SAS Anti-Money Laundering offers an alert scoring feature. The alert scoring feature provides you with a means to assign a priority score to active alerts. This enables you to better align team resources to improve your business efficiency by calculating which entity alerts represent the most risk to your institution. In this post, I’ll review the alert priority scoring process, and the jobs that are implemented as a part of this feature.

The alert priority scoring process is accomplished by two jobs: the fcf_aml_alert_enrich job and the fcf_aml_alert_scoring job.

Let’s first discuss the fcf_aml_alert_enrich job. The first part of this job is data extraction. The input parameters of this job define what is extracted depending on whether the input parameter’s value matches the value in the data.

There are default values for the fcf_aml_alert_enrich job input parameters (see the table below). The two parameters that I’d like to point out are lookback_window and txn_pull_window. The lookback_window parameter defines the number of past transactions to be stored for feature enrichment calculation, and the txn_pull_window parameter defines the number of days for past transactions (per entity) to be included. You can also filter alerts on the domain type (tm_domain) and choose the entity level for the statistical calculation of behavior (either at the Customer or Account level).

Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.

The fcf_aml_alert_enrich job retrieves both active and dispositioned alerts from the svi_alerts.tdc_alert (active alerts) and svi_alerts.tdc_alert_action (historical alerts) tables, as well as related transactional and entity-level information from the core tables.

After the data is extracted, the feature enrichment process begins.

Why do we enrich our features before plugging them into our alert scoring model? The simplest explanation is that our model will only be as good as the quality of data and features that it reads as input. In other words, by enhancing the separability of the classes, our machine learning model is more likely to perform well and produce meaningful answers.

SAS Anti-Money Laundering provides a set of predefined macros that perform various feature calculations and provide maximum flexibility for users to pass custom parameters to create several variations of a feature.

Some enrichment macros are used to calculate scenario-related features, such as the sum of cash deposits in the last N days. Other macros are used to calculate behavioral features, such as the max, min, and average of transaction count for the past N days, for a given account type and channel name.

The output of the fcf_aml_alert_enrich job is two enriched data sets. One data set contains the enriched active alerts (ACTIVE_ENRICH_ENTITY) and the other data set contains the enriched historical alerts (HIST_ENRICH_ENTITY).

The fcf_aml_alert_scoring job scores the active alerts present in ACTIVE_ENRICH_ENTITY by training a model using the HIST_ENRICH_ENTITY data set.

The fcf_aml_alert_scoring job can be configured to use either the out-of-the-box model or a user-developed model. When the model finishes scoring, the results are appended to alerts in a field named enrichment_json_doc. You can also view details about the model in the tdc_enrichment_field table.

To comply with regulatory requirements, all the model score history is stored persistently in the database.

It’s important to mention that to view the alert priority scores in SAS Visual Investigator, you must add the field via the Alerts grid through the strategy. You do not need to re-index for the scores to appear.

Now let’s look how to run these jobs in SAS Job Execution. Typically, the URL to access SAS Job Execution includes the name of the deployment domain, and then SASJobExecution with an ending slash (i.e. http://server/SASJobExecution/).

After you’ve signed into SAS Job Execution as an administrator user, in the Content panel on the left, you’ll navigate to SAS Content, Products, SAS Anti-Money Laundering, and then Jobs. Under Jobs, you first execute the fcf_aml_alert_enrich job and then the fcf_aml_alert_scoring job.

To run these jobs, you’ll right-click the job, and select Submit job.

It’s important to note that these jobs should be run after the alert service is done processing alert aggregation at the entity level. In other words, these jobs should be run after the AGP completes successfully.

To view more information about alerts and our SAS Anti-Money Laundering solution in general, please visit https://support.sas.com/en/software/sas-anti-money-laundering-support.html.

Find more articles from SAS Global Enablement and Learning here.