periods (e.g., previous week, previous month) are useful when the system 210 is being used to monitor agent networks for compliance with policies and procedures (increasingly irregular data patterns may indicate a need for compliance training, and improving data patterns may indicate the success of a recent compliance program).
Referring to
Another example of evaluating a block of records is seen in
As mentioned earlier, there are many possible characteristics that can be considered in aggregating data for suspicious patterns and comparison to red flags/thresholds. The following describes examples of such characteristics, it being understood that such description is not intended to be limiting:
Country Corridor Characteristics
For a given country, various characteristics of transactions to other countries can be evaluated, such as total number of transactions, total monetary amount of all transactions, the smallest and largest transactions, and the ratio of payees to senders. Past experience can lead to developing threshold values that represent an unusual level of activity. An aggregated value for any characteristic that exceeds the threshold represents a suspicious pattern.
As an example, these characteristics may be evaluated for all daily money transfers from the U.S. to each of several dozen other countries, including Nigeria. A high ratio of payees to senders for transfers from the U.S. to Nigeria (as compared to transfers from the U.S. to other countries) may indicate that large amounts of money are being distributed to Nigeria using many money transfers in smaller amounts, in an attempt to launder money.
Agent Characteristics
For each agent within one sending country, the total number of transactions, total monetary amount of all transactions, or the total number of payees/recipients that exceed predetermined thresholds may represent an unexpectedly high level of activity by one agent, and hence a suspicious pattern.
Agent to Agent Characteristics
The number of transactions (within one sending country) from each sending agent to each receiving agent might represent (if exceeding a predetermined threshold) a suspicious pattern, due to an attempt by a sending agent to steer transactions to a pick-up location or agent chosen or preferred by the sending agent, rather than chosen by the sender. Compliance training for the sending agent may be warranted.
Consumer Characteristics
For a given country, and for each sender, the total number of transactions, the total monetary amount of all transactions, and the total number of payees may indicate a pattern of senders attempting to launder money by transferring large amounts of money to multiple payees/recipients.
Biographical Characteristics
These characteristics include the nature of the sender's ID (photo or no photo), social security number, phone number, and so forth. Any aggregation that exceeds a threshold may represent an irregular or suspicious pattern. As an example, a large number of transactions using one social security number may indicate a suspicious pattern. As another example, a high percentage of transactions (e.g., 80%) completed by one sending agent without photo IDs being presented by the sender may be a suspicious pattern and indicate compliance training for that agent is warranted.
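Two of the characteristics listed above (an agent's share of transfers completed without photo ID, and the payee-to-sender ratio per country corridor), evaluated against red flags and reported alongside the previous period as in step 422. This is an added example, not code from the application; the rows, field names, and the ratio threshold of 2.0 are assumptions, while the 80% figure is the one the text uses.

```python
from collections import defaultdict
from typing import NamedTuple


class Row(NamedTuple):
    period: str        # "prev" or "cur" reporting period
    agent: str         # sending agent
    dest: str          # receiving country (corridor from one sending country)
    sender: str
    payee: str
    photo_id: bool     # True if the sender presented a photo ID


# Constructed records for one sending-country block (not real data).
ROWS = [
    Row("prev", "A1", "NG", "s1", "p1", False),
    Row("prev", "A1", "NG", "s1", "p2", True),
    Row("prev", "A1", "MX", "s3", "p7", False),
    Row("prev", "A1", "MX", "s4", "p8", True),
    Row("prev", "A2", "MX", "s5", "p9", True),
    Row("prev", "A2", "NG", "s2", "p4", True),
    Row("cur", "A1", "NG", "s1", "p1", False),
    Row("cur", "A1", "NG", "s1", "p2", False),
    Row("cur", "A1", "NG", "s1", "p3", False),
    Row("cur", "A1", "NG", "s2", "p4", False),
    Row("cur", "A1", "NG", "s2", "p5", True),
    Row("cur", "A2", "NG", "s2", "p6", True),
    Row("cur", "A2", "MX", "s3", "p7", True),
    Row("cur", "A2", "MX", "s4", "p8", False),
    Row("cur", "A2", "MX", "s5", "p9", True),
]

NO_PHOTO_RED_FLAG = 0.80     # the text's example: 80% of one agent's transfers
PAYEE_RATIO_RED_FLAG = 2.0   # assumed; the text says thresholds come from experience


def no_photo_share(rows):
    """Per agent: fraction of transfers completed without a photo ID."""
    total, missing = defaultdict(int), defaultdict(int)
    for row in rows:
        total[row.agent] += 1
        if not row.photo_id:
            missing[row.agent] += 1
    return {agent: missing[agent] / total[agent] for agent in total}


def payee_sender_ratio(rows):
    """Per corridor: distinct payees divided by distinct senders."""
    senders, payees = defaultdict(set), defaultdict(set)
    for row in rows:
        senders[row.dest].add(row.sender)
        payees[row.dest].add(row.payee)
    return {dest: len(payees[dest]) / len(senders[dest]) for dest in senders}


CHECKS = [
    ("agent_no_photo", no_photo_share, NO_PHOTO_RED_FLAG),
    ("corridor_payee_ratio", payee_sender_ratio, PAYEE_RATIO_RED_FLAG),
]


def red_flags(rows, period="cur", previous="prev"):
    """Return (check, key, current value, previous value) for each red flag.

    The previous value is None when the key had no activity in that period,
    which is itself worth a look for a newly active agent or corridor.
    """
    current = [r for r in rows if r.period == period]
    earlier = [r for r in rows if r.period == previous]
    flags = []
    for name, aggregate, threshold in CHECKS:
        now, before = aggregate(current), aggregate(earlier)
        for key in sorted(now):
            if now[key] >= threshold:
                flags.append((name, key, now[key], before.get(key)))
    return flags


if __name__ == "__main__":
    for flag in red_flags(ROWS):
        print(flag)
```

Reporting the earlier value next to the current one lets a reviewer tell a steady pattern from a worsening one, which is how the text proposes to judge whether compliance training is needed or has worked.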
Once a block of data has been identified as having potentially suspicious patterns, that block (or, if desired, a selected subset of the block) is then subject to further analysis at step 324 (
One such process for analyzing individual records is shown in
This is illustrated in
Each reference designator (cluster of money transfer records) can then be searched or analyzed (step 656) to identify specific sender names, specific recipient names or other identifying data associated with likely fraudulent or criminal activity. This final analysis can be done manually or may involve automated checking (using fraud processing server 220) of the common data fields in reference designator lists against known suspect user names or other identifiers.
As should be apparent, methods other than that described above are available for analyzing blocks of records having suspicious patterns, as represented by step 324 in
While a detailed description of presently preferred embodiments of the invention has been given above, various alternatives, modifications, and equivalents will be apparent to those skilled in the art without varying from the spirit of the invention.
Therefore, the above description should not be taken as limiting the scope of the invention, which is defined by the appended claims.
Claims
1. A method for evaluating electronic money transfers, comprising:
- electronically storing records of money transfer requests, wherein each record is associated with a money transfer request and has at least two data fields, a first data field representing a first characteristic of the money transfer request and a second data field representing a second characteristic of the money transfer request;
- sorting the money transfer records to create at least one data block, wherein all records in the data block have the same first characteristic;
- calculating a collective value of the second characteristic of all the records in the data block;
- comparing the collective value against a predetermined threshold value, the threshold value chosen to represent potentially irregular money transfer transactions;
- indicating a potentially irregular money transfer pattern if the collective value meets the threshold value; and
- analyzing individual records within the block for irregular money transfers if an irregular money transfer pattern has been indicated.
2. The method of claim 1, wherein the first characteristic is related to the location of the money transfer request.
3. The method of claim 2, wherein the first characteristic is the country where the money transfer request is made.
4. The method of claim 2, wherein the first characteristic is the agent network receiving the money transfer request.
5. The method of claim 2, wherein the second characteristic is related to the value of the money transfer request.
6. The method of claim 5, wherein the value of each money transfer request is assigned to one of a plurality of value bands, each band representing a predetermined range of transferred monetary amounts, and wherein the collective value represents the number of money transfer requests having transferred monetary amounts falling within one of the value bands.
7. The method of claim 6, wherein the predetermined range has an upper limit below $3000.
8. The method of claim 7, wherein the predetermined range has a lower limit above $2800.
9. The method of claim 2, wherein the second characteristic is related to the time-of-day of each transaction.
10. The method of claim 9, wherein the second characteristic is related to whether the transaction is during normal business hours or outside normal business hours, wherein the collective value is the total number of transactions outside normal business hours, and wherein the threshold value is a percentage of the transactions outside normal business hours in relation to the total number of transactions.
11. The method of claim 10, wherein the comparing step compares, for each of a plurality of agents, the collective value of the total number of transactions outside normal business hours to the threshold value.
12. The method of claim 2, wherein the second characteristic is chosen from a group consisting of:
- transaction value band characteristics;
- country corridor characteristics;
- agent characteristics;
- agent to agent characteristics;
- consumer characteristics; and
- biographical characteristics.
13. The method of claim 1, wherein the electronic records are stored at a money transfer system, wherein the stored records are transferred to a monitoring system programmed for carrying out the steps of sorting the money transfer records, calculating a collective value for the second characteristic of all the records in the data block, comparing the collective value of the second characteristic against a predetermined threshold value, indicating a potentially irregular money transfer pattern if the collective value of the second characteristic of all records in the data block meets the threshold value, and analyzing individual records within the data block for irregular money transfers, and wherein the threshold value is a red flag threshold selected by the operator of the money transfer system based on experience.
14. The method of claim 1, wherein the money transfer records include a first sender identification associated with a first money transfer request and at least a second sender identification associated with a second money transfer request, and wherein the step of analyzing individual records comprises:
- performing an analysis of the records, wherein the analysis indicates the first sender identification and the second sender identification are related;
- creating a reference designator, wherein the reference designator is associated with records having the related first and second sender identifications; and
- searching the records associated with the reference designator to determine if any of the records are suspicious money transfer requests.
15. The method of claim 14, wherein the step of searching includes searching the records to determine if any of the money transfer requests are by a known suspicious user.
16. A method for evaluating electronic money transfers, comprising:
- receiving a plurality of money transfer requests;
- electronically storing records of the money transfer requests, wherein each record is associated with one money transfer request and has data that defines characteristics of that money transfer request, including at least a location characteristic relating to the location where the money transfer request was made and a transaction characteristic relating to a characteristic other than location;
- sorting the money transfer records into at least one block, wherein all records in the block have the same location characteristic;
- aggregating the transaction characteristic of all the records in the block to arrive at a collective value for the transaction characteristic;
- defining a red flag threshold level for the collective value, the threshold level chosen to represent, if met, a suspicious money transfer pattern;
- comparing the collective value for the transactional characteristics with the threshold level;
- indicating a suspicious money transfer pattern if the collective value for the transaction characteristic meets the threshold level; and
- analyzing individual records within the block if a suspicious money transfer pattern has been indicated.
17. A system for evaluating money transfer records, comprising:
- a database for storing a plurality of money transfer records, each record having a plurality of data fields relating to the money transfer, including a first field relating to a characteristic of the location where the money transfer was requested and a second field relating to a transaction characteristic not related to location;
- a fraud processing server for evaluating the money transfer records, the fraud processing server programmed to: sort the money records into one or more blocks of records, each block having the same characteristic in the first field; aggregate the data in the second field of the records in the block to obtain a collective value of the characteristics in the second field; compare the collective value to a threshold value, wherein the threshold level is chosen to represent, if met, a suspicious money transfer pattern; and
- indicating a suspicious money transfer pattern if the collective value meets the threshold value, so that the block of records can be further analyzed to identify suspicious individual money transfers.
18. The system of claim 17, wherein the characteristic in the first field identifies the country where the money transfer request is made.
19. The system of claim 17, wherein the characteristic in the first field identifies the agent network processing the money transfer request.
20. The system of claim 17, wherein the characteristic in the second field identifies the value of the money transfer request.
21. The system of claim 17, wherein the characteristic in the second field identifies the time-of-day of each transaction.
22. The system of claim 17, wherein the characteristic in the second field is chosen from a group consisting of:
- transaction value band characteristics;
- country corridor characteristics;
- agent characteristics;
- agent to agent characteristics;
- consumer characteristics; and
- biographical characteristics.
23. The system of claim 17, wherein the database is a fraud watch database, wherein records are collected and stored by a host computer and an associated transaction database within a money transfer system in response to money transfer requests by senders of money transfers, and wherein the fraud watch database and fraud processing server are separate from the host computer and transaction database, in order to minimize operational impact on the host computer and transaction database.
Type: Application
Filed: Sep 26, 2006
Publication Date: Mar 29, 2007
Applicant: First Data Corporation (Greenwood Village, CO)
Inventors: Seth Tolbert (Highlands Ranch, CO), Noel Brandt (Highlands Ranch, CO), Robert Bulkley (Castle Rock, CO), Robert Degen (Parker, CO)
Application Number: 11/535,362
International Classification: G06Q 40/00 (20060101);