Innovative Technology

Ultrascan Financial Intelligence Unit


The algorithm example used in this report is also called an exemplary embodiment which is simply put, the preferred example.
It is just another terminology for “example” but specifically used when referring to a patent. This Anti Money Laundering, AML, system has been chosen to represent how an AML monitoring system should function.
There may be variations within other systems but essentially, this is how they should all work. It can be taken that this is an exemplary embodiment and a template for electronic payment card monitoring system to combat money laundering.
The original abstract and full paper will be attached to this intelligence briefing for reflective purposes. This briefing will explain in a simplified manner how the detection system functions and always attempt to present it from a practitioner’s perspective not an academic manner. All superfluous and pretentious jargon will be discarded.


This system functions by receiving real-time data when a card is used. 

An ingress channel is simply another word for money going in via a payment system.
An egress channel simply put is money going out through another channel.

All payment systems use a first Application Programming Interface (API). An API is the way for an application to interact with certain systems, images and databases etc. Its how software components should interact. A good API provides all the components/building blocks for a programmer to develop a program. In our case, it helps to identify the credit cards, debit cards used by the criminals we are chasing.

This generates a transactional profile for each card, the ingress channel, the egress channels and the funding sources of the payment cards.

What happens is that in response to receiving transaction data for a payment (in or out) the data is analysed by a predictive algorithm.

This compares the data to the transactional profiles to calculate a probable money laundering score.

It then uses the transaction data based on a set of rules to generate a suspicious activity report (SAR)

This recommends whether to approve or report the current transaction by transmitting the (SAR) back to the payment card system. And transmitting the SAR to an identified regulatory body.

The AML system can track funds/money/cash movements to other electronic payment cards (EPCs) and exit/egress channels. It functions by monitoring money movements (in and out) in real-time of EPCs across multiple channels. The system is capable of dynamic updating of AML to keep up with current trends of AML by real-time feedback incidents of known money laundering behaviour. Self-learning money laundering prediction algorithms use this feedback to adjust (tweak) the algorithms to keep up with the latest trends and patterns in money laundering behaviour.

Figure 1 , shows a conventional electronic payments system (EPM). It has multiple channels for the money launderer to pay in (ingress) and equally multiple channels for the criminal to withdraw money (egress) . Cash is paid into 5 potential entry points: payroll (1.2) fake (shell) companies using electronic payment cards for payroll disbursements

• 1.21 Tracks mobile phone payments
• 1.22 Tracks funds added at an Automated Teller System (ATM)
• 1.23 Tracks physical face to face sales at a POS or via a physically present agent
• 1.24 Tracks merchant cards used at a merchant shop in a mall or a construction retail outlet such as paints, bricks and mortar, plumbing supplies etc. These would be hard to trace because once the purchased equipment leaves the POS the items have been incorporated into a physical building. These are also known as fake incentive cards
• 1.1 are the ingress funding sources point where funds can be introduced into the system, typically cash

The egress channels

Simply means the methods and channels used to extract the funds at the other end, where the funds are then laundered:
• 1.41 using the web to purchase goods
• 1.42 using the mobile phone to buy items that can be easily sold for cash
• 1.43 is using the ATM system to transfer cash/funds to other accounts and purchasing digital goods
• 1.4 to withdraw cash and purchase fencible goods
Each of the channels 1.2 to 1.4 are distinctly different with different levels of difficulty in converting the laundered funds back to cash.

Figure 2 is an overview of the exemplary embodiment (specific example for this AML)

It demonstrates how the components of the AML system updates itself via dynamic real-time scenario. This is successfully undertaken by identifying laundered money entering and exiting an electronic payment card system via multiple channels of ingress and egress. This generates the SAR (Suspicious Activity Report)

Figure 3 Is an explanation via graphics that interact with each other to describe the processing undertaken by the AML system using its set rules that link the various networks with ingress and egress channels. The funding sources are cross-connected with electronic payment cards to calculate possible negative scores for a card transaction in one embodiment (just means using one example of the AML system).

N1 Describes customer ingress network around a pre-paid card and the N1 network has “geo-location discrepancies between the customer geo-location and the ingress channel geo-location because the customer is using a pre-paid card.”
This is important because the customer has a Zip code (Post code) of 19380 but the customer has an IP address indicating the customer is in Zip code 94301. To support this transaction as a SAR, networks N2 and N3 are also linked to the pre-paid card via the egress channels of a web retailer (EC 1) and an ATM (EC 3) have a history of known “bad cards” (cards already flagged up as suspicious card, possible ML usage) depicted as 1, 4 and 2.
By using the network statistics of 1, 2 and 3, plus the AML rules component 2.5 there is a high certainty that pre-paid card 7 is being used for ML.

Figure 4 describes the process the profile module of the AML monitoring component 2.3 that creates and stores transactional usage patterns

This transaction data enters the system number 2 via data transfer from API 2.2 (Application Programming Interface 2) via data transfer API payload 4.1. Simply put, there are three transactions for payment card 1. The first transaction shows a funding transaction and the other two transactions are buying transactions. All transactions are indicating that the relevant ingress and egress channels and reveal the funding source. Finally, the AML monitoring component stores the transactions used by each profile from the time 4,2 as shown. This enables the regulator or AML agent to keep monitoring the card in real-time and act when necessary. The funds move onto an electronic payment card, even if this happens simultaneously, across multiple channels and multiple funding sources and the AML system process examines all the ingress channels simultaneously and evaluates the ML risk on the cards and the individual ingress channel.

Figure 5 simply shows the process for evaluating ML funds entering an electronic payment card across multiple channels.

