Research of Classical and Intelligent Information System Solutions for Criminal Intelligence Analysis
(Volume 2, Number 3-4, Autumn-Winter 2001.)
The objective of this study is to present research on classical and intelligent information system solutions used in criminal intelligence analysis in Croatian security system theory. The study analyses objective and classical methods of information science, including artificial intelligence and other scientific methods. The intelligence and classical software solutions researched, proposed, and presented in this study were used in developing the integrated information system for the Croatian Anti-money-laundering Department and the Croatian Criminal police. This software conforms to trends of operational research in criminal intelligence analysis, and is used in similar security information systems as well. The development and implementation of classical and intelligent software applications (and tools) was necessary to deal with criminals, their crimes, and the methods employed to engage in money-laundering.
The goal of the research is to address a full range of problem areas and illustrate the potential and benefit of integrating classical and intelligent applications in the selected problem area. The obtained results will be used in further development of intelligent/information system solutions for the process of criminal intelligence analysis.
information and intelligent systems, criminal and anti-money-laundering intelligence analysis, integration of artificial intelligence, and other software solutions
1. Main aspects of criminal and anti- money-laundering intelligence analysis
New aspects of Croatian law in criminal and financial police practices rely on the relatively new concept of corporate criminal intelligence analysis (as is the case in other leading countries). Knowledge about the relatively new concept of criminal, anti- money-laundering (in short: AML) theory and practice is important; thus there is a need for new tactical and strategic criminal and AML analysis. Modern criminal and AML activities are basically done with analysts and scientific units whose task is to combat organised, economic, and AML crime. This approach (informational, criminological, and forensic) rarely makes use of modern software applications, products, and scientific-based organisation in practice and theory (Fig. 1).
Fig. 1: Three different level of advising in investigations
- Forensic investigation and intelligence analysis is the most serious and difficult area, so precise and detailed advising levels are necessary for the expert system used. The function can be explained in one sentence: "in the process of examining evidence, the expert system must serve in an advisory role for investigators, analysts, lawyers, judges, information technicians, and others involved in any type of investigation and intelligence analysis".
This is also a relatively new conceptual system for combating organised, economic, computer-related, and other kinds of crime. Analysis is the process of integration and interpretation of information leading to conclusions,hypotheses, or inferences. After this process is completed, the information is manageable and its quality enhanced. Information is collected, evaluated, organised, and stored (collated) before criminal and AML intelligence analysis and action (or new cycle of collection, evaluation, and collation) can take place. These steps are also basic components of the overall criminal intelligence process. (Fig. 2).
Effective evaluation requires source reliability and information validity. Source reliability is determined by source characteristics, and information validity by the relationship of source to information. Also, a standardised system must be used in investigating criminal and AML practices so that conflicting pieces of information can be evaluated. A standardised system ensures that everyone recognizes the evaluation standards. This system is known as the "4 x 4 system". It is important to prepare well the organisational aspect of criminal intelligence analysis practice, and especially the informational input. Sources of information are numerous: banks, police, tax offices, and so on. This part of of the researching focuses on the criminal incident, the criminal, or the methods employed to control various AML crimes and markets.
Appropriate information software applications and analysis tools should be used for this; for example, the AML criminal incident (AML Crime Pattern Analysis, AML Case Analysis, and AML Comparative Case Analysis). The same applies to analysing the various AML criminal (AML General Profile Analysis, AML Offender Group Analysis, and AML Specific Profile Analysis), and the methods employed to control AML crime (AML Crime Control Methods, AML Investigations Analysis). Information software applications and tools are divided into two major categories:
. solutions based on classical software tools (classical and various analytical software) and
. solutions involving intelligent systems and artificial intelligence tools.
2. Classical or intelligent systems software- based solutions for criminal and AML intelligence analysis
A prime example of classical or intelligent systems software-based solutions for criminal intelligence analysis is the integrated information system for the AML Department. Since the Croatian AML Department has only been in official existence since November 1st, 1997, the integrated information system is still in its initial stages.
