Research of Classical and Intelligent Information System Solutions for Criminal Intelligence Analysis
Vladimir Šimović
ABSTRACT
The objective of this study is to present research on classical and intelligent
information system solutions used in criminal intelligence
analysis in Croatian security system theory. The study
analyses objective and classical methods of information
science, including artificial intelligence and other scientific
methods. The intelligence and classical software solutions
researched, proposed, and presented in this study were
used in developing the integrated information system for
the Croatian Anti-money-laundering Department and the
Croatian Criminal police. This software conforms to trends
of operational research in criminal intelligence analysis,
and is used in similar security information systems as
well. The development and implementation of classical
and intelligent software applications (and tools) was
necessary to deal with criminals, their crimes, and the
methods employed to engage in money-laundering. The goal
of the research is to address a full range of problem
areas and illustrate the potential and benefit of integrating
classical and intelligent applications in the selected
problem area. The obtained results will be used in further
development of intelligent/information system solutions
for the process of criminal intelligence analysis.
Keywords
information and intelligent systems, criminal and anti-money-laundering
intelligence analysis, integration of artificial intelligence,
and other software solutions
1. Main aspects of criminal and anti-money-laundering intelligence analysis
New aspects of Croatian law in criminal and financial police
practices rely on the relatively new concept of corporate
criminal intelligence analysis (as is the case in other
leading countries). Knowledge about the relatively new
concept of criminal, anti-money-laundering (in short:
AML) theory and practice is important; thus there is a
need for new tactical and strategic criminal and AML analysis.
Modern criminal and AML activities are basically done
with analysts and scientific units whose task is to combat
organised, economic, and AML crime. This approach (informational,
criminological, and forensic) rarely makes use of modern
software applications, products, and scientific-based
organisation in practice and theory (Fig. 1).
Fig. 1: Three different levels of advising in investigations
Forensic investigation and intelligence analysis is the most serious
and difficult area, so precise and detailed advising levels
are necessary for the expert system used. The function
can be explained in one sentence: "in the process
of examining evidence, the expert system must serve in
an advisory role for investigators, analysts, lawyers,
judges, information technicians, and others involved in
any type of investigation and intelligence analysis".
This is also a relatively new conceptual system for combating
organised, economic, computer-related, and other kinds
of crime. Analysis is the process of integration and interpretation
of information leading to conclusions, hypotheses, or inferences.
After this process is completed, the information is manageable
and its quality enhanced. Information is collected, evaluated,
organised, and stored (collated) before criminal and AML
intelligence analysis and action (or new cycle of collection,
evaluation, and collation) can take place. These steps
are also basic components of the overall criminal intelligence
process (Fig. 2).
Effective evaluation requires source reliability and information
validity. Source reliability is determined by source characteristics,
and information validity by the relationship of source
to information. Also, a standardised system must be used
in investigating criminal and AML practices so that conflicting
pieces of information can be evaluated. A standardised
system ensures that everyone recognizes the evaluation
standards. This system is known as the "4 x 4 system".
It is important to prepare the organisational aspect
of criminal intelligence analysis practice well, and especially
the informational input. Sources of information are numerous:
banks, police, tax offices, and so on. This part of
the research focuses on the criminal incident, the
criminal, or the methods employed to control various AML
crimes and markets.
Appropriate information software applications and analysis
tools should be used for this; for example, for analysing the AML criminal
incident (AML Crime Pattern Analysis, AML Case Analysis,
and AML Comparative Case Analysis). The same applies to
analysing the AML criminal (AML General Profile
Analysis, AML Offender Group Analysis, and AML Specific
Profile Analysis), and the methods employed to control
AML crime (AML Crime Control Methods, AML Investigations
Analysis). Information software applications and tools
are divided into two major categories:
. solutions based on classical software tools (classical
and various analytical software) and
. solutions involving intelligent systems and artificial
intelligence tools.
2. Classical or intelligent systems software-based solutions for criminal and AML intelligence analysis
A prime example of classical or intelligent systems software-based
solutions for criminal intelligence analysis is the integrated
information system for the AML Department. Since the Croatian
AML Department has only been in official existence since
November 1st, 1997, the integrated information system
is still in its initial stages.
The Croatian AML Department now has access to data through
specially-prepared reports of financial and other institutions
in regard to potentially suspicious financial transactions
(money, jewellery, etc.). In its development of the system,
the Croatian AML Department used past experience and knowledge
(from related literature and financial experts from Croatia
and other countries), as well as present-day developments
applicable to the Croatian situation. Financial and other
institutions currently send data to the AML Department
by mail or fax on specific, prepared forms (Fig. 3). In
the near future they will deliver data through diskettes,
various electronic nets, or a special section of the Internet
(i.e., The Egmont Group Secure Web System). The AML Department
has electronic and other types of access to information
and data from financial and other institutions, the Police,
and public institutions having a connection with money-laundering
activities. Data are collected from various sources: confidential
informants, information storage and retrieval systems,
surveillance systems, open sources, and interrogation
and intelligence sources. After data collection, information
is registered and evaluated.
Fig. 3: Some of the specific forms for reporting financial transactions
The "4 x 4 system" is very important and it is used
extensively due to its validity and reliability. All information
and important data must be marked in two ways, the first
being:
(A) when there is no doubt as to the authenticity and
competency of the source;
(B) when there is a history of reliable information;
(C) when there is a history of mostly unreliable information;
(X) when there is a previously untested source and when
data cannot be evaluated.
The second mark consists of (from the information validity
scale):
(1) when information is judged to be accurate without
reservation;
(2) when information is known by the source but not to
reporting staff as accurate;
(3) when information is not known personally by the source
but is corroborated by other information already recorded;
(4) when information is not known personally to
the source and is not corroborated by other information,
and when information cannot be evaluated.
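The two marks can be applied mechanically for second-hand information, as in the following added example (not code from the paper or from the AML Department's system). It assumes that marks 1 and 2 are always set by a human evaluator, that "corroborated" means the same assertion is already recorded from a different source, and that the record fields and sample reports are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

SOURCE_MARKS = ("A", "B", "C", "X")  # source reliability scale listed above


@dataclass
class Report:
    source_id: str      # constructed identifier of the reporting source
    source_mark: str    # A, B, C or X
    subject: str        # entity the item is about
    attribute: str      # what is asserted about it
    value: str          # the asserted value
    firsthand: bool     # True if the source knows the information personally
    validity: int = 0   # 1..4 from the validity scale; 0 = not yet evaluated

    @property
    def mark(self):
        return f"{self.source_mark}{self.validity}"


def evaluate(incoming, recorded):
    """Check the source mark and assign validity 3 or 4 to second-hand items."""
    if incoming.source_mark not in SOURCE_MARKS:
        raise ValueError(f"unknown source mark {incoming.source_mark!r}")
    if incoming.firsthand:
        # Assumption: marks 1 and 2 are an evaluator's judgement, never derived.
        if incoming.validity not in (1, 2):
            raise ValueError("first-hand information needs a manual mark of 1 or 2")
        return incoming
    # Assumption: corroboration means the same assertion is already recorded
    # from a different source; a source repeating itself does not count.
    corroborated = any(
        (r.subject, r.attribute, r.value)
        == (incoming.subject, incoming.attribute, incoming.value)
        and r.source_id != incoming.source_id
        for r in recorded
    )
    incoming.validity = 3 if corroborated else 4
    return incoming


def register(reports):
    """Evaluate reports in order of receipt and collate them."""
    recorded = []
    for rep in reports:
        recorded.append(evaluate(rep, recorded))
    return recorded


def conflicts(recorded):
    """Contradictory values per (subject, attribute), each with its 4 x 4 marks."""
    grouped = defaultdict(lambda: defaultdict(list))
    for r in recorded:
        grouped[(r.subject, r.attribute)][r.value].append(r.mark)
    return {key: {value: sorted(marks) for value, marks in values.items()}
            for key, values in grouped.items() if len(values) > 1}


# Constructed sample reports, not data from the paper.
SAMPLE = [
    Report("bank-01", "A", "account 0001", "beneficial_owner", "Company P", True, 1),
    Report("informant-07", "X", "account 0001", "beneficial_owner", "Person Q", False),
    Report("informant-09", "B", "account 0001", "beneficial_owner", "Company P", False),
    Report("informant-07", "X", "account 0001", "beneficial_owner", "Person Q", False),
]

if __name__ == "__main__":
    collated = register(SAMPLE)
    for rep in collated:
        print(rep.mark, rep.source_id, rep.value)
    print(conflicts(collated))
```

The conflict view keeps both contradictory values with their marks side by side, so the weighting stays with the analyst.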
After data collection, registration, and evaluation, information
is collated (stored and cross-reference indexed for analysis)
in classical storage systems (Fig. 4).
Fig. 4: Example with icon and one interface of classical storage
system for data collation
After data collection, registration, and collation, information
and data are integrated through electronically prepared
forms (with data, attributes, and values, from Fig. 3)
and other sources (Fig. 5).
The Department
is now using methods, techniques, and models of information
science related to AML criminal intelligence analysis,
statistical methods, methods of operational research,
etc.
In practice, there are specially developed methods and
techniques based on various models of operational analysis,
some of which involve "frequency counts", "variance
analysis," and "principal component analysis".
After the use of developed methods and techniques, analysis
and presentation of relevant data and important information
are prepared with "i2" Ltd. analytical software,
etc. (Fig. 6).
Fig. 6: "i2" Ltd. based software tools and applications,
Case Notebook, and Link Notebook
Physical evidence at a crime scene may be found in the following
four forms:
. transient,
. pattern,
. conditional, and
. transfer.
All relevant physical evidence for AML crime is recorded
and archived in original and electronic format. The AML
department has its own Document Imaging based system so
the large volume of information does not present a problem.
Basic document image processing refers to the capture,
storage, and retrieval of information in the form of electronic
images. The basic imaging process is illustrated (Fig. 7).
Fig. 7: The basic process of document image processing
Document image processing begins with document preparation
and scanning, which converts the hard copy image into
an electronic image file. Specialised image processing
hardware or software then compresses the image file. Image
compression reduces the size of an image file by eliminating
unnecessary or redundant data. The image file is then
indexed, either manually or using optical character recognition
(OCR). OCR is a technology (involving artificial intelligence
tools) that translates printed characters into machine-readable
text. The index is stored in a database and is used to
retrieve the image for later viewing. A quality control
check is performed by an operator and ensures that the
image has been properly scanned and indexed.
Document capture consists of the conversion of documents
to enable their use in electronic document management
systems. Subtasks include document preparation, scanning,
and indexing. A workflow chart for document capture in
the conceptual model used in the AML department is illustrated
(Fig. 8).
Fig. 8: Workflow chart for document capture in conceptual model
The images are usually stored
on optical disks. Optical disks are high-density storage
devices that are written to and read by laser light. Images
are retrieved using the index database and can be viewed
on monitors or printed. Also, the image file is different
from a standard text file, because it stores information
in the form of raster images rather than ASCII data.
Fig. 9 illustrates ASCII text vs. imaging, using optical
character recognition (OCR) process.
Fig. 9: ASCII text vs. imaging ("pattern recognition")
The ramifications of images versus data processing are that
image files capture pictorial as well as textual data.
This enables them to store signatures as well as graphics,
photographs, and drawings. Although the distinction between
ASCII text and image files may seem purely technical,
it has a profound impact on information accessibility,
manipulation, and security. The translation of image representations
into useful information is performed in the mind of the
user, because pixel elements have no intrinsic information
value and cannot be interpreted directly by a computer.
Image files can be viewed as another type of data. The
large sizes of image files create new processing challenges.
The use of WORM (Write Once Read Many) technology in electronic
document management provides a new dimension of information
security (Fig. 10). The chief means of input to electronic
document management systems is scanning or electronic
data exchange, as opposed to data entry. This provides
unique challenges as well as opportunities.
Fig. 10: WORM technology in electronic document management
Vector image files, image quality, and storage devices are also
basic concepts (with raster image files) which must obey
special requirements during the document imaging process and
management. The document storage process includes the compression
of image files, the writing of the files to optical storage,
and the updating of the index database. Fig. 11 illustrates
the workflow of the storage process.
Fig. 11: Workflow chart for document storage in the conceptual
model used
Models, methods and techniques of Artificial Intelligence, especially
those developed with Gold Hill Products 32-bit version software
(Expert System and Developer Tools) and Neuro Shell, are
used to deal with prepared knowledge about AML intelligence
analysis:
. for developed indicators on money-laundering,
. for detecting AML crime ("pattern") and
. as an advising system for dealing with AML crime,
etc.
"Croatian Detecting System for Suspicious Finances" is the
popular name for the expert system model, with the acronym:
"CroSsFinDS" (from: "Croatian Suspicious
Finances Detecting System"). The AML department is
in the process of integrating the expert system with new
models, methods, and techniques of classical, analytical
and statistical software, such as models, methods and
techniques especially developed with some of the best
"i2" Ltd. analytical software (Fig. 12).
Fig. 12: Workflow chart for suspicious financial transactions
Models, methods, and techniques now developed mainly with SPSS
for Windows and, in the future, with other statistical
software tools (like: Statistica, SAS, Statgraph etc.)
will be integrated with models, methods and techniques
developed with Microsoft Visual C++ 5.0, Oracle Developer,
Magic, etc.
Software products usually used to retrieve statistics
in the process of criminal intelligence analysis are Statistica,
SPSS for Windows, and SAS. These products are comprehensive,
user-friendly, and powerful enough for strategic and
sometimes operational (tactical) AML crime analysis.
Not all the above-mentioned statistical software (Statistica,
SPSS, Statgraph, SAS, etc.) is necessary for statistical
analysis. Only certain types of analysis can be conducted
without specific statistical software, such as AML crime
pattern analysis and AML combined analysis.
A small number of AML employees are responsible for statistics
in the Croatian Financial Intelligence Unit (in short:
FIU). Their specific duties involve statistical software
products, various statistical reporting, and strategic
analysis, especially those connected with specific AML
tactical analysis (in AML cases). Statistical analysis
is meaningful regardless of the number of suspicious transactions
reported. For some suspicious transactions, classical
statistical correlation tests and various types of statistical
testing methods, such as the Pearson test and the χ² test (chi-square),
are recommended. For most others, all applicable
statistical methods (especially those offered in international
courses for strategic analysis) are used.
In the Croatian case, parts of the "i2" Ltd.
analytical software are used. These include "i2"
Ltd. analytical software products (tools) such as the
Analyst's Notebook, iBase Designer, iGlass, iConnect,
and iTel (Fig. 13).
Fig. 13: "i2" Ltd. based software tool and applications
for suspicious telephone or modem calls, Link Notebook with
iTel
For example, iBase Designer software allows for a powerful,
simple, and flexible database application. Information
from possible sources can be entered into the iBase database
in a consistent format, with a minimum of effort, and
without duplication. This iBase software links directly
to the Analyst's Notebook so that Link and Note charts
can be easily generated automatically for the AML analyst's
use.
iBase also includes a powerful query builder based on
combinations of criteria for retrieving AML data, and
a complete report generator. It is available for AML usage
in two basic forms, i.e., iBase Designer and iBase User
software. First, iBase Designer allows analysts to set
up and maintain AML databases. It gives them the freedom
to create and design new databases and modify existing
ones to ensure that they continue to satisfy the requirements
of the AML tactical investigations. This software also
has the iBase User functionality. Second, iBase User software
provides effective database solutions for all the members
of an AML investigative team involved in one particular
AML case. It allows each user to enter, research, modify,
and analyse the AML data and so to chart it using the
Analyst's Notebook.
The Analyst's Notebook software contains the following:
Link Notebook, Link Analyser, Case Notebook, and Case
Analyser. Analyst's Notebook is a professional visualisation
and analysis tool for AML information analysts. As such,
it offers a solution for researching, interpreting,
and displaying complex information (Fig. 14).
A software package such as iGlass is used for AML data
visualisation, AML crime pattern analysis, and AML research.
This software provides a powerful AML analysis package
in which the AML tactical analyst researches AML data
by using a combination of queries, AML graphs, and AML
charts. This version can also be used on its own. The
software is also used with Analyst's Notebook and AML
Graphical Information System (GIS).
The software iConnect enables the so-called "live"
connection between the existing AML database and the Analyst's
Notebook, so that AML Link and AML Note charts can be
easily generated automatically. A connection to the actual
AML databases and other interesting databases can also
be built (Fig. 15).
Fig. 15: Example of AML Note and Link charts for interpreting
suspicious financial transactions
The software package iTel is the database system for telephone
and similar data analysis. This software package links
directly with Analyst's Notebook to provide sophisticated
AML analytical capabilities for important telephone and
similar kinds of information (Fig. 16).
Fig. 16: Example iTel charts for data analysis and presentation
AML Department Development is also preparing various profiles
of money-laundering, fraud transactions, and a clear set
of indicators for money-laundering activities. This is
done by translating a recorded topology (for example,
a profile of a money-laundering transaction) into an analytical
technique, which will be used to select new transactions
falling within the recorded topology. In this process,
the team uses experience based on practical cases and
knowledge from abroad, especially from Slovenia, Belgium,
Italy, etc. The development team plans to use new statistical
and other analytical techniques to develop an AML pattern
recognition technique (specific AML profiles), monitor
the various transmitters of information, and control all
AML processes. The AML Department and FIU receive statistical,
analytical, and operative reports and, if requested, other
forms of management information. This is an important
part of its international activities (cooperation in Egmont
Group and other countries on particular tactical AML cases
and various international virtual strategic AML workshops
and strategic AML analysis). It is also important to exploit
special and classical Internet software solutions.
In conducting AML analysis, the Croatian FIU has access to
data/databases maintained by other intelligence units
in our country. Data/databases are located in: Police,
Customs Tax Office, Agency for Financial Transactions,
Social Security, Zagreb (Croatian) Department of Interpol,
Croatian National Bank, Ministry of Finance, Judicial
and Law Enforcement Agencies, databases on Internet, etc.
Other statistics to which the Croatian FIU has access
are located in: Statistical Department of the Republic
of Croatia, Financial Police, and others. These other
statistics are used in preparing analysis of new information,
and corrective and comparative study/analysis for legal
and other financial transactions. If the reported transactions
are a proportional representation of all the transactions
being processed by financial institutions, the AML Department
can approximate, using descriptive statistical measures
(geometry, average rate in stable situations, and so on),
the number of reports to expect from financial institutions.
The AML Department uses strategic analysis to compile
guidelines that describe what banks and other financial
institutions should report. It also uses strategic analysis
reports for co-operation with banks and financial industry
representatives in an effort to strengthen co-operation
and develop policies or programs (Fig. 17).
Many of the indicators for money-laundering activities
have been developed in the AML Department to identify
money-laundering operations among the many suspicious
transactions reported to the FIU. All of these indicators,
some from abroad, are integrated into an expert system,
but some of them have not been evaluated since the Croatian
FIU only became operational on December 4th, 1997. The
AML Department is currently developing new rules for money-laundering
profiles, as seen in cash transactions, wire transfers,
bank to bank transactions, and so on. The AML Department
observes the criteria and methods conducted in strategic
analyst courses from Netherlands NCIS and methods from
related American and European literature (crime pattern
analysis, etc.). These criteria and methods are in the
process of being evaluated in Croatian AML practice and
Unit development. In particular AML cases, police investigators
use AML strategic analysis only to prepare future actions.
In some complex tactical situations the investigators
use strategic analysis to identify and develop new, investigative
AML profiles. It is also possible to make an AML profile
based on tactical (operational) investigations, but only
in combination with a global AML strategic investigation.
The use of AML profiles can benefit a tactical (operational)
investigation when one tactical (operational) investigation
has not succeeded. Also, some statistical methods of descriptive
and inherent statistics (such as trends, rates, averages/means,
inherent (regression analysis) and various correlation
statistical tests) can be used to compare information
from different sources on an aggregated level of AML strategic
analysis. Which type of regression analysis (linear, polynomial,
based on averages, etc.) should be used is determined
by the analyst according to experience and the type of analysis. But
in the process of analysis, the AML analyst must use knowledge
obtained from strategic analytical courses. The AML analyst
can combine both types of information (transaction and
person) in one statistical technique, using various
relative entities and relative numbers.
The parameters used to identify the transaction as money-laundering
are related to the profile of financial transactions and
type of business. If objective criteria do exist, they
should be defined with the assistance of the FIU in order
to obtain a standardised form of disclosure. The AML Department
does not deal with tax evasion or other criminal activity
such as fraud, etc. The Croatian FIU deals only with money-laundering
activities. The AML Department uses various monitoring
tools and target identification methodologies to detect
money-laundering, such as: report forms for suspicious
financial transactions, and programming tools for analysis
(software products and applications) which deal mainly
with tactical analysis or statistics. The AML Department's
Development team is now using knowledge from an expert
system based on artificial intelligence (CroSSFinDS).
Target identification methodologies are also a part of
tactical and strategic analysis. The team uses document
imaging and artificial intelligence based software-applications
and tools which are considered valuable for linking textual
information in cases where no relational data links exist.
It is also developing various AML pattern forms of anomalous
behaviour of Croatian institutions, the goal being to
identify financial institutions showing anomalous behaviour
in their disclosure patterns. Connected to this task are:
identifying high-risk geographical areas, economic sectors,
and high-risk typologies of financial institutions. The
team is preparing analytical and statistics-related software
applications and rules for CroSSFinDS (Fig. 18).
Fig. 18: A typical concept of expert system structure used in
CroSSFinDS
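The text describes estimating the number of reports to expect from each institution under proportional reporting, and the goal of finding institutions with anomalous disclosure patterns. The following added example (not code from the paper or from CroSSFinDS) combines the two with the chi-square test the paper recommends. The institution names, figures, significance level and residual limit are constructed assumptions.

```python
import math

# Constructed sample data (not from the paper): transactions processed and
# suspicious-transaction reports filed per institution in one period.
VOLUMES = {"Bank A": 500_000, "Bank B": 300_000, "Bank C": 150_000, "Bank D": 50_000}
REPORTS = {"Bank A": 52, "Bank B": 31, "Bank C": 2, "Bank D": 15}


def expected_reports(volumes, total_reports):
    """Expected reports per institution if reporting is proportional to volume."""
    if total_reports <= 0:
        raise ValueError("at least one report is needed")
    if any(v <= 0 for v in volumes.values()):
        raise ValueError("every institution needs a positive transaction volume")
    total = sum(volumes.values())
    return {name: total_reports * v / total for name, v in volumes.items()}


def chi2_sf(x, dof):
    """P(X >= x) for a chi-square variable, closed form for integer dof."""
    h = x / 2.0
    if dof % 2 == 0:
        return math.exp(-h) * sum(h ** i / math.gamma(i + 1) for i in range(dof // 2))
    tail = sum(h ** (i - 0.5) / math.gamma(i + 0.5) for i in range(1, (dof + 1) // 2))
    return math.erfc(math.sqrt(h)) + math.exp(-h) * tail


def disclosure_anomalies(volumes, reports, alpha=0.01, residual_limit=2.0):
    """Chi-square goodness-of-fit test plus per-institution Pearson residuals."""
    if volumes.keys() != reports.keys():
        raise ValueError("volumes and reports must cover the same institutions")
    expected = expected_reports(volumes, sum(reports.values()))
    residuals = {n: (reports[n] - expected[n]) / math.sqrt(expected[n])
                 for n in expected}
    statistic = sum(r * r for r in residuals.values())
    p_value = chi2_sf(statistic, len(expected) - 1)
    flagged = {}
    if p_value < alpha:  # inspect institutions only if the overall fit fails
        for name, r in residuals.items():
            if abs(r) > residual_limit:
                flagged[name] = "under-reporting" if r < 0 else "over-reporting"
    return {
        "expected": expected,
        "statistic": statistic,
        "p_value": p_value,
        # Expected counts below 5 make the chi-square approximation unreliable.
        "low_expected": sorted(n for n, e in expected.items() if e < 5),
        "flagged": flagged,
    }


if __name__ == "__main__":
    result = disclosure_anomalies(VOLUMES, REPORTS)
    print(f"chi-square = {result['statistic']:.2f}, p = {result['p_value']:.2e}")
    for name, direction in result["flagged"].items():
        print(name, direction, "expected", result["expected"][name],
              "observed", REPORTS[name])
```

A flag here only says that an institution's report count departs from the proportional assumption; both directions are listed because a very low count and a very high count are each a disclosure pattern worth reviewing.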
If financial analysts perform a review of an AML disclosure,
the difference between the role of financial and investigative
AML analysts depends on the type of prepared analysis.
The financial analysts can reconstruct the money path
only in co-operation with investigative (tactical) AML
analysts, and can ask for documents supporting their analysis
from inherence and recommendations of investigative (tactical)
analysts. The results of their work are put into quantitative
data (Fig. 12, 13, 14 and 15). Only specific financial
of strategic and statistical analysis is applied to this
data (financial pattern analysis, etc.). The AML Department
uses predominantly standard (and only in specific situations
customised) formats as feedback concerning money-laundering
reports. The AML Department has a standard format and
is currently developing customised feedback reports created
electronically for each financial institution to deal
with unusual situations. The AML Department's FIU evaluates
its methods in identifying emerging money-laundering
criminal activity (but no others) by measuring practical
results. This system is based on strategy/cost/benefit
study principles, the need to do things "in real
time". The FIU collects and records information based
on statutory obligation and reports prepared with additional
information collected. The AML analysis is conducted
using all information collected, but only information
provided in the original reports is used in AML analyst-organised
elicitation and briefings. A summary of AML analysis is
made from any additional information collected, but in
some situations there will be extrapolation with statistics
of AML analysis.
3. Conclusion
The described software application solutions for classical and intelligent
systems, with Croatian Suspicious Financial Transactions
Detecting (Expert) System (acronym: CROSSFINDS), were
used to illustrate the informational support available
to Croatian criminal intelligence analysis and AML Department
activities relating to criminal intelligence analysis.
These activities provide an overview of Croatian AML Department
criminal intelligence analysis practice, the chronology
of which is: All suspicious transaction reports received
by the FIU are analysed; analysis is done systematically,
and only in specific cases is AML analysis done on an ad hoc
basis on specific subjects, institutions, or geographic
locations singled out by other sources of information.
The results of the early phase of development of the integrated
information system for the Croatian AML Department will
be used in further development of a complete and integrated
application. This will also serve as an example for development
of other intelligent/information systems for criminal
intelligence analysis.
New York,
September 11, 2001.