
Managing risk and threat in financial services with link analysis

Contents

The financial services threat landscape
What is link analysis?
What is timeline visualization?
Detecting & investigating financial fraud
Managing cybersecurity threats
Understanding and mitigating AML risks
Our toolkits

The financial services threat landscape
Financial services institutions face a complex set of challenges. Alongside
internal and industry risks, their position as financial powerhouses puts them
in the frontline of a range of external threats that need careful management.

As the leading providers of link analysis technologies, we’ve worked with financial services organizations
worldwide to build high-performance tools to manage risk and combat threats. It’s the right solution for a
wide range of use cases in the financial sector.

In this white paper, we’ll focus on some of the most common:

• Detecting and investigating financial fraud

• Managing cybersecurity threats

• Understanding and mitigating AML risks

We’ll also look at the role of timeline visualization, either as a standalone technique or integrated with link
analysis, in managing these threats and risks.

Financial services industry trends


Over the last few years, we’ve noticed several trends in the sector driving the need for our solutions.

Digital transformation
New technologies, customer demand for convenience and increased competition drive digital
transformation that’s constantly changing the face of finance. This reliance on digital services massively
increases the attack surface for cybercriminals.

Data breaches, malware attacks, network intrusions, identity theft: these are constant threats that
institutions must manage daily. Link analysis and timeline visualization, deployed alongside cyber security
information and event management (SIEM) platforms, offer an intuitive way to understand the challenge
and identify threats at scale.

Market consolidation
The global trend in financial services is towards consolidation and collaboration. To achieve that, many
organizations face the problem of getting complex, legacy IT infrastructures and systems working
together. They’re often left with data silos and inefficient duplication of tasks. Link analysis is a great way
to visualize complex network infrastructure, and also to analyze data across silos in a single unified view.

Increased regulation
Complying with relevant laws, regulations and rules reduces operational risk and makes institutions
run more smoothly. But regulations affecting finance change frequently, and they usually become more
complicated. The process requires the collection, analysis, and understanding of complex data at scale.
Link analysis, combined with interactive timeline visualization, is a great way to manage this.

Artificial Intelligence and Machine Learning
As data volumes grow, institutions turn to artificial intelligence and machine learning to make sense of
it. These technologies are great at finding anomalies, but more complex models require careful tuning to
guard against false positives. Humans still need to make the final decision. Link analysis makes these
complex situations easy to understand and communicate, and timeline visualization gives insight into
sequences of events and activity over time, driving clearer data understanding and better decision-making.

What is link analysis?


Link analysis is a technique for understanding connections and relationships. Whenever an event occurs
– someone makes a financial transaction, logs into their online banking app, applies for a loan, etc. – it
creates a digital footprint. Using link analysis, we visually connect those footprints, to uncover patterns
and anomalies and gain a deeper understanding of data in an intuitive and flexible way.

Link analysis isn’t new. Law enforcement and financial services organizations have used the technique
for decades. Link analysis tools, however, have improved significantly over time. Growing data volumes,
evolving threats, and distributed analyst teams have resulted in a new generation of web-based, fully
customizable tools.

What is timeline visualization?


Every event, from an insurance claim to an IT network connection, happens at a point or duration in
time. Timeline visualizations show those events in an interactive and scalable timeline format, allowing
analysts to see what happened when, and how the events are linked.

An example of a link analysis chart (left), combined with a timeline visualization (right)

Let’s look at some examples of link analysis and timeline visualization in action in the financial services
industry. The data we’ve used here is either simplified or synthesized, but the methodologies are used by
our customers every day.

Detecting & investigating financial fraud
The cost of fraud to the global economy in 2019 was over $5 trillion USD, and the financial services have
potentially the greatest exposure to that risk. Fraud management is one of the longest established use
cases for link analysis, used by fraud specialists to investigate known fraud, and detect unknown fraud.

Investigating known fraud

Known fraud is behavior that has been seen before and can be defined. We detect most incidences with
rule-scoring software, but use link analysis to investigate more complex cases.

Most known fraud systems work in a similar way. They collate, rule-score and sort large volumes of
transaction data into three categories: fraud, not fraud and unsure. Analysts manually review the ‘unsures’
- a balancing act between fast decisions that won’t delay customer transactions, and accurate decisions to
prevent fraud.

This link analysis chart shows vehicle insurance claim data. Nodes represent claims, vehicles, people, and
addresses:

As the analyst explores this link analysis chart, they call back to the database to find matches. This returns
all other claims with shared attributes, and adds them to the chart:

Analysts are looking for connections to other claims that they know are fraudulent, or that could indicate
fraud. One of the vehicles in the original claim, registration number DA53 RMX, was involved in a separate
claim just six months earlier. This is definitely worth investigating further.

Known fraud detection is about volume and speed. Analysts often need to approve or deny cases in
minutes, or sometimes seconds. The ability to make fast decisions with confidence is essential. Link
analysis gives the fraud analyst the at-a-glance view that makes this possible.

Timelines to investigate known fraud

While link analysis gives clear and fast answers to the ‘who’, ‘what’, ‘where’ and ‘how’ questions a fraud
investigator needs to ask, often they also need to understand the ‘when’ to get the full picture.

Timeline visualization allows investigators to unravel the sequences of events involved in a fraud case.

Here, for example, we can see a link analysis chart showing credit card activity. Merchants are
represented by cart icons, and card holders by people icons. The links represent transactions - green is
approved, red is disputed.

While the link analysis chart shows us the transactions and their value, an investigator needs to unpick
the sequence of transactions over time to understand where fraud is happening. In scenarios like these,
timeline visualization is essential.

Let’s investigate Marc’s disputed transaction, for example, and make him the focus of our timeline. Very
quickly, we see a large transaction at Walgreens about 10 days before his first disputed transaction.

Combining Marc’s card data with other cardholder information, we spot Paul with a strikingly similar
transaction history. Both have high-value disputed transactions at Walgreens at around the same time.
They also both visited a Walmart store a week or two before their first disputed transactions. Were their
cards cloned at Walmart?

This simple example shows how timeline visualization gives a different perspective on connected fraud
data, revealing patterns in time that would otherwise be difficult to unravel.
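
The timeline reasoning above (which merchants did several cardholders use shortly before their first disputed transaction?) can also be expressed as a query over the raw transactions. The following is an added example, not code from this white paper or its toolkits; the records, dates, amounts, the cardholder Anna and the function name are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records: (cardholder, merchant, date, amount, disputed)
TRANSACTIONS = [
    ("Marc", "Walmart",   date(2020, 3, 2),   41.20, False),
    ("Marc", "Shell",     date(2020, 3, 5),   30.00, False),
    ("Marc", "Walgreens", date(2020, 3, 6),  310.00, False),
    ("Marc", "Walgreens", date(2020, 3, 16), 480.00, True),
    ("Paul", "Walmart",   date(2020, 3, 4),   18.75, False),
    ("Paul", "Costco",    date(2020, 3, 9),   92.10, False),
    ("Paul", "Walgreens", date(2020, 3, 15), 455.00, True),
    ("Anna", "Walmart",   date(2020, 3, 3),   12.00, False),
    ("Anna", "Costco",    date(2020, 3, 10),  64.30, False),
]


def common_points_of_purchase(transactions, lookback_days=21, min_cards=2):
    """Rank merchants used by several cardholders shortly before each
    cardholder's first disputed transaction."""
    first_dispute = {}
    for holder, _merchant, day, _amount, disputed in transactions:
        if disputed and (holder not in first_dispute or day < first_dispute[holder]):
            first_dispute[holder] = day

    exposed = defaultdict(set)   # merchant -> cardholders who later disputed
    clean = defaultdict(set)     # merchant -> cardholders with no disputes
    for holder, merchant, day, _amount, disputed in transactions:
        if holder not in first_dispute:
            clean[merchant].add(holder)
            continue
        window_start = first_dispute[holder] - timedelta(days=lookback_days)
        if not disputed and window_start <= day < first_dispute[holder]:
            exposed[merchant].add(holder)

    results = [
        (merchant, sorted(holders), len(clean[merchant]))
        for merchant, holders in exposed.items()
        if len(holders) >= min_cards
    ]
    # Most affected cardholders first; fewer unaffected visitors breaks ties.
    return sorted(results, key=lambda r: (-len(r[1]), r[2], r[0]))


if __name__ == "__main__":
    for merchant, holders, unaffected in common_points_of_purchase(TRANSACTIONS):
        print(f"{merchant}: {holders} disputed later; {unaffected} other cardholder(s) did not")
```

The count of unaffected cardholders is kept in the result because a busy merchant will appear in many histories by chance; an analyst still has to judge whether the overlap is meaningful.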

Detecting unknown fraud

Unknown fraud is behavior that has not been encountered before and cannot be detected automatically.
It requires a human to identify new or unusual patterns. Here, link analysis is used as a detection tool.
Analysts use specialist skills, and more advanced link analysis techniques, to uncover unknown fraud. They
need domain knowledge and experience to think like a criminal.

Let’s look again at some vehicle insurance claim data.

Loading so many cases in one chart makes it easy to spot ordinary claims (the Y-shaped structures dotted
around the chart) and highlights more complex, or potentially fraudulent claims that require further
investigation.

To get a different perspective of the same dataset, we simplify the visual model to show only the nodes
representing people.

At the same time, applying a social network analysis centrality measure highlights the most active
people within the network. Is there a reason Neville is involved in four separate claims?
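
Both the shared-attribute lookup described under "Investigating known fraud" and the centrality ranking above reduce to operations on a graph of claims, vehicles, people and addresses. The following is an added example, not code from this white paper or its toolkits. It assumes degree centrality (the page does not say which measure is used), and all claim IDs, names other than Neville, registrations other than DA53 RMX, and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample claims: the registration DA53 RMX and the name Neville
# echo the text above; every other value is invented for illustration.
CLAIMS = {
    "C-101": {"vehicle": ["DA53 RMX", "KN12 ABC"], "person": ["Neville", "Irene"], "address": ["4 Mill Lane"]},
    "C-102": {"vehicle": ["DA53 RMX"], "person": ["Owen"], "address": ["9 Kiln Road"]},
    "C-103": {"vehicle": ["LT61 XYZ"], "person": ["Neville", "Priya"], "address": ["4 Mill Lane"]},
    "C-104": {"vehicle": ["BD15 QRS"], "person": ["Neville"], "address": ["22 Dock Street"]},
    "C-105": {"vehicle": ["YK08 TUV"], "person": ["Neville", "Owen"], "address": ["9 Kiln Road"]},
    "C-106": {"vehicle": ["MW19 DEF"], "person": ["Sam"], "address": ["1 High Street"]},
}


def entity_index(claims):
    """Map each (kind, value) node to the set of claims linked to it."""
    index = defaultdict(set)
    for claim_id, attrs in claims.items():
        for kind, values in attrs.items():
            for value in values:
                index[(kind, value)].add(claim_id)
    return index


def linked_claims(claims, claim_id):
    """Return {other_claim: [shared nodes]} for claims one hop away."""
    index = entity_index(claims)
    shared = defaultdict(list)
    for kind, values in claims[claim_id].items():
        for value in values:
            for other in index[(kind, value)] - {claim_id}:
                shared[other].append((kind, value))
    return {other: sorted(nodes) for other, nodes in sorted(shared.items())}


def people_by_degree(claims, min_claims=2):
    """Degree centrality on the person-claim graph: claims per person."""
    index = entity_index(claims)
    degree = {value: len(ids) for (kind, value), ids in index.items() if kind == "person"}
    ranked = sorted(degree.items(), key=lambda item: (-item[1], item[0]))
    return [(name, n) for name, n in ranked if n >= min_claims]


if __name__ == "__main__":
    print(linked_claims(CLAIMS, "C-101"))
    print(people_by_degree(CLAIMS))
```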

Alternatively, we can look at the types of damage listed in a claim. This reveals possible claim inflation, a
common fraud tactic where policyholders claim for more damage than actually occurred:

Is there a reason why Fraser’s Mechanic is fixing so many off-side rear doors? Plotting the data on a map
reveals more unusual patterns:

The map view shows that several claimants traveled significant distances for repairs at Fraser’s, even
though there were mechanics much closer to home. Could Fraser’s be involved in an organized fraud ring?

We can see how flexible link analysis drives this investigative approach, so analysts can follow their
instincts when detecting unknown fraud.

Managing cybersecurity threats
A growing reliance on digital services has massively increased the risk of cyber attack in the financial
services sector. Every day, institutions collate terabytes of disparate information into centralized security
operations centers (SOCs). This data almost always has connections - between devices, accounts, events,
locations, or between malware signatures, threat intelligence, microservices, and so on.

Existing security information and event management (SIEM) systems are great at collating this
information, but they rarely have sophisticated link analysis functionality that helps analysts understand
connections. This leaves analysts overwhelmed by alerts they cannot respond to, and struggling to
understand the full implications of alerts that do get picked up.

Exploring data breach patterns with link analysis

Data breaches are a threat to all organizations, especially those in financial services who deal with large
amounts of sensitive and personal data. The potential for financial and reputational damage is huge.

The Veris Project collates and publishes the Verizon Data Breach report, detailing information about
data breaches, attackers, vectors and victims. We’ve visualized that information in a link analysis chart:

The time bar along the bottom of the chart shows activity and trends in the dataset over time, comparing
vectors and finding patterns. Let’s look at two vectors in more detail. Color-coded trend lines show that
Email is a lesser-used attack vector, but Basic Tech – defined here as LAN access of phone-related scams
– is more widely used, but decreasing.

‘Advanced tech’ – defined here as web application, remote access, backdoor, C2, command shell, VPN – is
the most widely used and is particularly favored by the Activist Group included in the dataset.

We can also search to find specific organizations, and size nodes by their connectedness, revealing which
have been attacked the most. For example, Microsoft has been very unlucky:

This is a simple example of the advantage of link analysis. In a single chart, we can review complex data
from different angles: attackers, attacks, victims, vectors and times, easily revealing patterns and trends in
a broader contextual view. The result is a faster route to data insight and more advanced analysis.

Understanding and mitigating AML risks
Regulatory compliance is a huge and essential undertaking for the financial services sector. From small
credit unions to multinational banks, everyone operates in an increasingly globalized system and complex
regulatory environment.

Anti-money laundering (AML) regulations require special attention. Organizations must create and
maintain AML policies and procedures to detect and prevent money laundering. The consequences of poor
or inadequate compliance are significant. They expose organizations to handling the proceeds of crime or
terrorism, result in severe financial penalties, and do lasting reputational damage.

Through our work with customers in the financial services sector, we’ve found that link analysis is an
essential part of a robust AML process. Let’s look at three ways link analysis supports AML activity.

Politically Exposed Persons (PEPs)

A PEP is somebody with a prominent public role in a state, institution or international body, and their
relations. Their position of power makes them vulnerable to corruption, and they need enhanced due
diligence.

Link analysis techniques are an intuitive way to perform initial and ongoing due diligence. They make it easy
to understand the complex business, political and family connections, and how they evolve over time:

Using network visualization gives relationship managers and compliance teams a clearer view of a
PEP’s connections and financial activities. Having easy access to this information is vital for performing
initial due diligence to establish the legitimacy of sources of wealth, and on-going monitoring to detect
suspicious activity.

Beneficial Owners

Financial institutions must understand their customers’ ownership and control structures. Customer Due
Diligence (CDD) identifies the beneficial owners of a customer.

Organizational ownership structures can be complex. Mapping them out with link analysis tools removes
an arduous manual process and provides a clear picture of ownership and control:

It empowers analysts to quickly and easily scrutinize the impact of changing circumstances, e.g. mergers
and acquisitions, new majority shareholdings, transfer of control, changes to the organization’s board or
directorships, etc.

Correspondent banking relationship

Correspondent banking is when one financial institution provides banking services on behalf of another
institution, giving both parties wider reach across markets.

Often the correspondent bank may not have a direct relationship with the originator or the beneficiary
of the transaction. It’s difficult for these banks to detect and prevent the misuse of their correspondent
banking facilities.

Robust systems to identify high-risk customers and dubious transactions are essential for preventing
misuse of these services. Link analysis shows the correspondent relationships between banks, detangling
the possible risks involved.

In this model, nodes represent. They’re color-coded according to their relative risk, with links between them
weighted by total transaction value. This makes it easy to see the high value, high-risk transactions that
pass through the bank’s correspondent banking services.

This information can be aggregated and viewed on a map, providing a complete overview of a bank’s
exposure to potentially high-risk regions:

The risk model in this example is based on the banks, but more complex risk measures like debt exposure,
political events and historic trading positions would normally be used. Enhancing that data with an
interactive visualization tool makes it intuitive to explore and easy to understand.

Our toolkits
By joining the dots in data and uncovering complex and hidden activity, we’ve shown how interactive link
analysis and timeline visualization functionality helps financial services organizations to manage their
threats and risks.

Our toolkits, KeyLines, ReGraph and KronoGraph, make it easier and faster to build powerful interactive
visual analysis components. These are then deployed inside, or alongside, existing risk and threat
management platforms, providing an intuitive and fast way to explore complex risk and threat data.

Hundreds of organizations have already deployed applications built with our toolkits, including Cifas (the
UK fraud prevention authority), TripAdvisor, Fico, Aviva, Visa, JP Morgan Chase, Western Union, Allianz
and BAE Systems.

To learn more, or to register for a free trial, visit our website.

KeyLines is a graph visualization toolkit for JavaScript developers. Add graph visualization to your
applications that work anywhere, as part of any stack.

ReGraph is a graph visualization toolkit for React developers. ReGraph’s data-driven API makes it quick
and easy to add graph visualizations to your React applications.

KronoGraph is a toolkit for building timelines that drive investigations. With KronoGraph it’s easy to
build interactive, scalable timelines to explore evolving relationships and unfolding events.

cambridge-intelligence.com USA +1 (775) 842-6665 UK +44 (0)1223 362 000


Cambridge Intelligence Ltd, 6-8 Hills Road, Cambridge, CB2 1JP