The Croatian AML Department now has access to data through specially-prepared reports of financial and other institutions in regard to potentially suspicious financial transactions (money, jewellery, etc.). In its development of the system, the Croatian AML Department used past experience and knowledge (from related literature and financial experts from Croatia and other countries), as well as present-day developments applicable to the Croatian situation. Financial and other institutions currently send data to the AML Department by mail or fax on specific, prepared forms (Fig. 3). In the near future they will deliver data through diskettes, various electronic nets, or a special section of the Internet (i.e., The Egmont Group Secure Web System). The AML Department has electronic and other types of access to information and data from financial and other institutions, the Police, and public institutions having a connection with money-laundering activities. Data are collected from various sources: confidential informants, information storage and retrieval systems, surveillance systems, open sources, and interrogation and intelligence sources. After data collection information is registered and evaluated.
Fig. 3: Some of the specific forms for reporting financial transactions
The "4 x 4 system" is very important and it is used extensively due to its validity and reliability. All information and important data must be marked in two ways, the first being:
(A) when there is no doubt as to the authenticity and competency of source reliability;
(B) when there is a history of reliable information;
(C) when there is history of unreliable information most;
(X) when there is a previously untested source and when data cannot be evaluated.
The second mark consists of (from the information validity scale):
(1) when information is judged to be accurate without reservation;
(2) when information is known by the source but not to reporting staff as accurate;
(3) when information not known personally by the source but is corroborated by other information already recorded;
(4) when there is information not known personally to the source and is not corroborated by other information, and when information cannot be evaluated.
After data collection, registration, and evaluation information is collated (stored, cross-referencing indexed for analysis) in classical storage systems (Fig. 4).
Fig. 4: Example with icon and one interface of classical storage system for data collation
After data collection, registration and collation information and data are integrated through electronically prepared forms (with data, attributes, and values, from Fig. 3) and other sources (Fig. 5).
Department is now using methods, techniques, and models of information science related to AML criminal intelligence analysis, statistical methods, methods of operational research, etc.
In practice, there are specially developed methods and techniques based on various models of operational analysis, some of which involve "frequency counts", "variance analysis," and "principal component analysis". After the use of developed methods and techniques, analysis and presentation of relevant data and important information are prepared with "i2" Ltd. analytical software, etc. (Fig. 6).
Fig. 6: "i'2" Ltd. based software tools and applications, Case Notebook, and Link Notebook
Physical evidence at a crime scene may be found in the following four forms:
. conditional, and
All relevant physical evidence for AML crime is recorded and archived in original and electronic format. The AML department has its own Document Imaging based system so the large volume of information does not present a problem. Basic document image processing refers to the capture, storage, and retrieval of information in the form of electronic images. The basic imaging process is illustrated (Fig. 7).
Fig. 7: The basic process of document image processing
The document image processing begins with document preparation and scanning, which converts the hard copy image into an electronic image file. Specialised image processing hardware or software then compresses the image file. Image compression reduces the size of an image file by eliminating unnecessary or redundant data. The image file is then indexed, either manually or using optical character recognition (OCR). OCR is a technology (involving artificial intelligence tools) that translates printed characters into machine-readable text. The index is stored in a database and is used to retrieve the image for later viewing. A quality control check is performed by an operator and ensures that the image has been properly scanned and indexed.
Document capture consists of the conversion of documents to enable their use in electronic document management systems. Subtasks include document preparation, scanning, and indexing. A workflow chart for document capture in conceptual model used in the AML department is illustrated (Fig 8).
Fig 8: Workflow chart for document capture in conceptual model
The images are usually stored on optical disks. Optical disks are high-density storage devices that are written to and read by laser light. Images are retrieved using the index database and can be viewed on monitors or printed. Also, the image file is different from a standard text file, because it stores information in the form of raster images rather than ASCII data.
Fig. 9 illustrates ASCII text vs. imaging, using optical character recognition (OCR) process.
Fig. 9: ASCII text vs. imaging ("pattern recognition")
The ramifications of images versus data processing are that image files capture pictorial as well as textual data. This enables them to store signatures as well as graphics, photographs, and drawings. Although the distinction between ASCII text and image files may seem purely technical, it has a profound impact on information accessibility, manipulation, and security. The translation of image representations into useful information is performed in the mind of the user, because pixel elements have no intrinsic information value and cannot be interpreted directly by a computer.
