What are graphs?
A graph is a visual representation of a set of entities (nodes) and how they are related. Graph analytics focuses on examining relationships between entities. An entity can be, for example, a company, a person or an address, and the connections between them are represented as edges, or relationships. Here is an example:
The illustration visualises two nodes and how they are related. For an investigator, this type of illustration is easy to interpret. Arriving at this type of visualisation is not straightforward, however, as most data are stored in tabular format. Data may also be stored across multiple siloed data stores, which makes it difficult to identify patterns across the different datasets.
How are graphs used to investigate financial crime?
We will look at one trend that was recently addressed by the Norwegian Police in their annual risk assessment: accountants of criminal organisations.
According to their trend report, criminal actors enlist accountants to legitimize businesses engaged in economic crimes, including money laundering and tax evasion. These accountants employ tactics such as establishing intricate corporate structures to obscure ownership and complicate financial oversight.
For this example, let’s assume that we have access to the following data sources in the graph application:
- Corporate register
- Customer data
- Transaction data
- Online bank user logs
Our analysis will start with an investigation of a transaction monitoring alert that has flagged a large transaction for a newly established customer.
The newly established customer of Acme Bank is DarkCorp Ltd. It was their accountant, Anna Belle at BizAccount Ltd, who opened the account on behalf of DarkCorp. The graph below illustrates the relationship between BizAccount and DarkCorp in Acme Bank’s graph application.
The flagged transactions were credited to DarkCorp’s account two days after account opening. When the investigator explores the relationships in the graph for DarkCorp, they see this overview.
Funds are coming from SendingCorp Ltd and are immediately being transferred to two companies, EvilCorp Ltd and SketchyCorp Ltd. The nodes in red are not customers of the bank, so the bank has limited information about these entities. However, there may be information in the public domain about these entities which we can look up.
The investigator queries the corporate register for the number of employees and the accountant. The accountant is displayed as a relationship and the number of employees is displayed as a property on the relevant nodes.
What they see is that BizAccount is also the accountant for EvilCorp and SketchyCorp, so there may be a relation between all the related parties. The investigator goes further to investigate whether there are other customers of the bank that may be related to any of the parties. With a few clicks, they identify transactions with SketchyCorp Ltd from another customer of the bank, SuperSeriousCorp Ltd. SuperSeriousCorp seems to have a legitimate transaction history with well-known counterparts, but they transfer quite some funds abroad.
The investigator may decide to look at the login history for the different accounts. When looking up the most recent IP address of all the customers, they find that the three customers logged in from the same IP address.
Although this scenario does not confirm any wrongdoing of the companies involved, it demonstrates how easy it is for investigators to identify and analyse relationships between companies and individuals. To determine whether this is actually suspicious, the investigator may need to understand the sources of funds and the purpose of the transactions, but that is significantly easier with all the relationships mapped in a graph.
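As an added illustration (not code from Convier or from the original article), the sketch below joins constructed rows from three of the data sources in the scenario into one graph and shows how the shared accountant and the shared IP address surface from tabular data. The rows, the extra names OtherBooks Ltd and UnrelatedCorp Ltd, the IP addresses and all function names are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample rows modelled on the scenario above; not real data.
REGISTER = [("DarkCorp Ltd", "BizAccount Ltd"), ("EvilCorp Ltd", "BizAccount Ltd"),
            ("SketchyCorp Ltd", "BizAccount Ltd"), ("SuperSeriousCorp Ltd", "OtherBooks Ltd")]
TRANSACTIONS = [("SendingCorp Ltd", "DarkCorp Ltd"), ("DarkCorp Ltd", "EvilCorp Ltd"),
                ("DarkCorp Ltd", "SketchyCorp Ltd"), ("SuperSeriousCorp Ltd", "SketchyCorp Ltd")]
LOGINS = [("DarkCorp Ltd", "203.0.113.10"), ("SuperSeriousCorp Ltd", "203.0.113.10"),
          ("UnrelatedCorp Ltd", "198.51.100.7")]


def build_graph():
    """Merge the three tabular sources into one labelled graph.

    Edges are stored in both directions so traversal can follow a payment
    or a login from either end; payment direction is not kept here.
    """
    graph = defaultdict(set)
    for rows, label in ((REGISTER, "HAS_ACCOUNTANT"), (TRANSACTIONS, "PAID"),
                        (LOGINS, "LOGGED_IN_FROM")):
        for src, dst in rows:
            graph[src].add((label, dst))
            graph[dst].add((label, src))
    return graph


def shared(rows):
    """Return attribute values (accountant, IP) linked to more than one entity."""
    groups = defaultdict(set)
    for entity, value in rows:
        groups[value].add(entity)
    return {value: ents for value, ents in groups.items() if len(ents) > 1}


def explain_links(graph, start, max_hops=2):
    """Breadth-first search: shortest labelled path from start to each node."""
    paths, queue = {start: []}, deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) == max_hops:
            continue  # do not expand beyond the hop limit
        for label, nxt in sorted(graph[node]):
            if nxt not in paths:
                paths[nxt] = paths[node] + [(label, nxt)]
                queue.append(nxt)
    return paths


if __name__ == "__main__":
    print(shared(REGISTER), shared(LOGINS))
    for entity, path in explain_links(build_graph(), "DarkCorp Ltd").items():
        print(entity, "<-", path)
```

The path returned for each entity is the evidence trail an investigator would record: which relationship, from which source, links it to the alert subject.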
Can I leverage my own data?
Organisations have vast amounts of data that can be used to investigate suspicious financial activity. However, the challenge is to enable investigators to leverage that data as part of their investigations. Here are some common challenges:
- Data is stored across multiple siloed platforms: Most data is stored in a way that prevents it from being analysed in relation to data from other sources.
- Data quality: Data may be incomplete. The internally available datasets might not contain all the necessary information. In order to paint a complete picture of a case, investigators will typically need to enrich internal datasets with external data.
- Real-time access: Many graph applications require data to be cleansed and ingested into a specific format in a graph database before it is ready to use, which prevents organisations from using graph analytics as part of real-time investigations. It may take hours or days before data is pre-processed, ingested and available in the graph platform.
How to get started?
There are multiple graph applications available on the market, both open source platforms and commercial models like Neo4j, Amazon Neptune, ArangoDB or Memgraph. All of them are graph databases, which require you to migrate your data to their database before being able to start analysing.
Then there is Convier. Convier enables you to perform graph analytics of more or less any data, no matter if you retrieve it from a tabular database, from your spreadsheets in SharePoint or from the corporate register through APIs. Want to give it a go? Let us know and we’ll give you an intro today.