Detect the Invisible Threat inside your bank.

A unified AI engine that correlates transaction graph anomalies with insider behavioral footprints to stop collusion-assisted financial fraud before it escalates.

The Collusion Blindspot

Traditional systems operate in silos. They miss the crucial link between suspicious employee behavior and anomalous fund flows.

Current Siloed Systems

  • Isolated AML Rules: Flags transactions only if they breach static thresholds ($10k+).
  • Disconnected IAM Logs: Employee off-hours access is logged but rarely correlated with customer fund movement.
  • Result: High False Negatives. Insiders helping fraudsters bypass standard checks go entirely unnoticed until the audit.

BankShield Unified Engine

  • Graph-Based Transaction Tracking: Analyzes multi-hop layering and complex network patterns using graph intelligence.
  • Behavioral Anomaly Detection: Profiles every employee to flag unusual access patterns in real-time.
  • Collusion Intelligence Matrix: Mathematically correlates insider anomalies with external fund flows to generate a unified risk score.

System Architecture & Data Flow

graph TD
  subgraph Data Sources
    A[Core Banking Transactions]
    B[Active Directory Employee Logs]
  end
  subgraph BankShield AI Engine
    C{Feature Engineering Layer}
    D[Transaction Graph Risk XGBoost Model]
    E[Insider Behavioral Anomaly Isolation Forest]
    F((Collusion Correlation Intelligence Layer))
  end
  subgraph Output
    G[Unified Risk Scoring]
    H[Investigation Dashboard]
  end
  A -->|Kafka Stream| C
  B -->|Kafka Stream| C
  C -->|Graph Features| D
  C -->|Session Features| E
  D -->|Account Risk %| F
  E -->|Insider Risk %| F
  F -->|Multiplier Matrix| G
  G -->|Alerting| H

Dual Intelligence Models

Transaction Risk Model (XGBoost Classifier)

Extracts complex topological features from account transfer graphs. Evaluates degree centrality, structuring velocity, and rapid dormant-to-active state changes.

Input: Amount, Node_Degree, Time_Delta, Dormancy_Flag

Insider Behavioral Anomaly (Isolation Forest)

Profiles standard operating procedures per employee. Detects non-standard IP logins, off-hours DB queries, and unauthorized account state modifications.

Input: Login_Hour, IP_Subnet, Target_Account, Action_Type

Correlation Logic Engine (Heuristic Multiplier)

If an employee with a high anomaly score interacts with an account that shortly afterwards triggers a transaction anomaly, the two risk scores are multiplied and the product is raised to the power 1.5.

Score = (Tx_Risk * Emp_Risk) ^ 1.5
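
The correlation step as an added example (not BankShield's own code): it pairs insider accesses with later transfers on the same account and applies the formula above. It assumes both model scores are normalized to [0, 1] and a 24-hour window for "shortly after" (the page states neither); the records, Emp_117 and Acc_Z are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumption: the page only says "shortly after"
EXPONENT = 1.5                 # from the page's formula

@dataclass(frozen=True)
class Access:          # insider event with an anomaly risk in [0, 1] (assumed scale)
    employee: str
    account: str
    at: datetime
    emp_risk: float

@dataclass(frozen=True)
class Transfer:        # transaction with a model risk in [0, 1] (assumed scale)
    account: str
    at: datetime
    tx_risk: float

def collusion_score(tx_risk: float, emp_risk: float) -> float:
    """Score = (Tx_Risk * Emp_Risk) ^ 1.5, rejecting inputs outside [0, 1]."""
    for v in (tx_risk, emp_risk):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"risk {v!r} outside [0, 1]")
    return (tx_risk * emp_risk) ** EXPONENT

def correlate(accesses, transfers, window=WINDOW):
    """Pair each transfer with insider accesses to the same account that
    precede it by at most `window`; keep the highest score per pair."""
    by_account = {}
    for a in accesses:
        by_account.setdefault(a.account, []).append(a)
    alerts = {}
    for t in transfers:
        for a in by_account.get(t.account, []):
            if timedelta(0) <= t.at - a.at <= window:
                key = (a.employee, t.account)
                alerts[key] = max(alerts.get(key, 0.0),
                                  collusion_score(t.tx_risk, a.emp_risk))
    return alerts

# Constructed sample data modelled on the page's case study.
T0 = datetime(2024, 1, 1, 3, 14)
ACCESSES = [Access("Emp_402", "Acc_A", T0, 0.9),
            Access("Emp_117", "Acc_Z", T0, 0.9)]
TRANSFERS = [Transfer("Acc_A", T0 + timedelta(minutes=20), 0.9),  # correlated
             Transfer("Acc_Z", T0 - timedelta(hours=1), 0.9),     # before access
             Transfer("Acc_A", T0 + timedelta(days=3), 0.95)]     # outside window

if __name__ == "__main__":
    for (emp, acc), score in correlate(ACCESSES, TRANSFERS).items():
        print(f"{emp} -> {acc}: {score:.3f}")
```

On a [0, 1] scale two 0.9 inputs combine to 0.729, lower than either input, so alert thresholds have to be calibrated against the combined score rather than reused from the individual models.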

[Chart: Transaction Feature Importance]

Live Scenario Simulation

Case Study: Insider reactivates a dormant account to facilitate structured layering.

Event Timeline

  • Step 0, System Idle: Monitoring normal traffic.
  • Step 1, Insider Action: Emp_402 accesses dormant Acc_A at 03:14 AM.
  • Step 2, Transaction: Acc_A transfers $49,500 to Acc_B.
  • Step 3, Collusion Flag: Acc_B splits funds to Acc_C/D. Engine alerts!

Unified Risk Score: 03%

Terminal Output
> BankShield Engine Initialized...
> Listening for streams...

Technology Stack

  • FastAPI: High-perf Backend
  • XGBoost & I-Forest: ML Engine
  • NetworkX: Graph Processing
  • Vanilla JS + GSAP: Dynamic Frontend
  • PostgreSQL: Relational Store
  • Docker: Containerization

Execution Roadmap

Phase 1: MVP Architecture

Develop synthetic dataset generator. Build core XGBoost transaction model and simple heuristic insider scoring. FastAPI backend integration.

Phase 2: Graph & Behavioral

Integrate NetworkX for layering detection. Train Isolation Forest on employee logs. Wire the Collusion Correlation module.

Phase 3: Real-time Scale (Future)

Migrate batch to Kafka Streams. Implement Graph Neural Networks (GNN) for deeper topology discovery.

Beyond the Hackathon

  • Graph Neural Networks
  • Kafka Streaming
  • SHAP Explainability
  • SIEM Integration