Image files can be viewed as another type of data. The large sizes of image files create new processing challenges. The use of WORM (Write Once Read Many) technology in electronic document management provides a new dimension of information security (Fig. 10). The chief means of input to electronic document management systems is scanning or electronic data exchange, as opposed to data entry. This provides unique challenges as well as opportunities.
Fig. 10: WORM technology in electronic document management
Vector image files, image quality, and storage devices are also basic concepts (with raster image files) which must obey special requirements during document imaging process and management. Document storage process includes the compression of image files, the writing of the files to optical storage, and the updating of the index database. A Fig. 11 illustrates the workflow of the storage process.
Fig 11: Workflow chart for document storage in used conceptual model
Models, methods and techniques of Artificial Intelligence, especially developed with Gold Hill Products 32-bit version software (Expert System and Developer Tools) and Neuro Shell are used to deal with prepared knowledge about AML intelligence analysis,
. for developed indicators on money-laundering,
. for detecting AML crime ("pattern") and
. such as advising system for dealing with AML crime, etc.
"Croatian Detecting System for Suspicious Finances" is the popular name for the expert system model, with the acronym: "CroSsFinDS" (from: "Croatian Suspicious Finances Detecting System"). The AML department is in the process of integrating the expert system with new models, methods, and techniques of classical, analytical and statistical software, such as models, methods and techniques especially developed with some of the best "i2" Ltd. analytical software (Fig. 12).
Fig 12: Workflow chart for suspicious financial transactions
Models, methods, and techniques now developed mainly with SPSS for Windows and, in the future, with other statistical software tools (like: Statistica, SAS, Statgraph etc.) will be integrated with models, methods and techniques developed with Microsoft Visual C++ 5.0, Oracle Developer, Magic, etc.
Software products usually used to retrieve statistics in the process of criminal intelligence analysis are Statistica, SPSS for Windows, and SAS. These products are comprehensive, user-friendly, and powerful enough for strategically and sometimes operational (tactically) AML crime analysis. Not all the above-mentioned statistical software (Statistica, SPSS, Statgraph, SAS, etc.) is necessary for statistical analysis. Only certain types of analysis can be conducted without specific statistical software, such as AML crime pattern analysis and AML combined analysis.
A small number of AML employees are responsible for statistics in the Croatian Financial Intelligence Unit (in short: FIU). Their specific duties involve statistical software products, various statistical reporting, and strategic analysis, especially those connected with specific AML tactical analysis (in AML cases). Statistical analysis is meaningful regardless of the number of suspicious transactions reported. For some suspicious transactions, classical statistical correlation tests and various type of statistical testing methods, such as the Pearson test, X2 test (Chi square), are recommended. For most others, all applicable statistical methods (especially those offered in international courses for strategic analysis) are used.
In the Croatian case, use of parts of "i2" Ltd. analytical software is conducted. That includes "i2" Ltd. analytical software products (tools) such as the Analyst's Notebook, iBase Designer, iGlass, iConnect, and iTel (Fig. 13).
Fig. 13: "i'2" Ltd. based software tool and applications for suspicious telephone or modem calls, Link Notebook with iTel
For example, iBase Designer software allows for a powerful, simple, and flexible database application. Information from possible sources can be entered into the iBase database in a consistent format, with a minimum of effort, and without duplication. This iBase software links directly to the Analyst's Notebook so that Link and Note charts can be easily generated automatically for the AML analyst's use.
iBase also includes a powerful query builder based on combinations of criteria for retrieving AML data, and a complete report generator. It is available for AML usage in two basic forms, i.e., iBase Designer and iBase User software. First, iBase Designer, allows analysts to set up and maintain AML databases. It gives them the freedom to create and design new databases and modify existing ones to ensure that they continue to satisfy the requirements of the AML tactical investigations. This software also has the iBase User functionality. Second, iBase User software provides effective database solutions for all the members of an AML investigative team involved in one particular AML case. It allows each user to enter, research, modify, and analyse the AML data and so to chart it using the Analyst's Notebook.
The Analyst's Notebook software contains the following: Link Notebook, Link Analyser, Case Notebook, and Case Analyser. Analyst's Notebook is a professional visualisation and analysis tool for AML information analysts. As such, it is offers a solution for researching, interpreting, and displaying complex information (Fig. 14).
