
Alerts and SARs

hkanezashi edited this page Feb 25, 2020 · 11 revisions

Definitions of "Alert" and "SAR" in AMLSim

In AMLSim, an alert is a group of transactions and accounts. The transactions of an AML typology form a characteristic graph. An alert whose transactions and accounts are reported as fraudulent is called a "SAR" (Suspicious Activity Report). Some alerts are SARs and others are not (these are called "false alerts").

All accounts involved in SAR transactions are flagged as SAR, regardless of whether each of them is the main account or not. Accounts involved in no alert transactions, or only in false alert transactions, are flagged as non-SAR.

SAR-Accounts

Alert Parameter File

Alerts (or SARs) are defined in an alert parameter file (alertPatterns.csv).

The first row must be the header (column names). Here is the column name list.

  • count: Number of alert subgraphs to be generated (transaction sets)
  • type: Transaction type name (fan_in, fan_out, cycle...) as the AML typology
  • schedule_id: Transaction scheduling ID of the typology
    • 0: All member accounts send money in order with the same interval (number of days)
    • 1: All member accounts send money in order with random intervals
    • 2: All member accounts send money randomly
  • min_accounts: Minimum number of involved accounts
  • max_accounts: Maximum number of involved accounts
  • min_amount: Minimum initial transaction amount
  • max_amount: Maximum initial transaction amount
  • min_period: Minimum overall transaction period (number of days)
  • max_period: Maximum overall transaction period (number of days)
  • bank_id: Bank ID that member accounts belong to (optional: if empty, the bank ID is not restricted)
  • is_sar: Whether the alert is SAR (True) or false alert (False)

Here is an example of the alert parameter CSV file.

count,type,schedule_id,min_accounts,max_accounts,min_amount,max_amount,min_period,max_period,bank_id,is_sar
20,fan_in,0,4,6,2700,3000,10,30,,True
20,cycle,0,5,10,50,200,30,90,bank_a,False

The second row describes 20 SARs (fan-in) with the following features.

  • The number of involved accounts for each transaction set is four to six (one beneficiary account and three to five originator accounts). The number of involved accounts will be determined randomly for each transaction set.
  • Each transaction amount is randomly determined in the range of 2,700 to 3,000.
  • All transactions finish in the range of 10 to 30 days, and the scheduling policy (schedule_id) is ordered (0).
  • Some transactions can be bank-to-bank because the bank ID (bank_id) is empty.
  • All alerts are SAR (is_sar = True) and all involved accounts are also flagged as SAR.

The third row describes 20 false-alert transactions forming cycles.

  • The number of involved accounts for each transaction set will be determined randomly in the range of five to ten.
  • Each transaction amount is randomly determined in the range of 50 to 200.
  • All transactions finish in the range of 30 to 90 days.
  • All transaction sets consist of internal-bank transactions among accounts whose bank ID is "bank_a".
  • All alerts are false-alert (is_sar = False) and all involved accounts are flagged as non-SAR.

The total number of SAR accounts is equal to the sum of the populations of all SAR alerts. That means each SAR account is never involved in two or more SAR transaction sets.
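The following added example (not AMLSim's own code) checks an alert parameter file against the column rules listed above and derives the range the total SAR account count can fall in, using the rule that it equals the sum of the populations of all SAR alerts. The function names, the strict header-order check and the case-insensitive is_sar parsing are assumptions made for illustration.

```python
import csv
import io

# Column names listed on this page; exact order is an assumption of this example.
COLUMNS = ["count", "type", "schedule_id", "min_accounts", "max_accounts",
           "min_amount", "max_amount", "min_period", "max_period",
           "bank_id", "is_sar"]

# The example alert parameter file shown on this page.
SAMPLE = """\
count,type,schedule_id,min_accounts,max_accounts,min_amount,max_amount,min_period,max_period,bank_id,is_sar
20,fan_in,0,4,6,2700,3000,10,30,,True
20,cycle,0,5,10,50,200,30,90,bank_a,False
"""

def load_alert_patterns(text):
    """Parse and validate alert parameter rows (hypothetical helper)."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    rows = []
    for line_no, raw in enumerate(reader, start=2):
        row = dict(raw, count=int(raw["count"]), schedule_id=int(raw["schedule_id"]))
        if row["schedule_id"] not in (0, 1, 2):
            raise ValueError(f"row {line_no}: schedule_id must be 0, 1 or 2")
        for key in ("accounts", "amount", "period"):
            lo, hi = float(raw[f"min_{key}"]), float(raw[f"max_{key}"])
            if lo > hi:
                raise ValueError(f"row {line_no}: min_{key} > max_{key}")
            row[f"min_{key}"], row[f"max_{key}"] = lo, hi
        flag = raw["is_sar"].strip().lower()
        if flag not in ("true", "false"):
            raise ValueError(f"row {line_no}: is_sar must be True or False")
        row["is_sar"] = flag == "true"  # an empty bank_id stays "" (no restriction)
        rows.append(row)
    return rows

def sar_account_bounds(rows):
    """(min, max) total SAR accounts: each SAR row adds count * accounts per set."""
    sar = [r for r in rows if r["is_sar"]]
    return (sum(r["count"] * int(r["min_accounts"]) for r in sar),
            sum(r["count"] * int(r["max_accounts"]) for r in sar))

if __name__ == "__main__":
    print(sar_account_bounds(load_alert_patterns(SAMPLE)))
```

For the sample file only the fan_in row is SAR, so the generated data set should contain between 80 and 120 SAR accounts; a count outside that range in the output account list points to a mismatch between the parameter file and the generated data.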

How to find out SAR accounts and transactions from output CSV files

Accounts

The sixth column prior_sar_count of the account list CSV indicates whether the account is SAR (true) or non-SAR (false).

Transactions

The seventh column is_sar of the transaction list CSV, or the third column is_sar of the alert transaction list CSV, indicates whether the transaction is SAR (True) or non-SAR (False).