SU+ @ Strathmore University Library
Electronic Theses and Dissertations

This work is availed for free and open access by Strathmore University Library. It has been accepted for digital distribution by an authorized administrator of SU+ @Strathmore University. For more information, please contact library@strathmore.edu

2020
Detecting financial crimes using pattern recognition techniques: case of mobile money transactions.
Eshiwani, Michelle Mercy
Faculty of Information Technology
Strathmore University

Recommended Citation
Eshiwani, M. M. (2020). Detecting financial crimes using pattern recognition techniques: Case of mobile money transactions [Thesis, Strathmore University]. http://hdl.handle.net/11071/12092

Follow this and additional works at: http://hdl.handle.net/11071/12092

Detecting Financial Crimes using Pattern Recognition Techniques: Case of Mobile Money Transactions

By Michelle Mercy Eshiwani
112819

A Thesis Submitted to the Faculty of Information Technology in partial fulfillment of the requirements for the award of Master of Science in Information Technology.

Strathmore University
March 2020

Declaration and Approval

I, Michelle Mercy Eshiwani, declare that this research has not been submitted to any other University for the award of a Degree in Master of Science in Information Technology. This Thesis does not contain any content that was produced by another person except where due reference is made in the Thesis itself.

Student Name: Michelle Mercy Eshiwani
Sign: ________________________
Date: ________________________

Supervisor's Name: Dr. Vincent Omwenga
Sign: ________________________
Date: ________________________

Abstract

Financial Crimes have evolved and gained complexity in the recent past owing to advanced technological adoption globally. As consumers have accepted new forms of service delivery that offer them convenience, affordability and easy access, criminals have also found new avenues of pushing their illegal funds or financing criminal activities without raising suspicion or being detected. It is therefore widely recognised that the prevalence of economically motivated crime in many societies is a fundamental threat to the development of world economies and their stability.

This research aimed to develop a pattern recognition tool to analyze transaction patterns and detect suspicious transactions. This would in turn reduce the impact of financial crimes on mobile money transactions in terms of loss of revenue for individuals, corporations and countries by safeguarding legitimate transactions while also tying any loose ends that facilitate the transfer of illegally acquired funds over legitimate channels. This research focused on the field of Pattern Recognition in identifying and analyzing fraud in mobile money transactions. The tool applied Statistical Pattern recognition using the K-Nearest Neighbor algorithm to accurately classify transactions as fraudulent or genuine.

Table of Contents

Declaration and Approval
Abstract
Abbreviations and Acronyms
Definition of Terms
List of Figures
List of Tables
Chapter 1: Introduction
1.1 Background
1.2 Problem Statement
1.3 Aim
1.4 Specific Objectives
1.5 Research Questions
1.6 Justification
1.7 Scope and Limitation
Chapter 2: Literature Review
2.1 Introduction
2.2 Mobile Money Transactions
2.2.1 Characteristics of Mobile Money Transactions
2.2.1.1 Instant transactions
2.2.1.2 Seamless Integrations
2.2.1.3 Transactions
2.2.1.4 Security
2.2.1.5 Transaction Charges
2.2.1.6 Transaction Limits
2.2.2 Financial Crimes targeting Mobile Money Transactions
2.2.3 Systems and Controls used to secure Mobile Money Transactions
2.2.3.1 System and Controls that Secure the Mobile Money Platform
Fraud Management System
Access Security
2.2.3.2 System and Controls that secure Customer and Agent Transactions
Establishing User Identification
Confirmation Messages
Prompt Response
Back rolling Transactions
2.3 Characteristics of Financial Crimes
2.3.1 Type of crime
2.3.1.1 Fraud
2.3.1.2 Money Laundering
2.3.1.3 Terrorist Financing
2.3.2 Categories of victim
2.3.2.1 Members of the Public
2.3.2.2 Mobile Network Operator
2.3.3 Category of Criminals
2.3.3.1 Politically Exposed Persons (PEP)
2.3.3.2 Rogue Insiders: Major and Petty
2.3.3.3 Organised crime groups
2.4 Systems and Controls used to detect Financial Crimes in Traditional Financial Institutions
2.4.1 Transaction Monitoring
2.4.2 Know Your Customer (KYC) and Customer Due Diligence (CDD) Systems
2.4.3 Sanctions and watch-list monitoring
2.4.4 Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) Compliance
2.4.5 Cyber-Security
2.5 Effectiveness of Controls and Systems in Detecting Financial Crimes in Kenya
2.6 Pattern Recognition
2.6.1 Pattern Recognition Process in Suspicious Transaction Detection
2.6.1.1 Pre-processing
2.6.1.2 Feature extraction
2.6.1.3 Feature selection
2.6.1.4 Classification
2.6.1.5 Decision making process
2.6.2 Review of Pattern Recognition Techniques used to detect Financial Crimes
2.6.2.1 Supervised Techniques
Statistical Pattern recognition
Challenges with Statistical Pattern Recognition
2.6.2.2 Unsupervised Techniques
Template matching Pattern Recognition
Challenges with Template matching Pattern Recognition
2.6.2.3 Semi-Supervised techniques
Structural/Syntactic Pattern Recognition
Challenges with Syntactic Pattern Recognition
2.7 Empirical Literature on Pattern Recognition in Detecting Financial Crimes
2.7.1 A Conceptual Framework for Detecting Financial Crime in Mobile Money Transactions
2.7.1.1 Proposed Framework
2.7.1.2 Success and Drawback
2.7.2 Predicting Fraud in Mobile Money Transfer
2.7.2.1 Proposed Framework
2.7.2.2 Success and Drawback
2.7.3 Fraud Detection in Mobile Money Transactions Using Machine Transactions Using Machine Learning
2.7.3.1 Proposed Framework
2.7.3.2 Success and Drawbacks
2.8 Summary of Empirical Literature on Detecting Pattern Recognition in Detecting Financial Crimes
2.9 Gap Analysis
2.10 Conceptual Framework
Chapter 3: Research Methodology
3.1 Introduction
3.2 Research Design
3.2.3 System Development
3.2.3.1 Requirements
3.2.3.2 Design
3.2.3.3 Development/Iteration
3.2.3.4 Testing
3.2.3.5 Deployment
3.2.3.6 Review
3.2.4 System Analysis
3.2.5 System Design
3.3 Target population and Sampling
3.4 Data collection
3.5 Data Pre-processing
3.6 Data Analysis
3.7 Research Quality
3.7.1 Reliability
3.7.2 Validity
3.7.3 Ethical Considerations
Chapter 4: System Analysis and Design
4.1 Introduction
4.2 Data Analysis
4.2.1 Transaction Count
4.2.2 Transactions types flagged as suspicious
4.2.3 Handling Imbalanced Data
4.3 Requirements Analysis
4.3.1 Functional Requirements
4.3.2 Non-Functional Requirements
(i) Usability
(ii) Data Security
(iii) Persistent Storage
4.4 System Process
4.5 Data Flow Diagrams
4.5.1 Context Diagram
4.5.2 Data Flow Diagram Level 1
4.5.3 Data Flow Diagram Level 2
4.6 Data Model
4.7 Database Schema
Chapter 5: System Development and Testing
5.1 Introduction
5.2 Detection Model Structure
5.2.1 Importing Transactional Data Source
5.2.2 Data Processing
5.2.3 Feature Extraction
5.2.4 Training the Model
5.3 Testing
5.3.1 Model Testing
5.3.1.1 Confusion Matrix
5.3.1.2 Classification Report
5.3.1.3 Area Under Receiver Operating Characteristic (ROC)
5.3.2 System Testing
Chapter 6: Discussion
6.1 Introduction
6.2 Characteristics of mobile money financial transactional activities
6.3 Effectiveness of financial crimes detection controls and systems
6.4 Research on pattern recognition in detecting financial crimes
6.5 Design and develop a tool for detecting financial crimes based on pattern recognition in mobile money transactions
6.6 Testing the tool to detect a financial crime on a mobile money platform
Chapter 7: Conclusion and Recommendation
7.1 Overview
7.2 Conclusion
7.3 Recommendations
7.4 Future Works
References
Appendix 1: Portion of PaySim Synthetic Dataset for Fraud Detection
Appendix 2: Ethical Approval
Appendix 3: Research License
Appendix 4: Turnitin Report

Abbreviations and Acronyms

AML - Anti-Money Laundering
AML/CFT - Anti-Money Laundering/Combating the Financing of Terrorism
CDD - Customer Due Diligence
CFT - Combating the Financing of Terrorism
FIU - Financial Intelligence Units
KYC - Know Your Customer
ML - Money Laundering
M-MONEY - Mobile Money
MMT - Mobile Money Transactions
MNO - Mobile Network Operator
SIM - Subscriber Identification Module
TF - Terrorist Financing

Definition of Terms

Financial Crimes - Financial crimes are categorized as financial abuse crimes that are non-violent in nature but result in the loss of an individual or entity's financial security (Jung & Lee, 2017). It encompasses, among others, Fraud, Money Laundering (ML) and Terrorist Financing (TF).

Pattern Recognition - The science concerned with the classification of data into different categories based on similarities in already existing knowledge (Bishop, 2006).

SIM - Subscriber identity module; refers to the smart card used in mobile phones. It carries the user's identity for accessing the network and receiving calls and stores personal information, such as phone directory and short-message service messages received (Theodorou & Okong'o, 2019).

Synthetic Data - Any production data not obtained by direct measurement and is considered anonymized. Created by stripping any personal information (names, license plates, etc.) from a real dataset so it is completely anonymized.
Conceptually, synthetic data may seem like a compilation of "made up" data, but there are specific algorithms designed to create realistic data. Synthetic data can assist in teaching a system how to react to certain situations or criteria (Lopez-Rojas, 2016).

PaySim Synthetic Mobile Money Transaction dataset - A dataset generated using the PaySim simulator that uses aggregated data from a private dataset to generate a synthetic dataset that resembles the normal operation of transactions and injects malicious behaviour to later evaluate the performance of suspicious activity pattern recognition methods (Lopez-Rojas, 2016).

List of Figures

Figure 2.1: Customer Due Diligence Process (Fisher, 2017)
Figure 2.2: Risk based approach in sanction screening (FinScan, 2016)
Figure 2.3: Pattern Recognition Process (Liu, Sun, & Wang, 2006)
Figure 2.4: Unsupervised and Supervised Classification (WGBIS, 2014)
Figure 2.5: Conceptual for detection of M-money financial crime
Figure 2.6: Fraud Detection Framework
Figure 2.5: Conceptual Framework
Figure 3.1: Agile System development
Figure 4.1: Transaction count per type
Figure 4.2: Transaction types flagged as suspicious
Figure 4.3: Handling Imbalanced Data
Figure 4.4: System Architecture
Figure 4.5: Context Diagram
Figure 4.6: Data Flow Diagram Level 1
Figure 4.7: Data Flow Diagram Level 2
Figure 4.8: Data Model
Figure 4.9: Database Schema
Figure 5.1: Financial Crime Detection Model
Figure 5.2: Importing Data
Figure 5.3: Data Compressing
Figure 5.4: Feature Extraction
Figure 5.5: Split Data
Figure 5.6: Training the model
Figure 5.7: Confusion Matrix
Figure 5.8: Classification Report
Figure 5.9: ROC Graph
Figure 5.10: Applying date range to filter flagged transactions
Figure 5.11: Output of flagged transactions

List of Tables

Table 2.1: Possible vulnerabilities for different risk types for M-Money transactions (Solin & Zerzan, 2010)
Table 2.2: Summary of Empirical literature on Detecting Financial Crimes using Pattern Recognition
Table 4.1: Summary of Variables (Kang, 2019)

Chapter 1: Introduction

1.1 Background

Financial crimes have been recognized as a global challenge with impactful economic and social ramifications. Jung & Lee (2017) categorized financial crimes as financial abuse that is non-violent in nature but results in the loss of an individual or entity's financial security, with the potential to jeopardize global economies and homeland security. These crimes include, among others, fraud, Money Laundering (ML) and Terrorist Financing (TF). These crimes thrive on relevant volumes of financial transactions to conceal the identity, source, and destination of illegally gained money.
Experts estimate that up to $2 trillion of illicit proceeds from human trafficking, bribery and fraud flow through the legitimate financial system (Didimo & Liotta, 2014). Authorities are therefore constantly looking out for new ways and means to track down and prevent these crimes, just as much as criminals are developing innovative tactics in order to stay ahead. In a bid to tackle financial crimes, most governments have at the local level established special cross-collaborative investigative agencies known as Financial Intelligence Units (FIUs). They conduct money laundering (ML), terrorism financing (TF) and asset tracing investigations (UNCTAD, 2018).

As one of the newest forms of financial services, Mobile Money initially enabled people to make basic cash transactions on their phones. However, increased popularity of mobile money services has fuelled major growth in sectors of the economy, including financial institutions, retail and wholesale traders, agriculture, education and health. Most service providers have integrated mobile money platforms into their payment systems owing to their convenience and speed (Rolfe, 2019). In Kenya, a global trend setter for mobile money services, registered mobile money customers are able to receive services such as mobile credit, sports betting, insurance, cross-border remittances, bill and utility payments, airtime top-ups, and savings from the comfort of their mobile wallets. The Central Bank of Kenya (CBK) reported that the sum cash transferred using mobile money and payment services topped KES2.87 trillion ($27.7 billion) in the period to end-August of 2019, up 10.3 per cent on the same period of 2018. This means that Kenyans moved nearly half the equivalent of the country's gross domestic product (GDP) through their mobile phones in the last financial year, underlining the growing importance of digital wallets to the economy (Pham, 2019).
While trying to effectively cater to customers’ evolving needs, mobile money has unfortunately also become a conduit for financial crimes. Owing to high transaction speeds, reduced physical contact with agents (except for cash deposits or withdrawals) and layering of multiple transactions in small margins, Mobile Money Providers are often playing catch-up to secure transactions as well as their customers from the complex risks they pose (UNCTAD, 2018).

Mobile Network Operators (MNOs), the providers of mobile money platform services such as M-pesa, Airtel Money, T-Kash and Equitel, are mandated by the Central Bank of Kenya and the Communications Authority (CA), who review the systems and regulations in place to safeguard transactions and customers and ensure that they meet the “highest global standards”. MNOs are subject to the Proceeds of Crime and Money Laundering Act, 2012 and are therefore mandated to regularly file reports on suspicious activity with the country’s Financial Reporting Centre. Besides monitoring all their transactions to detect and report suspicious activity, MNOs state that their partners (in the case of both local and international remittances) are equally required to undertake due diligence on remitters in line with their respective countries’ fraud and anti-money laundering regulations (Masinde, 2017).

According to Masinde (2017), monitoring and investigating suspicious transactions within mobile money transactions remains difficult despite some checks already in place.
This is because criminals have utilized the fact that mobile money is less regulated in comparison to traditional financial institutions to carry out their business. Unlike banks, where one cannot transact beyond a certain threshold without the approval of the central bank, mobile money customers can transact large sums of money using multiple SIM cards and at various agents undetected. This brings into question the integrity and sustainability of mobile money transactions, particularly as the entire value of funds moved through these platforms rises.

A failure to detect and deter fraudulent transactions reduces any apparent consumer advantage gained as well as financial inclusion growth in these markets. Furthermore, regulatory authorities as a result may be less disposed to allow the necessary space to expand and diversify innovations on mobile financial services if they view MNOs’ internal controls as insufficient in detecting and mitigating financial crimes (Buku & Mazer, 2017).

1.2 Problem Statement

According to KPMG (2019), financial crimes are often concealed in complex patterns, to hide the motive, source of funding and even the identity of the criminal. As is the case of fraudulent transactions on mobile money platforms, they often go undetected, because their characteristics are not a ‘one size fits all’ as is mandated by the Anti-Fraud, AML and CFT guidelines that financial institutions must adhere to. Standard rule-based systems currently in place to monitor transactions most often only identify these crimes after they have occurred, and the perpetrators have been able to clean up any traces of evidence. This is because the methods used by the criminals do not meet the predefined system threshold that would have them flagged.

Applying pattern recognition to mobile money transactions for continuous monitoring was necessary, especially in identifying patterns in customers’ transactional activities.
These patterns act as a benchmark of expected patterns of legitimate transactional behaviour, used to accurately detect unusual or potentially suspicious transactions.

1.3 Aim

The purpose of this research was to develop a tool for detecting financial crimes in mobile money transactions using pattern recognition to differentiate between genuine and suspicious transactions.

1.4 Specific Objectives

(i) To investigate the characteristics of mobile money financial transactional activities.
(ii) To review the effectiveness of current financial crimes detection and controls systems.
(iii) To analyse Pattern recognition as a tool for detecting financial crimes in Mobile Money Transactions.
(iv) To design and develop a tool for detecting financial crimes based on pattern recognition in mobile money transactions.
(v) To test the ability of the tool to detect a financial crime on a mobile money platform.

1.5 Research Questions

(i) What are the characteristics of mobile money transactional activities?
(ii) How effective are current financial crimes controls and systems?
(iii) How is Pattern recognition applied to financial crime detection?
(iv) What pattern recognition techniques can be applied in crime detection for mobile money transactions?
(v) How effective are pattern recognition techniques in detecting financial crimes on mobile money transactions?

1.6 Justification

As the total value of funds transferred through these mobile money platforms continues to increase, there is a serious need for early detection and investigation of financial crimes. Adequate preventative measures must be in place to ensure the integrity and sustainability of these transactions, which are currently the biggest conduit of financial crimes in Kenya. The presence of such a system would ensure continued consumer benefit and continued financial inclusion gains. Furthermore, it would allow regulators to encourage more innovations to expand and diversify mobile money services.
1.7 Scope and Limitation

This research was entirely focused on identifying the nature of financial crimes in mobile money transactions. The study looked into statistical pattern recognition tools to facilitate the analysis and detection of fraud in mobile money transactions in Kenya.

Chapter 2: Literature Review

2.1 Introduction

This chapter focuses on the relevant literature that aids in understanding the research problem: detecting suspicious transactions through pattern analysis of large volumes of data in mobile money transactions. It further presents the various empirical studies and theoretical frameworks of technologies applied or proposed in detecting suspicious transactions in various financial transactions.

2.2 Mobile Money Transactions

Subia and Martinez (2014) described Mobile Money as an ecosystem of various types of financial activities or services transacted on a mobile device. The service facilitates the transfer of cash to the digital wallet, while encouraging the adoption of many more innovative services built on its foundations. In Kenya, Mobile money is a service provided by Mobile Network Operators (MNO) such as Safaricom (M-pesa), Airtel Kenya (Airtel Money) and Telkom Kenya (T-Kash) and regulated by the Communications Authority of Kenya.

GSMA (2017) acknowledges that since being adopted, especially in developing countries, Mobile Money has greatly contributed to economic growth and financial inclusion of people and communities who were “unbanked”. Individuals from the informal sector have been provided with easily accessible and affordable financial services that were previously the preserve of those in the formal working sector.

Mobile money services are categorized according to the type of transactions and how they should be processed. They are currently categorized as follows:
(i) Mobile payments - A service that enables registered vendors to receive payments for the purchase of goods and services from customers using their mobile wallet (on condition that the available balance is enough) via mobile device. This service extends to utility payments, retail payments, government collection and payments etc. (Bettcher & Mihaylova, 2015).
(ii) Mobile transfer - A service that allows registered customers to send or receive money to or from any customer registered on the same network or across networks, on condition that interoperability is enabled. For a transfer to take place, a customer must either deposit cash into their mobile wallet through a registered Mobile Network agent or via USSD from a bank (Ombaka, 2018).
(iii) Mobile banking - Mobile banking allows customers of financial institutions (banks, Saccos, insurance firms) to transact from their accounts to mobile money wallets and vice versa via USSD or integrated applications. Customers have access to a wide array of financial services: deposits, withdrawals, utility payment (Bettcher & Mihaylova, 2015).

2.2.1 Characteristics of Mobile Money Transactions

According to Lal & Sachdev (2015), mobile money services globally have many similarities in their approach to service delivery. Highlighted in the subsections below are the distinct characteristics that define mobile money transactions.

2.2.1.1 Instant transactions

Transactions are processed within seconds, as opposed to within hours or business days as is the case with traditional FIs. Instant speeds allow payments flexibility, making funds available, while increasing the control of personal and business funds (Valchev, 2019).

2.2.1.2 Seamless Integrations

Integration between merchants, institutions and MNOs has been improved to ensure seamless flow of transactions to business wallets, banks and institutions (Valchev, 2019).
2.2.1.3 Transactions

Except for cash deposits or withdrawals, which are dependent on the presence of agents, all other transactions do not require any third-party intervention.

2.2.1.4 Security

Mobile wallets are secured by a range of robust technologies, such as point-to-point encryption, tokenization, passwords, biometrics, out-of-band authentication, one-time password (OTP) via SMS, and security questions. In Kenya, customers must input a unique four-digit PIN code to successfully complete a transaction.

2.2.1.5 Transaction Charges

These are operational charges that are applied to user accounts based on the amount of cash being transacted. In Kenya, transaction charges are set at the discretion of MNOs with the guidance of the Communications Authority (CA) and are changed successively depending on the amount range being transacted (Bahia & Muthiora, 2019).

2.2.1.6 Transaction Limits

Transaction limits refer to the threshold amount that Mobile Money customers can transact either per given transaction, daily, weekly and monthly. These limits are set by the regulating authority for AML/CFT tracking (Bahia & Muthiora, 2019).

2.2.2 Financial Crimes targeting Mobile Money Transactions

Anti-money laundering, fraud and Combating the Financing of Terrorism regulations/guidelines in place for Traditional Financial Institutions may not legally apply to the new industry entrants that facilitate m-money because their core business is communication services. The m-money market is generally newer than financial crimes legislation in many countries, and governments did not consider m-money and its unique operations when drafting these laws (Chatain et al., 2011). Poor oversight on a regulator’s part intensifies anonymity, elusiveness and rapidity, the risks posed by mobile money transactions.

According to Chatain et al. (2011), further complicating the problem is determining the right government authority to oversee m-money.
In Kenya, mobile money is regulated by the Communications Authority of Kenya (CA) and not the Central Bank of Kenya. However, there is a push by Members of Parliament to delink mobile money services from their parent telecommunication firms and have them registered as separate commercial banks. If the law makers have their way, the telecommunications regulator (CA) would be compelled to ensure that mobile money services like Safaricom’s M-Pesa, Airtel Money and Telkom’s T-Kash are licensed as banks and hence come under the jurisdiction of the Central Bank of Kenya and its regulation (Mutai, 2019).

A sample of potential vulnerabilities at each stage of M-money transactions for the different risk categories is provided in Table 2.1 below.

Table 2.1: Possible vulnerabilities for different risk types for M-Money transactions (Solin & Zerzan, 2010)

General risk factor, with examples of vulnerabilities for different transactions (Deposit, Transfer, Withdrawal):

Anonymity
  Deposit: A criminal can open multiple accounts, with falsified identification documents and using different identities, to hide the true nature of deposits. Mobile money agents are not adequately equipped to verify the authenticity of a customer’s identification documentation during SIM card registration.
  Transfer: Suspicious names are not recognised by the system, making it a safe zone for known criminals and terrorists.
  Withdrawal: Withdrawal of illegitimate or terrorist-linked funds is possible, especially where a mobile money agent shows laxity in verifying a customer’s identification during the transaction. Mobile money agents are not adequately equipped to verify the authenticity of a customer’s identification documentation during SIM card registration.

Elusiveness
  Deposit: Criminals can openly redirect illicit funds into multiple accounts.
  Transfer: They can carry out multiple transactions to confuse the money trail and the true origin of funds.
  Withdrawal: Redirected funds from multiple accounts can be withdrawn simultaneously.

Rapidity
  Deposit: Illicit funds can be quickly, as is a characteristic of mobile money, transferred to different accounts.
  Transfer: Transactions occur instantaneously, hence are difficult to flag and screen for suspicion of terrorist financing or money laundering.
  Withdrawal: Just as in deposits, withdrawals are also done fast from different accounts.

Poor oversight
  All transactions: Without proper guidelines and regulation, mobile money services pose a great systemic risk.

2.2.3 Systems and Controls used to secure Mobile Money Transactions

This section discussed the systems and controls that were in place to secure mobile money platforms, agents and customers.

2.2.3.1 System and Controls that Secure the Mobile Money Platform

Fraud Management System

MNOs have implemented fraud management systems to detect fraudulent transactions based on geolocation technologies that flagged transactions based on crime hotspots such as prisons (Field, 2012).

Access Security

Generally, MNOs require customer authentication for a transaction to be executed. Access security can be in the form of inputting a preset PIN, OTP-based authorizations (from third-party applications), Mobile Station International Subscriber Directory Number (MSISDN) for international remittances and Public Key Infrastructure (PKI) for authenticating users and devices during online transactions (Mahindra Comviva, 2016).

2.2.3.2 System and Controls that secure Customer and Agent Transactions

This section described the basic security controls commonly available on the customer and agent side.

Establishing User Identification

When a user registers to be a Mobile money customer, they are issued with a PUK (Personal Unlocking Key) which is unique to every user. The PUK is used to reset the user’s PIN (Personal Identification Number) when they forget it.
A customer also gets a unique four-digit numerical PIN, which can be changed from the M-PESA Tool Kit for a charge (Mule, 2015).

Confirmation Messages

Once a customer performs a withdrawal from an agent, a confirmation message is sent to both the agent and the customer to verify the transaction details, after which cash is released. For a deposit, a customer first hands over the cash to the agent, who then goes ahead to deposit the cash to the customer’s mobile wallet; both parties also receive similar confirmation messages (Mule, 2015).

Prompt Response

Once money is withdrawn, a customer receives a prompt asking whether they would like to withdraw money from that agent. This prevents customers from withdrawing money from a wrong agent. When withdrawing money, a customer must input the correct agent number to ensure the transaction is successful (Mule, 2015).

Back rolling Transactions

A customer has the ability to roll back a transaction if it was deposited into a wrong account. The reversal process is done within seconds after the transaction.

2.3 Characteristics of Financial Crimes

Croall (2005) agreed that financial crimes are the objects or the target of illegal and often prohibited means to obtain personal benefit from the illegal conversion of the ownership of the property of others. They are characterised by type of crime, victim and perpetrator, as elaborated in the subsections below.

2.3.1 Type of crime

2.3.1.1 Fraud

Defined as false representation for a criminal’s personal gain, where fraudsters use doorstep tactics to target their victims via communication media such as phone, email, or communication sites.

Consumer affecting frauds: Consumers fall victim to frauds such as identity theft, social engineering scams, rogue agents, and loss from incorrect transfer to inadvertent beneficiaries who are unwilling to relinquish the cash (Buku & Mazer, 2017).
Agent affecting frauds: Agents also fall victim to frauds such as float loss in the agent’s account arising from unauthorized use, compromised PINs and ploys involving impersonation of MNO staff to gain unlawful access to the agent’s float account. Customers can also perform withdrawal reversal fraud or deposit fake currency (Buku & Mazer, 2017).

Internal Fraud in MNOs: Internal fraud has caused substantial losses for MFS providers, putting user accounts at risk while raising integrity concerns for the system. For example, in Kenya, Safaricom employees facilitated fraud on the platform leading to loss of clients’ money running into millions of shillings (Kiplagat, 2020). According to Buku and Mazer (2017), insufficient internal controls and audit processes, poor corporate constructs, a lack of employee awareness on fraud, and inadequate whistle blowing systems are among the significant contributors to internal fraud.

2.3.1.2 Money Laundering

Money Laundering (ML), as defined by Anosh & Ahmadi (2015), is the method by which criminals try to legitimize their profits from criminal activities (drug trafficking, people trafficking, embezzlement, corruption etc.) into the legitimate financial world. The FATF produced guidelines for financial institutions on how such suspicious transactions should be handled.

2.3.1.3 Terrorist Financing

Terrorist financing involves the solicitation, gathering or delivery of resources with the intention that they may be used to support terrorist actions or groups.
More precisely, according to the International Convention for the Suppression of the Financing of Terrorism, a person commits the crime of financing of terrorism "if the person by any means, directly or indirectly, unlawfully and wilfully, affords or gathers funds with the intent that they should be used, in full or in part, in order to carry out" an offense within the scope of the Convention. The primary goal of individuals or entities involved in the financing of terrorism is therefore not necessarily to conceal the sources of the money but to conceal both the financing and the nature of the financed activity (IMF, 2012).

Omondi (2019) wrote that court proceedings in Kenya against suspected masterminds of a terrorist attack at the dusitD2 hotel in Nairobi that claimed 21 lives have exposed vulnerabilities in mobile money transfer services. Two suspected terrorists had registered several mobile phone numbers that were used to receive Ksh. 109 million collectively to finance terrorist activities. The cash would then be withdrawn through M-Pesa till numbers at the Diamond Trust Bank Eastleigh Branch. The money would then be funneled to the terrorist group ‘Al Shabaab’ in Somalia, who claimed responsibility for the attack. One of the accused, a registered M-Pesa agent, registered a total of 52 fake accounts in a span of two months to aid in distributing these funds.

A third defendant in the case, the bank manager, was faulted for her failure to flag the large volumes of transactions as suspicious, given that there are regulations which require a Mobile Payment Service Provider or its agent to set transaction or payment account limits. According to regulations, any account exceeding a daily turnover of KSh100,000 and any personal account transacting more than KSh300,000 per week should be investigated. The agent and the MNO however did not flag these accounts (Omondi, 2019).
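The two limits quoted above (a daily turnover above KSh100,000 for any account, more than KSh300,000 per week for a personal account) written as a monitoring rule, in an added example that is not code from the thesis or from any MNO system. The rolling 24-hour and 7-day windows, the record fields, and the reuse of the daily figure for an agent till are assumptions; every record is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT_KSH = 100_000   # daily turnover figure quoted in the text
WEEKLY_LIMIT_KSH = 300_000  # weekly figure for personal accounts quoted in the text


def _txn(day, hour, account, kind, agent, amount):
    """Build one constructed transaction record (the January 2019 dates are arbitrary)."""
    return {"ts": datetime(2019, 1, day, hour), "account": account,
            "kind": kind, "agent": agent, "amount": amount}


# Constructed sample data; every identifier below is made up.
SAMPLE_TXNS = (
    # ACC-A: two withdrawals on one day, 110,000 in total.
    [_txn(3, 9, "ACC-A", "personal", "AGENT-01", 60_000),
     _txn(3, 15, "ACC-A", "personal", "AGENT-01", 50_000)]
    # ACC-B: 45,000 a day for seven days, 315,000 in total.
    + [_txn(d, 10, "ACC-B", "personal", "AGENT-02", 45_000) for d in range(7, 14)]
    # ACC-C1..C4: 40,000 each, same day, same agent till.
    + [_txn(20, 11 + i, f"ACC-C{i + 1}", "personal", "AGENT-77", 40_000)
       for i in range(4)]
)


def rolling_breaches(txns, key, window, limit):
    """Return {entity: peak} for entities whose summed amount inside any
    rolling `window` (a timedelta) exceeds `limit`. `key` names the field
    to aggregate on, e.g. "account" or "agent"."""
    per_entity = defaultdict(list)
    for t in txns:
        per_entity[t[key]].append((t["ts"], t["amount"]))
    breaches = {}
    for entity, rows in per_entity.items():
        rows.sort()
        start = running = peak = 0
        for ts, amount in rows:
            running += amount
            # Drop transactions that have slid out of the window.
            while ts - rows[start][0] >= window:
                running -= rows[start][1]
                start += 1
            peak = max(peak, running)
        if peak > limit:
            breaches[entity] = peak
    return breaches


def flag(txns):
    """Apply the two per-account rules, then the same daily figure per agent till."""
    personal = [t for t in txns if t["kind"] == "personal"]
    day, week = timedelta(days=1), timedelta(days=7)
    return {
        "daily_by_account": rolling_breaches(txns, "account", day, DAILY_LIMIT_KSH),
        "weekly_by_account": rolling_breaches(personal, "account", week, WEEKLY_LIMIT_KSH),
        # Assumption for illustration: reuse the daily figure at agent level.
        "daily_by_agent": rolling_breaches(txns, "agent", day, DAILY_LIMIT_KSH),
    }


if __name__ == "__main__":
    for rule, hits in flag(SAMPLE_TXNS).items():
        print(rule, hits)
```

The four ACC-C accounts stay under both per-account limits and surface only when the same transactions are aggregated by the till they were withdrawn through.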
2.3.2 Categories of victim

This section looked at the nature of the criminal or victim that makes prosecution and punishment more or less likely.

2.3.2.1 Members of the Public

Reporting and successive investigation of financial crimes such as fraud are subject to the number of victims involved and the quantity of money in question. The greater the number of individuals affected or the money lost, the more likely the crime is to be investigated. Also taken into consideration are the education background, age and economic standing of the victim (Croall, 2005).

2.3.2.2 Mobile Network Operator

If the fraud is perpetrated internally, and the MNO is the victim, investigations on the suspicious transactions will be done internally to maintain customer confidence. According to Buku and Mazer (2017), insufficient internal controls and audit processes, poor corporate constructs, a lack of employee awareness on fraud, and inadequate whistle blowing systems are among the significant contributors to internal fraud.

2.3.3 Category of Criminals

This section discussed the categories of individuals or groups of individuals who perpetrate and profit from financial crimes.

2.3.3.1 Politically Exposed Persons (PEP)

A Politically Exposed Person is rated as an individual with a high risk of bribery, corruption, and money laundering by virtue of their position within the state. This term was coined by FATF, who recommend that enhanced monitoring of accounts should be implemented for such individuals (Croall, 2005).

2.3.3.2 Rogue Insiders: Major and Petty

These are insider frauds suffered by MNOs, such as employees colluding with criminals to defraud customers by illegally sharing out their transactional data. Such cases often call into question the ability of MNOs to secure customers’ transactions, and attract non-compliance fines for not putting in place adequate measures to cater to internal and external crimes (Croall, 2005).
2.3.3.3 Organised crime groups

This section refers to a network of criminals who stage well organised attacks on m-money customers and agents. Using scams such as social engineering, these criminals take advantage of the naivety of their victims to defraud them of money in their mobile wallets (Buku & Mazer, 2017).

2.4 Systems and Controls used to detect Financial Crimes in Traditional Financial Institutions

Traditional financial institutions have the advantage of experience in terms of the systems and controls they implement to secure transactions and monetary compliance. The following are the systems and controls currently in place for detecting financial crimes.

2.4.1 Transaction Monitoring

Transaction monitoring systems help Financial Institutions monitor customer transactions for AML/CFT risk. They combine and analyze this information together with a customer’s account profile, to determine a customer’s profile, risk levels, and predicted future activity. The transactions monitored can include cash deposits, withdrawals, payments and transfers (Comply Advantage, 2018).

2.4.2 Know Your Customer (KYC) and Customer Due Diligence (CDD) Systems

Know Your Customer (KYC) and Customer Due Diligence (CDD) is an area of regulatory requirement. These systems and controls allow FIs to focus their compliance efforts on determining their customers’ risk index. Figure 2.1 below elaborates the processes of KYC and CDD.

Figure 2.1: Customer Due Diligence Process (Fisher, 2017)

During customer onboarding, KYC and CDD are focused on the authentication and substantiation of customer identity to establish their risk rating. Continuous due diligence requires persistent monitoring of customer transactions to detect suspicious activities. Enhanced KYC systems should ideally integrate from end to end the customer process framework covering on-boarding requirements, continuous risk monitoring and reporting (Chartis Research, 2015).
2.4.3 Sanctions and watch-list monitoring

Sanctions screening is a control employed within Financial Institutions (FIs) to detect, prevent and manage sanctions risk as per regulatory compliance. Screening is undertaken as a Financial Crime Compliance (FCC) programme, to assist in identification of sanctioned individuals and organisations and the illegal activity to which a financial organization can be exposed. Reference databases for money laundering, corruption and terrorism are used to rate customers based on police reports, news articles etc. as linked to them (Wolfsberg Group, 2019).

The Wolfsberg Group (2019) advise that FIs must continuously update watchlists and ensure low false (positive or negative) reporting rates while updating the information and applying it in real time. An excessively cautious system can lead to high false positive reporting, while systems that only screen for direct matches have high false negative reporting. Figure 2.2 displays the risk approach used to screen customers.

Figure 2.2: Risk based approach in sanction screening (FinScan, 2016)

Financial institutions are fined for sanctions violations, therefore forcing them to be constantly up to date with all sanctions, fraud or trade monitoring guidelines, in any jurisdiction through which they carry out business (Ernst and Young, 2016).

2.4.4 Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) Compliance

Money laundering is the process by which the illicit source of income generated by criminal activities is concealed to hide the link between the funds and the original crime. On the other hand, terrorist financing involves raising and processing assets to supply terrorists with funding to facilitate their criminal activities (Owuor, 2016).
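The screening trade-off described in section 2.4.3 (direct-match screens miss listed parties, over-cautious screens raise false alerts), measured on a small labelled set in an added example that is not from the thesis or from any screening product. The normalisation rule, the edit-distance similarity score and the thresholds are assumptions; the watchlist and customer names are constructed and refer to no real party.

```python
import re

# Constructed watchlist; the names refer to no real party.
WATCHLIST = ["John Example Doe", "Acme Shell Traders"]

# Constructed ground truth: (customer name, True if it really is a listed party).
CUSTOMERS = [
    ("John Example Doe", True),    # exact spelling
    ("DOE, John Example", True),   # same name, surname first
    ("Jon Exampel Doe", True),     # same name with typing errors
    ("Joan Example Dow", False),   # a different person with a similar name
    ("Jane Sample Roe", False),    # unrelated
]


def normalise(name):
    """Lower-case, strip punctuation and sort the tokens so word order is ignored."""
    return " ".join(sorted(re.sub(r"[^a-z0-9]+", " ", name.lower()).split()))


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or keep
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical normalised names, falling towards 0.0 as edits accumulate."""
    a, b = normalise(a), normalise(b)
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1 - edit_distance(a, b) / longest


def is_hit(name, threshold):
    """threshold=None models a direct-match screen (case-insensitive equality)."""
    if threshold is None:
        return any(name.strip().lower() == w.lower() for w in WATCHLIST)
    return max(similarity(name, w) for w in WATCHLIST) >= threshold


def evaluate(threshold):
    """Count both kinds of screening error against the constructed ground truth."""
    fp = sum(1 for n, listed in CUSTOMERS if is_hit(n, threshold) and not listed)
    fn = sum(1 for n, listed in CUSTOMERS if not is_hit(n, threshold) and listed)
    return {"false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    for threshold in (None, 0.90, 0.80):
        label = "direct match" if threshold is None else f"fuzzy >= {threshold:.2f}"
        print(f"{label:15s}", evaluate(threshold))
```

In this sample the misspelt listed name scores 0.8125 and the unrelated near-namesake scores 0.875, so no single cut-off removes both error types; that is why name screening is usually combined with secondary identifiers such as date of birth or ID number.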
Anosh and Ahmadi (2015) discussed that while these two crimes differ in many ways, they often exploit the same vulnerabilities in financial systems that allow for an inappropriate level of anonymity and non-transparency in the execution of financial transactions. Due to the sensitivity of financial custodianship, all traditional Financial Institutions in Kenya are mandated by the Central Bank of Kenya to comply with FATF (Financial Action Taskforce) Recommendations in handling their AML and CTF processes.

FATF is an internationally endorsed global standard for implementing effective AML/CFT measures to facilitate transparency, traceability, and accountability within the banking industry (FATF*GAFI, 2010). The activities undertaken by the taskforce are:

(i) Setting international standards to combat money laundering and terrorist financing.
(ii) Assessing and monitoring compliance with the FATF standards.
(iii) Conducting typologies studies of money laundering and terrorist financing methods, trends and techniques.
(iv) Responding to new and emerging threats, such as proliferation financing.

These activities increase the transparency of a financial system while providing members with the capacity to successfully counter money launderers and terrorist financiers (Financial Action Task Force FATF*GAFI, 2010).

2.4.5 Cyber-Security

Financial institutions are frequently stepping up their efforts in responding to occurrences that are often directed at multiple channels, products and systems to improve their cyber security controls (Buku & Mazer, 2017).

2.5 Effectiveness of Controls and Systems in Detecting Financial Crimes in Kenya

Financial crimes vary depending on the industry that an organisation operates in, their jurisdictional risk, the products and services they offer and how mature their compliance operations are. Controls within financial services have enforced a semblance of decorum amongst most customers in terms of compliance and customer sensitization.
However, there is a constant need to evaluate and evolve to cater to the complexity and rapidity of financial crime evolution (Financier WorldWide, 2018). Many firms have underinvested, or not made their AML/CFT programs a firm priority, therefore allowing criminals to thrive on their illegitimate profits. It is not enough to implement emerging and innovative technology such as transaction monitoring tools; improving the quality of data and leveraging public sources of data for validation are also critical strategies in successfully detecting suspicious transactions.

2.6 Pattern Recognition

Pattern Recognition is the science or process concerned with the classification of data into different categories based on similarities in already existing knowledge. Its ultimate goal is to optimally extract patterns based on certain conditions and to separate one class from the others (Bishop, 2006).

2.6.1 Pattern Recognition Process in Suspicious Transaction Detection

The pattern recognition process is composed of preprocessing, feature extraction, and classification, as illustrated in figure 2.3. A data source or dataset is preprocessed, so that it becomes suitable for subsequent sub-processes. The next step is feature extraction, in which the dataset is converted into a set of feature vectors which are supposed to be representative of the original data. These features are used in the classification step to separate the data points into different classes based on the problem (Karyakarte & Savant, 2019).

2.6.1.1 Pre-processing

Tang (2014) defines the role of preprocessing as segmenting the unique pattern from the background. It is used to reduce variations and produce a more consistent set of data. Preprocessing should include some noise filtering.
Figure 2.3: Pattern Recognition Process (Liu, Sun, & Wang, 2006)

2.6.1.2 Feature extraction

A feature is the measure of observable data corresponding to a pattern. Feature extraction is used to overcome the problem of high dimensionality of the input set in pattern recognition. As in figure 2.3 above, the input data is transformed into a reduced representation set of features, also termed a feature vector. Only the relevant information from the input data should be extracted in order to perform the desired task using this reduced representation instead of the full size input (Karyakarte & Savant, 2019).

Features extracted must be easily computed, robust, rotationally invariant, and insensitive to various distortions. Then the optimal feature subset that can achieve the highest accuracy results should be selected from the input space.

2.6.1.3 Feature selection

According to Guyon and Elisseeff (2003), the purpose of feature selection is categorised into three processes:

(i) Refining the detection operation.
(ii) Delivering faster and more affordable detectors.
(iii) Providing a better understanding of the underlying process that data was generated from.

The features extracted at the extraction phase are put through a filtering process to acquire a more discriminative feature vector. At this point the physical meaning of the original features is maintained. The feature vector available at the end of this step is the training data.

2.6.1.4 Classification

According to Sharma and Kaur (2013), classification is the process of assigning a label to an input item with the help of an algorithm. The input items are the feature vectors produced after feature selection.
As illustrated in figure 2.4, if a classification algorithm acknowledges a refined feature set from the feature selection step as input, then it is a supervised classification algorithm. The classifiers contain the knowledge of each pattern category and also the criterion or metric to discriminate among pattern classes. However, in the case of an unsupervised classification algorithm, the system parameters are adapted using only the information of the input, and constrained by prespecified internal rules. It attempts to find inherent patterns in the data that can then be used to determine the correct output value for new data instances (Karyakarte & Savant, 2019).

Figure 2.4: Unsupervised and Supervised Classification (WGBIS, 2014)

2.6.1.5 Decision making process

The input of this stage is the classified data (supervised or unsupervised classification), and it provides system users with reliable results to make decisions on how to proceed with flagged transactions (Sharma & Kaur, 2013).

2.6.2 Review of Pattern Recognition Techniques used to detect Financial Crimes

Pattern recognition techniques are divided into three categories, i.e., supervised pattern recognition techniques, semi-supervised pattern recognition techniques and unsupervised pattern recognition techniques (Asht & Dass, 2012).

2.6.2.1 Supervised Techniques

Supervised pattern recognition uses supervised learning algorithms to create classifiers from various object classes (Gujral et al., 2019).

Statistical Pattern recognition

Statistical pattern recognition systems are used extensively because of their simplicity, i.e. they are based on statistics and probabilities. Traits are recoded in the form of numbers which are then applied to create a pattern. Each pattern is therefore represented by a specific multidimensional vector, used for pattern recognition (Duin et al., 2002).
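The stages of section 2.6.1 (pre-processing, feature extraction, feature selection, classification) chained end to end with a K-Nearest Neighbor classifier, the algorithm the thesis abstract names, in an added example that is not the thesis's tool. The field names, the min-max scaling, the class-mean selection score and k=3 are assumptions; all records are constructed.

```python
import math
from collections import Counter

FEATURES = ["amount", "txns_24h", "new_recipients_24h", "hour"]  # assumed fields


def _row(amount, txns, new_rec, hour, label):
    return {"amount": amount, "txns_24h": txns,
            "new_recipients_24h": new_rec, "hour": hour, "label": label}


# Constructed labelled sample (0 = genuine, 1 = fraudulent) plus two noisy rows.
RAW = [
    _row(1000, 1, 0, 9, 0), _row(2000, 2, 1, 13, 0),
    _row(3000, 1, 0, 17, 0), _row(4000, 2, 1, 21, 0),
    _row(7000, 9, 8, 9, 1), _row(8000, 10, 9, 13, 1),
    _row(9000, 11, 10, 17, 1), _row(10000, 10, 9, 21, 1),
    _row(None, 3, 1, 12, 0),   # noise: missing amount
    _row(-50, 1, 0, 12, 0),    # noise: impossible amount
]


def preprocess(records):
    """Noise filtering: keep records whose fields are numeric and amount > 0."""
    return [r for r in records
            if all(isinstance(r.get(f), (int, float)) for f in FEATURES)
            and r["amount"] > 0]


def extract(records):
    """Feature extraction: one numeric vector per transaction."""
    return [[float(r[f]) for f in FEATURES] for r in records]


def fit_scaler(vectors):
    """Per-feature minimum and maximum, learned from the training vectors."""
    columns = list(zip(*vectors))
    return [min(c) for c in columns], [max(c) for c in columns]


def scale(vector, scaler):
    """Min-max scale so that no feature dominates the distance by its units."""
    lo, hi = scaler
    return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vector, lo, hi)]


def select_features(vectors, labels, min_score=0.5):
    """Filter-style selection: keep features whose class means differ enough."""
    keep = []
    for i in range(len(vectors[0])):
        pos = [v[i] for v, y in zip(vectors, labels) if y == 1]
        neg = [v[i] for v, y in zip(vectors, labels) if y == 0]
        if abs(sum(pos) / len(pos) - sum(neg) / len(neg)) >= min_score:
            keep.append(i)
    return keep


def train(records):
    """Run pre-processing, extraction, scaling and selection; KNN stores the rest."""
    clean = preprocess(records)
    labels = [r["label"] for r in clean]
    vectors = extract(clean)
    scaler = fit_scaler(vectors)
    scaled = [scale(v, scaler) for v in vectors]
    keep = select_features(scaled, labels)
    return {"scaler": scaler, "keep": keep, "labels": labels,
            "train": [[v[i] for i in keep] for v in scaled]}


def classify(model, txn, k=3):
    """Majority label among the k training vectors nearest to `txn`."""
    v = scale(extract([txn])[0], model["scaler"])
    query = [v[i] for i in model["keep"]]
    nearest = sorted(zip((math.dist(t, query) for t in model["train"]),
                         model["labels"]))[:k]
    return Counter(y for _, y in nearest).most_common(1)[0][0]


if __name__ == "__main__":
    model = train(RAW)
    print("selected:", [FEATURES[i] for i in model["keep"]])
    # A modest amount sent amid a burst of transfers to new recipients.
    burst = {"amount": 3000, "txns_24h": 9, "new_recipients_24h": 9, "hour": 14}
    print("label:", classify(model, burst))
```

The burst transaction carries an amount typical of the genuine class, yet its neighbours in the selected feature space are all fraudulent, so it is labelled 1 on its activity pattern rather than on its value.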
The methods/algorithms that are applicable for statistical pattern recognition include: Naïve-Bayes (NB-C), Linear Discriminant Analysis (LDA-C), Kernel Classifier (Kernel-C), Least Mean Square Linear Classifier (Linear LMS-C), Least Mean Square Quadratic Classifier (PolQuadraticLMS-C), Multinomial logistic regression model with a ridge estimator (Logistic-C) and Particle Swarm Optimization - Linear Discriminant Analysis (PSOLDA-C).

Challenges with Statistical Pattern Recognition

Issues with representation (similarities), feature reduction and classifier complexity (adaptation), and classifier training and imbalanced data (generalization) can easily impact the precision of the pattern recognition model (Aguilar, 2004).

2.6.2.2 Unsupervised Techniques

Unsupervised classification finds hidden features in unlabeled data using clustering or data segmentation techniques (Gujral et al., 2019).

Template Matching Pattern Recognition

Template matching is generally used in image processing. It describes how patterns are identified by clusters of pixels or curves to localize and identify shapes in an image. Thus, patterns are identified in the form of templates (Raj et al., 2015).

Challenges with Template Matching Pattern Recognition

This technique is only suitable for matching image patterns and not transactions.

2.6.2.3 Semi-Supervised Techniques

Semi-supervised techniques define a more complex relationship between elements.

Structural/Syntactic Pattern Recognition

Structural or syntactic pattern recognition focuses on the identification of a hidden pattern and is achieved by matching its symbolic representation with several predefined object models. In the structural approach, the association is made by a characteristic match that calculates a measure of similarity between the unknown input and several prototype models.
In syntactic pattern recognition, a parser or error-correcting parser checks an unknown input for its accordance with the rules of a grammar that describes all members of a pattern class (Serratosa et al., 2011).

Challenges with Syntactic Pattern Recognition

The syntax of the language is not known explicitly; only a sample of patterns is given, hence defining such an algorithm is much more difficult. Then again, the lack of a grammatical inference algorithm makes the use of a syntactic pattern recognition model impossible in most real-world applications (Jain et al., 2000).

2.7 Empirical Literature on Pattern Recognition in Detecting Financial Crimes

This section covers some of the most relevant works related to the application of pattern recognition techniques in the field of detecting crimes. There is limited research on the use of pattern recognition in detecting financial crimes, specifically in mobile money transactions. AML/CFT tools developed for financial institutions mostly use data mining techniques for suspicious transaction detection. To the best of the researcher’s knowledge, there are no applications involving real-time detection of financial crimes on mobile money transactions. Nevertheless, there are works that have applied pattern recognition to flag fraud in the financial industry. Unfortunately, these articles do not specify the databases used.

A pattern in crime detection is defined as a series of crimes committed by the same offender or group of offenders. To identify true patterns, one would need to consider information beyond simply time and space, including other features of the crimes. There are few known previous works aimed directly at detecting specific patterns of financial crime in mobile money transactions (Wang & Rudin, 2013).
2.7.1 A Conceptual Framework for Detecting Financial Crime in Mobile Money Transactions

Gombiro, Jantjies and Mavetera (2015), in their proposed framework, were influenced by the fact that existing methods of financial crime detection did not address the occurrence of false positive rates adequately. They proposed to overcome this limitation using big data analytics, where the method looked at large volumes of data and dealt with variety and the removal of noisy data. Based on the millions of transactions generated by M-money transactions, there exists a need to extract value from the data by differentiating legal from illegal transactions on mobile money transactions.

2.7.1.1 Proposed Framework

The framework encompassed monitoring activities such as fraud, social network analysis and money laundering. It was built on the foundation of the FATF 2012 recommendations and preliminary observations using M-money platforms and their requirements.

The framework applied data cleaning, pre-processing and the use of historical databases. Input data was sourced from employee logs, a historical offenders’ database, and historical and real-time transaction data. The flags and Suspicious Activity Reports (SAR) were then forwarded to a crime analysis agency for further analysis. An ontology was set to define a set of rules to link customers, customer ranking, threshold values and transaction rules (Gombiro, Jantjies, & Mavetera, 2015).

2.7.1.2 Success and Drawback

The framework addressed the problem of identifying anomalies in mobile money transactions by use of various data mining approaches as well as the use of Dempster-Shafer theory to identify evidence of financial abuse and assign probabilities based on the likelihood of a transaction falling under illegal transactions. However, the researchers acknowledged that they could have selected a different algorithm for faster execution in the identification of suspicious transactions and execution of the tools.
Furthermore, there is a need to continuously update the rule base, as criminals always come up with new techniques in money laundering, cybercrimes, and other financial crimes.

Figure 2.5: Conceptual framework for detection of M-money financial crime

2.7.2 Predicting Fraud in Mobile Money Transfer

Adedoyin (2018), in his research, proposed a pattern recognition model to predict fraud in mobile money transfer transactions using Case-Based Reasoning (CBR). The researcher deduced that most machine learning techniques depend on statistically relevant datasets for prediction. However, in the absence of a significant size of historical data, they would most often not perform well. Hence the application of Case-Based Reasoning (CBR), a modern computational method that solves new problems using solutions (specific knowledge) from past and similar problems that were successfully solved.

2.7.2.1 Proposed Framework

Figure 2.6 below illustrates the architecture of the proposed framework which the researcher implemented to detect mobile money transfer fraud. The case-based reasoning (CBR) system was proposed as the classifier due to the absence of historical consumption data. The proposed framework consisted of three main components: Input, Process and Output, detailed as follows.

Input: Under the framework, the simulated MMT data were first pre-processed by running several queries to verify its quality. A clustering algorithm was then applied to guide and reduce the search space by collecting the most similar clusters. This enabled cases collected under similar circumstances to be identified and limited the retrieval to these cases.

Process: The CBR classifier was used to classify new instances of MMT transactions as either fraud or non-fraud cases. To exploit the flexibility of weighting all the input vectors in the process component, a Genetic Algorithm (GA) was used to calculate their weights to reflect the significance of each vector as determined by the GA.
Output: As indicated in Figure 5.1, the output section provided a summary window for the prediction which displayed the ranking of clusters of transaction neighbors.

Figure 2.6: Fraud Detection Framework

2.7.2.2 Success and Drawback

From the results of the experiments, it was determined that the pattern recognition model could not only identify suspect transactions but also provide the ranking of clusters of transaction neighbors for new cases. CBR with the clustering approach showed a better time performance but with significantly low accuracy, which was the drawback of the research.

2.7.3 Fraud Detection in Mobile Money Transactions Using Machine Learning

Kang (2019) in this study explored a data mining system for fraud detection in mobile financial transactions. The researcher compared two supervised machine learning models, random forest and gradient boosting, for their applicability in the detection of fraudulent records. The primary data source was the Paysim Simulator for detecting fraud in mobile money transactions.

2.7.3.1 Proposed Framework

The research aimed to build a probing system by adopting supervised learning, where known normal and fraudulent cases were used to train the models to learn their characteristics. The researcher partitioned the raw data frame into two subsets, training and testing sets. The former trained random forest and gradient boosting with labeled data, making the systems exploit the patterns of legal and illegal transactions. The systems were able to predict which class a new observation belonged to. The models were then applied to the testing set, to verify both methods while evaluating their accuracies.

2.7.3.2 Success and Drawbacks

The accuracies of the models were higher than expected, due to the synthetic nature of the dataset. In the real-world environment, the accuracy would be lower.
The researcher should have tested a sample of real-world transactions to truly verify the accuracy of the output.

2.8 Summary of Empirical Literature on Detecting Pattern Recognition in Detecting Financial Crimes

Table 2.2 is a summarization of studies, both significant and small, that influenced the researcher in developing the pattern recognition tool for detecting financial crimes on mobile money transactions.

Table 2.2 Summary of Empirical Literature on Detecting Financial Crimes using Pattern Recognition

| Study | Model or framework | Drawbacks |
|---|---|---|
| A Conceptual Framework for Detecting Financial Crime in Mobile Money Transactions by Gombiro, Jantjies and Mavetera (2015) | Big data analytics | The framework required an algorithm that executed faster in the identification of suspicious transactions. Furthermore, there is a need to continuously update the rule base, as criminals always come up with new techniques in financial crimes. |
| A Framework for Predicting Fraud in Mobile Money Transfer by Adedoyin, A. (2018) | Case-Based Reasoning (CBR) with clustering | CBR with the clustering approach showed a better time performance but with significantly low accuracy. |
| Fraud Detection in Mobile Money Transactions Using Machine Learning by Kang (2019) | Two supervised machine learning models, random forest and gradient boosting | Data used was highly imbalanced, therefore bringing into question the true accuracy of the model’s ability to detect fraudulent transactions. |
| Autoregressive-based outlier algorithm to detect money laundering activities by Kannan and Somasundram (2017) | Autoregressive-based outlier algorithm | The inability to differentiate between normal and suspicious transactions was a limitation. Also, the use of a Linear Regression algorithm resulted in a lack of deep analysis of the problem and in time consumption. |
| A Multi-Variant Relational Model for Money Laundering Detection using the Time Series Data Architecture by MCA & Prakaran (2014) | Relational mapping by differentiating multiple accounts, and a time series by splitting the data at a particular time frame | A criminal can however deposit illegitimate funds into different accounts to legitimize them. |

2.9 Gap Analysis

Traditional financial crime detection systems and controls are primarily dependent on the use of data mining for focused identification, verification and customer profiling. For mobile money transactions this is however not the case, as KYC and CDD are only done at customer onboarding, at which point an agent cannot really authenticate the customer's identity. To gain strategic advantage in this fight against financial crimes, there is a need to adopt solutions that do not merely respond to past patterns of attack but are also highly anomaly-aware in analyzing and detecting suspicious patterns in real time.

2.10 Conceptual Framework

The continuing threat of financial crimes in mobile money transactions reinforces the necessity for deploying pattern detection and an alerting functionality on the actual traffic flowing through. The framework encompasses monitoring activities such as fraud, terrorism financing and money laundering.

Figure 2.5: Conceptual Framework

The data from the data source underwent pre-processing to remove any noisy transactions while ensuring that only complete transactions were forwarded for monitoring. Feature extraction was subsequently performed on the initial set of measured data and was completed with the necessary features to facilitate the successive learning and generalization steps. Real-time transaction monitoring continuously applied activity monitoring for suspicious transactions. The typical four stages in monitoring were: suspicious activity identification, after which the tool would send alerts to system users upon the detection of a suspicious transaction.
Finally, the data would then be stored for future reference and link analysis.

Chapter 3: Research Methodology

3.1 Introduction

This section described the main research methodology that was adopted in carrying out this research. Structured System Development (SSD) is a formal process of eliciting system requirements, both to reduce the possibility of the requirements being misunderstood and to ensure that all the requirements are known before the system is developed. It also introduces rigorous techniques to the analysis and design process (Wells, 2009).

3.2 Research Design

The research design adopted in this study was exploratory-descriptive due to the fact that it was important to identify the commonalities in data (explorative) and to categorize the commonalities in a particular manner (descriptive) (Brink & Marilynn, 1998). The combination of these two elements was used to extract insights out of the data. The analysis of the common factors and their correlation uncovered details in the subject matter that were critical in understanding it.

3.2.3 System Development

The system development approach applied for this research was Agile Methodology. This methodology allows for repeated improvements on the different modules of the system based on the success of the research and the discovery of new technologies to improve the functionality of the anticipated tool. Above all, it enabled the researcher to better define the system requirements as the process was done incrementally (Lu & DeClue, 2011).

Figure 3.1: Agile System development

The Agile development lifecycle involves the basic steps mentioned below.

3.2.3.1 Requirements

This phase involved capturing requirements for the iteration based on thorough document analysis. These requirements were:
(i) Real-time detection of suspicious transactions.
(ii) The tool should be able to detect suspicious transactions such as fraud, money laundering and terrorist funding.
(iii) Accurate reporting of suspicious transactions.

3.2.3.2 Design

The design stage involved the use of high-level UML diagrams and wireframes to demonstrate how the tool would function and how it would fit into the already existing system.

3.2.3.3 Development/Iteration

Once the requirements were defined, developing iterations of the project began, with the goal of having a working product to launch at the end of the sprint. The tool was developed using Python as a programming language due to its vast number of available libraries. The Matlab Pattern Recognition Toolbox was used for representation and generalization, and an SQLite database was used to store data on suspicious transactions. The product underwent various rounds of revisions; therefore, this first iteration includes only the bare minimum functionality. There is an allowance for future additional sprints to expand upon the overall system.

3.2.3.4 Testing

Testing involved validation of the accuracy of the model for the final detection tool using and the second phase of testing was conducted on the tool using test data reserved from the dataset. A confusion matrix was also applied.

3.2.3.5 Deployment

This phase involved releasing the live version of the system. The production phase ends when support has ended or when the release is planned for retirement.

3.2.3.6 Review

This stage involved reviewing the results of the first round of testing the model and reworking them into the requirements of the next iteration.

3.2.4 System Analysis

This phase involved studying the existing system (the transaction monitoring system) and the proposed framework in the context of their interrelationship, and eliminating redundancies.

3.2.5 System Design

System design expresses the architecture, components, modules, interfaces and data for a system to satisfy specified requirements (Waldo, 2006).
This research made use of UML diagrams such as a context diagram, data flow diagrams (level 1 & 2), a data model, a database schema and finally wireframes (to depict the GUI of the tool). These aids were a suitable representation of the proposed tool regarding SSD Methodology.

3.3 Target Population and Sampling

Asiamah, Mensah and Oteng-Abayie (2017) defined target population as a group of individuals or participants with specific attributes of interest and relevance to a research study. The target population of this research was financial transactions conducted on mobile money platforms. Due to data privacy laws and the difficulty in obtaining such data, a synthetic dataset, the Paysim Mobile money simulator, was used. The target population required a data source with both numerical and categorical features like transaction type, amount transferred, account numbers of sender and recipient accounts, etc. The Paysim synthetic dataset for mobile money transactions, sourced from the Kaggle website, is the only data source that contained such detailed transactional data. The entire dataset frame, consisting of 6,362,620 observations, 11 columns and five transaction types, was sampled during data analysis.

3.4 Data Collection

The primary source of transactional data for this research was a synthetic mobile money dataset, the Paysim Mobile money simulator. The dataset simulates mobile money transactions based on a sample of real transactions extracted from one month of financial logs from a mobile money service implemented in an African country. The original logs were provided by a multinational company, a Mobile Network Operator currently running in more than 14 countries around the world.

3.5 Data Pre-processing

Data directly mined from the Paysim Mobile money simulator contained some missing and erroneous data, therefore making immediate analysis impossible.
Several transactions contained zero balances in the destination account both before and after a non-zero amount was transacted. Such data underwent transformations and were then recorded for data analysis.

3.6 Data Analysis

Exploratory Data Analysis (EDA) was most appropriate in determining how to improve and come up with a better threshold to capture the suspicious transactions. The outcome of the data analysis was that the target variable was ‘isFraud’, the actual fraud status of the transaction, while ‘isFlaggedFraud’ was the indicator which the simulation used to flag transactions using some threshold.

3.7 Research Quality

This tool was evaluated and validated to ensure that the results are reproducible and stable.

3.7.1 Reliability

Application of the confusion matrix, classification report and the Area Under Receiver Operating Characteristic (AUROC) indicated that the model applied in the tool was able to detect substantially more true positive fraudulent transactions than false positives.

3.7.2 Validity

Validity was concerned with the degree to which the research findings could be applied to the real world without bias, beyond the controlled setting of the research. The tool was able to accurately classify fraudulent transactions from a random selection of dummy data.

3.7.3 Ethical Considerations

This research was based on the original ideas of the researcher, and any externally borrowed concept included in the research was fully referenced and cited in-text to acknowledge the source of the data and its contribution to the research. In addition, the data collected was secondary in nature and was sourced from the Paysim Mobile money simulator dataset, which does not avail any unique identifiers that would link an actual individual to a transaction. Any actual personal information had already been redacted from the dataset, hence there was no chance of any data privacy violation.
Furthermore, the research was issued an ethical approval by the Strathmore University Institutional Ethical Review Committee, as well as a research permit from the National Commission for Science and Technology and Innovation (NACOSTI) after due consideration.

Chapter 4: System Analysis and Design

4.1 Introduction

This chapter expounds on the analysis and design of the pattern recognition tool for detecting financial crimes on mobile money platforms, by incorporating the various requirements that were identified after successful data collection and analysis. It further defines the different stakeholders of the system, system components, system data models and system process models. This chapter also captures the visual representation of the proposed solution using visual modelling language (UML) to ensure the tool was completely understood before development.

4.2 Data Analysis

The goal of this analysis was to better understand the synthetic mobile money transaction dataset, pre-process it and create a model for prediction. The data analysis method applied was exploratory data analysis (EDA), as earlier stated in Chapter 3. The Paysim mobile money dataset for fraud detection comprised 6362620 observations and 11 columns; Table 4.1 is a summary of the variables/labels in the dataset.

Table 4.1 Summary of Variables (Kang, 2019)

| No. | Variable Name | Format Example | Description |
|---|---|---|---|
| 1 | step | 5 | Each step is an hour of time in the real world. The largest number for step is 744 (the 30th day) |
| 2 | type | PAYMENT (Categorical variable) | Transaction types (CASH-IN, CASH-OUT, DEBIT, PAYMENT and TRANSFER) |
| 3 | amount | 8424.74 | Transaction amount in local currency |
| 4 | nameOrig | C1000001725 | Customer who started the transaction |
| 5 | oldbalanceOrig | 351422.72 | The initial balance of sender before the transaction |
| 6 | newbalanceOrig | 257557.59 | The new balance of sender after the transaction |
| 7 | nameDest | M1974356374 | Customer/Merchant who received the transaction |
| 8 | oldbalanceDest | 526950.37 | The initial balance of receiver before the transaction |
| 9 | newbalanceDest | 771436.84 | The new balance of receiver after the transaction |
| 10 | isFraud | 1 (Categorical variable) | The status of a transaction (0 as legitimate and 1 as fraudulent) |
| 11 | isFlaggedFraud | 0 (Categorical variable) | The status that the system identified for a transaction; here an attempt to transfer more than 200,000 (in local currency) in a single transaction will be flagged as an illegal attempt (0 as normal and 1 as illegal attempt) |

4.2.1 Transaction Count

The transaction count graph provides a visualisation of the count for each type of transaction, as listed below.

CASH_OUT: 2237500
PAYMENT: 2151495
CASH_IN: 1399284
TRANSFER: 532909
DEBIT: 41432
(Name: type, dtype: int64)

Figure 4.1: Transaction count per type

4.2.2 Transaction types flagged as suspicious

Figure 4.2 below indicates the actual number of each transaction type that was flagged as fraud. The snippet in figure 4.2 displays the transactions flagged as fraudulent.

Figure 4.2: Transaction types flagged as suspicious

4.2.3 Handling Imbalanced Data

Unrelated transaction types were filtered out and only what was relevant was maintained. Fraud only existed in 0.3% of the dataset, indicating that the data was highly imbalanced. To handle this problem, the dataset was under-sampled to prevent bias towards the majority class.
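The bias that section 4.2.3 describes, and what under-sampling does to it, shown as an added example that is not the thesis's code: constructed rows in the PaySim column layout, with 0.3% fraud, are classified by a small k-nearest-neighbour vote before and after random under-sampling. The row values, the helper names, the choice of k = 5 and the restriction to three numeric columns are assumptions made for this illustration.

```python
import math
import random
from collections import Counter

# Constructed PaySim-style rows, NOT taken from the dataset:
# (amount, oldbalanceOrig, newbalanceOrig, isFraud). All three features are
# in the same currency unit, so no rescaling is applied before measuring distance.
def build_rows():
    rows = []
    # 994 routine small payments from a healthy balance
    for i in range(994):
        amount = 100.0 + i
        rows.append((amount, 50_000.0, 50_000.0 - amount, 0))
    # 3 large but legitimate transfers that leave money in the account
    rows += [(200_000.0, 210_000.0, 10_000.0, 0),
             (195_000.0, 205_000.0, 10_000.0, 0),
             (205_000.0, 215_000.0, 10_000.0, 0)]
    # 3 fraudulent transfers that drain the account (0.3% of 1,000 rows)
    rows += [(180_000.0, 180_000.0, 0.0, 1),
             (220_000.0, 220_000.0, 0.0, 1),
             (260_000.0, 260_000.0, 0.0, 1)]
    return rows

# Constructed held-out transactions used to score both training sets.
HELD_OUT = [
    (200_000.0, 200_000.0, 0.0, 1),        # drained account
    (240_000.0, 240_000.0, 0.0, 1),        # drained account
    (500.0, 50_000.0, 49_500.0, 0),        # routine payment
    (198_000.0, 208_000.0, 10_000.0, 0),   # large legitimate transfer
]

def undersample(rows, seed=42):
    """Random under-sampling: keep every fraud row and an equal-sized
    random subset of the legitimate rows."""
    fraud = [r for r in rows if r[3] == 1]
    legit = [r for r in rows if r[3] == 0]
    kept = random.Random(seed).sample(legit, len(fraud))
    return fraud + kept

def knn_predict(train, features, k=5):
    """Majority vote among the k training rows nearest to `features`."""
    nearest = sorted(train, key=lambda r: math.dist(r[:3], features))[:k]
    votes = Counter(r[3] for r in nearest)
    return 1 if votes[1] > votes[0] else 0

def confusion_matrix(train, test, k=5):
    """Score the k-NN vote on `test`; returns TP, FP, TN and FN counts."""
    cm = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for *features, label in test:
        if knn_predict(train, features, k) == 1:
            cm["TP" if label == 1 else "FP"] += 1
        else:
            cm["TN" if label == 0 else "FN"] += 1
    return cm

def recall(cm):
    """Share of the truly fraudulent transactions that were flagged."""
    return cm["TP"] / (cm["TP"] + cm["FN"])

if __name__ == "__main__":
    rows = build_rows()
    balanced = undersample(rows)
    for name, train in (("full data", rows), ("under-sampled", balanced)):
        cm = confusion_matrix(train, HELD_OUT)
        print(f"{name:14s} classes={dict(Counter(r[3] for r in train))} "
              f"{cm} recall={recall(cm):.2f}")
```

Trained on the full set, the vote for both drained-account transfers is won by nearby legitimate rows, so recall is zero; after under-sampling both are caught, at the cost of flagging the large legitimate transfer, because the legitimate rows that resembled it were discarded. This is why the confusion matrix, not accuracy alone, has to be checked after rebalancing.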
Figure 4.3: Handling Imbalanced Data

4.3 Requirements Analysis

This research aimed at developing a pattern recognition tool for financial crime detection. Based on this objective, the succeeding sections outline the various requirements for the proposed solution. The requirements were mainly gathered through document analysis by the researcher.

4.3.1 Functional Requirements

These are the key system functionalities of the pattern recognition tool that must meet user specifications by identifying the tasks and activities that must be accomplished. They include:
(i) There should be an integration between the proposed tool and the existing Mobile Money System to pull transactional data in real time.
(ii) The tool should detect fraudulent transactions based on analysis of a customer's transacting patterns.
(iii) The tool should update the database with flagged transactions for future link analysis.
(iv) The tool should be able to send alerts in real time, via email, to authorised system users when a transaction is flagged.

4.3.2 Non-Functional Requirements

These describe the constraints under which the tool must work, hence the following considerations.
(i) Usability: The system is intended for use by the internal compliance and audit team of any MNO firm to improve their financial reporting capability and hence improve regulatory compliance, service delivery and platform integrity.
(ii) Data Security: The data being processed by the system is confidential and should be treated as such, hence the need for user rights and roles on data management to be assigned as per a company’s data policies.
(iii) Persistent Storage: Configuration of the SQLite database server was key for the researcher, to ensure uninterrupted connectivity when historical records are being accessed.

4.4 System Process

The proposed system process in Figure 4.6 illustrates the general layout of the pattern recognition tool.
The major steps that take place in the system are as follows:

Figure 4.4: System Architecture

4.5 Data Flow Diagrams

DFDs represent the flow of data through the proposed tool's process and provide information about the outputs and inputs of each entity and the process itself.

4.5.1 Context Diagram

The context diagram in figure 4.7 depicted the boundary of the tool, its environment and the entities that it interacted with, i.e. the Mobile Money system and system users. Additionally, it showed the inputs (transaction data source) and outputs (analysed results) from the various entities.

Figure 4.5: Context Diagram

4.5.2 Data Flow Diagram Level 1

The level 1 DFD notated each of the main sub-processes that together form the complete system. An authorized system user, upon login, would be able to query the system for transactions that were flagged as fraudulent within a given date range.

Figure 4.6: Data Flow Diagram Level 1

4.5.3 Data Flow Diagram Level 2

The level 2 data flow diagram (DFD) offered a more detailed look at the processes that made up the system than the level 1 DFD does. Once a transaction is flagged as fraudulent, a system user can carry out an analysis of the customer’s transactional history and update their risk rating (based on the various sanctions lists) as part of the customer due diligence process.

Figure 4.7: Data Flow Diagram Level 2

4.6 Data Model

The data model was an abstract model that organized the elements of data according to how they related to one another and to the properties of other real-world entities. The database was made up of the customer, transaction, transaction type and system user tables, each with its individual attributes, related to each other as in figure 4.8.

Figure 4.8: Data Model

4.7 Database Schema

The database schema defined how the data was organized and how the relations among the tables were associated.
The data was organized into four entities: customer, transaction, transaction type and system user. How each entity is associated with the others is captured in figure 4.9.

Figure 4.9: Database Schema

Chapter 5: System Development and Testing

5.1 Introduction

This research aimed to develop a tool that would use classification as a pattern recognition technique to actively detect suspicious mobile money transactions. This chapter therefore discusses in detail the process of development and testing of the tool based on the functional and non-functional requirements captured in the preceding chapter.

5.2 Detection Model Structure

The proposed financial crime detection tool applied a classification model to accurately identify suspicious transactions based on unique and differentiating traits. Figure 5.1 describes how the model analyses a transaction up to the point it is classified as suspicious or non-suspicious, after which an alert is generated and sent to an authorised user.

Figure 5.1: Financial Crime Detection Model

5.2.1 Importing Transactional Data Source

The model used data from the Paysim Mobile Money Dataset for fraud detection, sampled in Appendix 1. The code snippet in figure 5.2 visualizes the dataset and some of its labels, which were key in distinguishing fraudulent from genuine transactions.

Figure 5.2: Importing Data

5.2.2 Data Processing

The data processing stage involved compressing the data to capture only what was relevant for the feature extraction phase. In figure 5.3 the researcher established that the column labels step, type, amount, oldbalanceOrig, newbalanceOrig, oldbalanceDest and newbalanceDest in the dataset were most critical in differentiating fraudulent from genuine transactions.

Figure 5.3: Data Compressing

5.2.3 Feature Extraction

The feature extraction process involved categorizing transactions into two, ‘isFraud’ (suspicious) and ‘nonfra