A software package such as iGlass is used for AML data visualisation, AML crime pattern analysis, and AML research. This software provides a powerful AML analysis package in which the AML tactical analyst researches AML data by using a combination of queries, AML graphs, and AML charts. This version can also be used on its own. The software is also used with Analyst's Notebook and AML Graphical Information System (GIS).
The software iConnect enables the so-called "live" connection between the existing AML database and the Analyst's Notebook, so that AML Link and AML Note charts can be easily generated automatically. A connection to the actual AML databases and other interesting databases can also be built (Fig. 15).
Fig. 15: Example of AML Note and Link charts for interpreting suspicious financial transactions
The software package iTel is the database system for telephone and similar data analysis. This software package links directly with Analyst's Notebook to provide sophisticated AML analytical capabilities for important telephone and similar kinds of information (Fig. 16).
Fig. 16: Example iTel charts for data analysis and presentation
AML Department Development is also preparing various profiles of money-laundering, fraud transactions, and a clear set of indicators for money-laundering activities. This is done with translated and recorded topology (for example, a profile of a money-laundering transaction) into an analytical technique, which will be used to select new transactions falling within the recorded topology. In this process, the team uses experience based on practical cases and knowledge from abroad, especially from Slovenia, Belgium, Italy, etc. The development team plan is to use new statistical and other analytical techniques to develop an AML pattern recognition technique (specific AML profiles), monitor the various transmitters of information, and control all AML processes. The AML Department and FIU receives statistical, analytical, and operative reports and, if requested, other forms of management information. This is an important part of its international activities (cooperation in Egmont Group and other countries on particular tactical AML cases and various international virtual strategic AML workshops and strategic AML analysis). It is also important to exploit special and classical Internet software solutions.
In conducting AML analysis, Croatian FIU has access to data/databases maintained by other intelligence units in our country. Data/databases are located in: Police, Customs Tax Office, Agency for Financial Transactions, Social Security, Zagreb (Croatian) Department of Interpol, Croatian National Bank, Ministry of Finance, Judicial and Law Enforcement Agencies, databases on Internet, etc. Other statistics to which the Croatian FIU has access are located in: Statistical Department of the Republic of Croatia, Financial Police, and others. These other statistics are used in preparing analysis of new information, and corrective and comparative study/analysis for legal and other financial transactions. If the reported transactions are a proportional representation of all the transactions being processed by financial institutions, the AML Department can approximate, using descriptive statistical measures (geometry, average rate in stable situations, and so on), the number of reports to expect from financial institutions. The AML Department uses strategic analysis to compile guidelines that describe what banks and other financial institutions should report. It also uses strategic analysis reports for co-operation with banks and financial industry representatives in an effort to strengthen co-operation and develop policies or programs (Fig. 17).
Many of the indicators for money-laundering activities have been developed in the AML Department to identify money-laundering operations among the many suspicious transactions reported to the FIU. All of these indicators, some from abroad, are integrated into an expert system, but some of them have not been evaluted since the Croatian FIU only become operational on December 4th, 1997. The AML Department is currently developing new rules for money-laundering profiles, as seen in cash transactions, wire transfers, bank to bank transactions, and so on. The AML Department observe the criteria and methods conducted in strategic analyst courses from Netherlands NCIS and methods from related American and European literature (crime pattern analysis, etc.). These criteria and methods are in the process of being evaluted in Croatian AML practice and Unit development. In particular AML cases, police investigators use AML strategic analysis only to prepare future actions. In some complex tactical situations the investigators use strategic analysis to identify and develop new, investigative AML profiles. It is also possible to make a AML profile based on tactical (operational) investigations, but only in combination with a global AML strategic investigation. The use of AML profiles can benefit a tactical (operational) investigation when one tactical (operational) investigation has not succeeded. Also, some statistical methods of descriptive and inherent statistics (such as trends, rates, averages/means, inherent (regression analysis) and various correlation statistical tests) can be used to compare information from different sources on an aggregated level of AML strategic analysis. Which type of regression analysis (linear, polynoom, based on averages, etc.) should be used is determined by the analyst by experience and type of analysis. But in the process of analysis, the AML analyst must use knowledge obtained from strategic analytical courses. The AML analyst can combine both types of information (transaction and person) using one statistical technique using various relative entities and relative numbers.
