Case Study 4.2: Graph Analytics in Practice — Unraveling a Trade Finance Fraud Network

The Situation

Organization: Cornerstone Financial Group (fictional) Context: Cornerstone Bank NA's trade finance team suspects a cluster of import/export customers may be engaged in trade-based money laundering (TBML) Technology: Graph analytics applied to customer relationship and transaction data Perspective: Cornerstone's AML analytics team

Background

Trade-based money laundering (TBML) is one of the most sophisticated and difficult-to-detect money laundering typologies. Criminals exploit international trade transactions — import and export invoices, letters of credit, shipping documents — to move value across borders by over- or under-invoicing goods.

A $100,000 shipment of electronics might be invoiced at $200,000, with the $100,000 "surplus" effectively moving wealth across borders without triggering financial transaction reporting. The transaction looks like a legitimate trade finance transaction; the fraud is in the mismatch between the invoice value and the actual value of the goods.

Traditional transaction monitoring struggles with TBML because: - Individual transactions are legitimate and below reporting thresholds - The fraud is in the relationship between invoice amounts and goods values — cross-document, cross-party - Detection requires connecting information across customers, counterparties, and transactions that may be in different systems

Cornerstone's trade finance AML team had been observing anomalies in a cluster of import/export customers for six months without being able to articulate a clear suspicious pattern.

Building the Graph

The analytics team decided to apply graph analytics to the problem. They built a network graph with the following nodes and edges:

Nodes: - 23 US corporate customers (importers) - 15 overseas counterparties (exporters, primarily in Southeast Asia) - 34 intermediary companies identified from corporate documentation - 8 individual directors/shareholders from beneficial ownership records

Edges: - Payment flows (US customer → overseas counterparty) - Shared beneficial ownership (same individual controls multiple companies) - Common addresses (multiple companies at same address) - Common phone numbers / email domains - Shared bank accounts (payment routing through same intermediary accounts)

import networkx as nx
import pandas as pd

# Load entity and relationship data
entities = pd.read_csv('entities.csv')        # nodes
relationships = pd.read_csv('relationships.csv')  # edges

# Build directed graph
G = nx.DiGraph()

# Add nodes with attributes
for _, entity in entities.iterrows():
    G.add_node(entity['id'],
               entity_type=entity['type'],
               country=entity['country'],
               risk_score=entity['risk_score'])

# Add edges with relationship type
for _, rel in relationships.iterrows():
    G.add_edge(rel['source'],
               rel['target'],
               relationship_type=rel['type'],
               weight=rel.get('amount', 1))

# Find strongly connected components
# (groups of nodes that are mutually reachable)
components = list(nx.strongly_connected_components(G))
large_components = [c for c in components if len(c) > 3]

print(f"Network has {G.number_of_nodes()} nodes, {G.number_of_edges()} edges")
print(f"Found {len(large_components)} significant connected components")

# Identify nodes with unusually high centrality
# (nodes that many other nodes route through — potential intermediaries)
betweenness = nx.betweenness_centrality(G)
top_intermediaries = sorted(betweenness.items(),
                           key=lambda x: x[1],
                           reverse=True)[:5]

print("\nTop intermediary nodes (potential hub entities):")
for node_id, centrality in top_intermediaries:
    node_attrs = G.nodes[node_id]
    print(f"  Node {node_id}: {node_attrs.get('entity_type')} "
          f"({node_attrs.get('country')}) — "
          f"Centrality: {centrality:.3f}")

What the Graph Revealed

The network graph immediately revealed patterns that were not visible in the transaction data:

Finding 1: Hidden beneficial ownership Three of the US importers, two of the overseas exporters, and four of the intermediary companies shared a common beneficial owner — a single individual whose name appeared as a director in 9 of the 30+ entities in the network. This connection was invisible in transaction monitoring, because each entity was a separate legal person. In the graph, the shared controller was immediately obvious as a hub node with high betweenness centrality.

Finding 2: Circular payment flows The graph revealed that payment flows from Cornerstone customers to overseas counterparties were returning, via a chain of intermediary companies, to accounts connected to the same beneficial owner in the US. The pattern: US customer pays overseas counterparty → payment flows through chain of intermediaries → funds arrive at US-based accounts connected to the same controller.

This circular flow was a strong indicator of TBML: the "international trade" was generating funds that were ultimately returning to the originating jurisdiction, laundered through the appearance of legitimate commercial activity.

Finding 3: Invoice value anomalies Cross-referencing the transaction amounts with publicly available international trade pricing data, the analytics team found that 17 of the 38 import transactions had invoice values 40-80% higher than the international market rate for the declared goods. This over-invoicing pattern is the mechanism of TBML: the importers were paying inflated invoices, with the excess representing value transfer.

The Disclosure Decision

The analytics team brought their findings to the Chief AML Officer, who faced a disclosure decision:

File a SAR immediately on all affected accounts?
Investigate further to strengthen the SAR narrative?
Engage with law enforcement proactively?
Consider whether the tipping-off prohibition constrained customer communication?

The team chose a phased approach: 1. Enhanced monitoring on all accounts in the network immediately 2. Thirty days of additional investigation to strengthen the narrative with specific transaction examples and invoice analysis 3. SAR filing covering the full network with supporting graph visualization 4. No customer communication (tipping-off prohibition) 5. Voluntary disclosure to FinCEN that Cornerstone had identified a potential TBML network and was cooperating

The SAR was filed. FinCEN, in the subsequent months, coordinated with Customs and Border Protection and Homeland Security Investigations. The ultimate outcome is sealed as part of an ongoing investigation.

The Technology Insight

The TBML network was invisible to: - Transaction monitoring (each transaction was below thresholds, individually unremarkable) - Sanctions screening (none of the entities were on any list) - Standard KYC (each entity had been individually verified)

It was visible only when you looked at the relationships between entities simultaneously — which is precisely what graph analytics does.

This case illustrates why graph analytics has become a priority investment area for sophisticated AML programs, and why FinCEN's 2021 AML National Priorities explicitly called out complex transaction structures and trade-based money laundering as areas requiring enhanced focus.

Discussion Questions

1. The TBML scheme was structured as multiple separate entities with individual KYC verification. What changes to the KYC process might have surfaced the beneficial ownership connection earlier? What are the practical constraints on those changes?

2. The analytics team chose a phased approach (30 days of investigation before SAR filing). What is the regulatory basis for this approach? Are there circumstances where immediate SAR filing would have been required?

3. Graph analytics reveals patterns in existing data. The data itself was already available in Cornerstone's systems. Why had the pattern not been detected before the graph analysis? What organizational or technical barriers prevented earlier detection?

4. Invoice value analysis required comparing declared invoice amounts to international market prices. What data sources would support this analysis? What are the limitations of using public price data for this purpose?

5. The case illustrates three TBML indicators: hidden beneficial ownership, circular payment flows, and invoice over-valuation. Design a rule-based monitoring approach that would flag each indicator. What are the limitations of the rules-based approach vs. the graph analytics approach for each?