The parameters used to identify the transaction as money-laundering are related to the profile of financial transactions and type of business. If objective criteria do exist, they should be defined with the assistance of the FIU in order to obtain a standardised form of disclosure. The AML Department does not deal with tax evasion or other criminal activity such as fraud, etc. The Croatian FIU deals only with money-laundering activities. The AML Department uses various monitoring tools and target identification methodologies to detect money-laundering, such as: report forms for suspicious financial transactions, and programming tools for analysis (software products and applications) which deal mainly with tactical analysis or statistics. The AML Department's Development team is now using knowledge from an expert system based on artificial intelligence (CroSSFinDS). Target identification methodologies are also a part of tactical and strategic analysis. The team uses document imaging and artificial intelligence based software-applications and tools which are considered valuable for linking textual information in cases where no relational data links exist. It is also developing various AML pattern forms of anomalous behaviour of Croatian institutions, the goal being to identify financial institutions showing anomalous behaviour in their disclosure patterns. Connected to this task are: identifying high-risk geographical areas, economical sectors, and high-risk typologies of financial institutions. The team is preparing analytical and statistic-related software applications and rules for CroSSFinDS (Fig 18).
Fig. 18: A typical concept of expert system structure used in CroSSFinDS
If financial analysts perform a review of an AML disclosure, the difference between the role of financial and investigative AML analysts depends on the type of prepared analysis. The financial analysts can reconstruct the money path only in co-operation with investigative (tactical) AML analysts, and can ask for documents supporting their analysis from inherence and recommendations of investigative (tactical) analysts. The results of their work are put into quantitative data. (Fig. 12, 13, 14 and 15). Only specific financial of strategic and statistical analysis is applied to this data (financial pattern analysis, etc.). The AML Department uses predominantly standard (and only in specific situation customised) formats as feedback concerning money-laundering reports. The AML Department has a standard format and is currently developing customised feedback reports created electronically for each financial institution to deal with unusual situations. The AML Department's FIU evaluates their methods in identifying emerging money-laundering criminal activity (but no others) by measuring practical results. This system is based on strategy/cost/benefit study principles, the need to do things "in real time". The FIU collects and records information based on statutory obligation and reports prepared with additional information collected . The AML analysis is conducted using all information collected, but only information provided in the original reports is used in AML analyst-organised elicitation and briefings. Summary of AML analysis is made from any additional information collected, but in some situations there will be extrapolation with statistics of AML analysis.
Described software applications solutions for classical and intelligent systems, with Croatian Suspicious Financial Transactions Detecting (Expert) System (acronym: CROSSFINDS), were used to illustrate the informational support available to Croatian criminal intelligence analysis and AML Department activities relating to criminal intelligence analysis. These activities provide an overview of Croatian AML Department criminal intelligence analysis practice, the chronology of which is: All suspicious transaction reports received by the FIU are analysed; analysis is done systematically, and only in specific cases is AML analysis done ad hoc basis on specific subjects, institutions, or geographic locations singled out by other sources of information. The results of the early phase of development of the integrated information system for the Croatian AML Department will be used in further development of a complete and integrated application. This will also serve as an example for development of other intelligent/information systems for criminal intelligence analysis.
1. Analyst's Notebook - i2, (1998) Manual, i2 Ltd., Cambridge
2. Andrews, P., P., JR., Peterson, M., B., (1990), Criminal Intelligence Analysis, Palmer Enterprises, Loomis, California
3. Ciampicali, P., (1996). Egmont Group: Proceedings of Egmont Group. Rome: Ufficio Italiano Dei Cambi.
4. Koppe, H. (1996). Cooperation. Office for the Disclosure of unusual transactions - newsletter, KL Zoetermeer, Netherlands, No. 1, pp. 1-4.
5. Koppe, H., Broekarts, I. (1998). Virtual strategic workshop. Materials from international Internet workshop - from e-mail addresses: email@example.com and firstname.lastname@example.org, Ministry of Justice Office for the Disclosure of Unusual Transactions, KL Zoetermeer, Netherlands
6. Prevention of money-laundering act, (1997). House of representatives - Parliament of the Republic of Croatia, Ministry of Finance, Zagreb.