Evaluation begins when the AML system 5.4 receives a request for moving funds in 5.3 from the payment system 1. This funding source is usually cash 5.1 and may enter via any of the incoming egress channels 5.21 to 5.25

The AML system, 5.4, uses real-time transaction data from the request and updates, or creates profiles for the specified user, the ingress channel and the payment card as depicted in figure 5. This results in the transaction being tagged with a probabilistic scoring that indicates a level of potential ML risks. This transaction and profile are moved onto an AML SAR generation component which evaluates the score, the user, the channel and payment card based on a set of heuristic (enabling the human to learn by themselves or machine to learn by set rules in a program) rules. If the score is below a threshold, then the AML system kicks in and chooses which regulatory body to inform.

The following figures are just an explanation of how the AML system functions

The main points have been covered but however, a concise description of the remaining figures will be given

Figure 6 simply demonstrates the fundamental process for the evaluation of money laundering exiting from an electronic payment

Each step of the ML transaction is covered from when the payments system 1 transmits a funds out request to the AML system 6.2.
The outgoing channels 6.61 to 6.65 are the egress points.
The AML system, 6.2, evaluates the transaction in real-time and updates or if necessary, creates a profile for the user, the card and egress channel.
The transaction is then passed on to AML rules component, 6.3, which uses one of many self-learning predictive algorithms in the blocks, 6.31 to 6.34. This then generates a probabilistic money laundering score level.

Figure 7 functions on a similar basis to figure 6, except it traces funds moving across multiple electronic payment cards

The movement of funds can be made opaque by moving funds between cards, “obfuscating the movement of money.”
This is overcome when the AML system receives a request from the payment system, 2, a funds transfer request from component 7.2 on behalf of payment card 11. Then the AML system kicks in and using real-time evaluates the transaction and updates or creates profiles for the user, the channel and the funding source.
The transaction is then passed along to the AML rules component 7.3, where the transaction is scored for possible money laundering using one of the many predictive algorithms. Finally, the transaction is then passed along to the SAR generating component

Figure 8 is simply a description of how laundered money movement is monitored.

Specifically, how laundered money is traced when its moved across multiple electronic payment cards. This is achieved by using geo-locations as examples to create links between SV/PP (Stored value/prepaid) cards to generate SARs.

Example: AML system 8.6, uses location based on IP addresses to link all the SV/PP cards.

Card 1 and Card 2 use IP1 within 5 minutes of each other to move funds to Card21 via the lines 8.2

Card 3 and Card 4 to Card n, from different locations move funds to Card 31 via lines 8.4

Both Card 31 and Card 41 (Line 8.5) move funds to Card 51 using lines 8.6 and 8.5.

Then Card 51 tries to extract from the system using IP1. Subsequently, all Cards 1 to n, Card 21, Card 31, Card 41 and Card 51 are now linked via the IP address.

This in turn triggers a SAR (using the component in Block 8.7) to the relevant regulatory agency in Block 8.62.

Figure 9 is just another example of monitoring the movement of laundered funds across multiple electronic payment cards. Again, using location to create links between SV/PP Cards to create and generate SARs.

This example creates a situation where multiple cards are purchased from the same location and money is withdrawn from the cards via an ATM, 9.3, which is at a different location.

As in the Figure 8 previously, geographic location is used to link all the SV/PP Cards.

Money is loaded onto Card 1 through Card n within the same Zip (Postal) code.

Zip 1 is shown at 9.1. The AML system, 9.6, calculates the number and speed of card purchases by geography and tags the transactions if the velocity is over a certain threshold in block 9.4. Further activity on this particular group of cards is monitored.

Because this group of cards withdraw money using the same ATM, located in another country, the AML system, 9.6, triggers the generation of a SAR in Block 9.51.

Figure 10 is simply a basic diagram that is an example of flagging suspicious activity via IP addresses

Example: Card 1 is loaded from an IP address, IP1, and is linked to the AML system 10.6 and to all other cards associated with the IP address IP1via line 10.1.

If 5 of the 7 cards associated with IP address IP1 are tagged as suspicious previously via lines 10.2 and 10.3. Because the SAR rate for IP1 was 71% (very high) SAR generation is triggered for Card 1 and Card 1 is flagged for further monitoring.

Researched by A. Lehal for Ultrascan Humint

Innovative Technology

Ultrascan FIU Mobile Money Laundering Threats

Introduction to the concept of Anti-Money Laundering


- Anti-Money Laundering (AML) and dismantling terror financing networks by exclusion from the mobile banking system
- The Alleged Threat of Mobile Money
- An important factor within money is micro-structuring also known as “smurfing”
- Further challenges for law enforcement
- The threats of mobile money

Innovative Technology


The algorithm example used in this report is also called an exemplary embodiment which is simply put, the preferred example. It is just another terminology for “example” but specifically used when referring to a patent. This Anti Money Laundering, AML, system has been chosen to represent how an AML monitoring system should function.

Ultrascan FIU Ingres Egress
Developing countries and the reforms

Developing countries and the reforms 2019

A fragile institutional environment can lead to heightened corruption:

• This can enable and lead to increasing corruption
• Which in turn can enable money laundering through illicit cash flows
• Which then divert and starve funds of developing economies that are already cash poor and suffer from capital-starvation.

The true cost of money laundering

AML Intelligence Briefing

The amount of money that is laundered annually is of truly colossal proportions. ML poses an existential threat to all countries. It warrants and demands thorough oversight and a transnational prevention strategy. The UK’s National Crime Agency (NCA) calculated recently, “hundreds of billions of pounds are laundered through UK banks each year.”

Money Laundering Centre

Copyright 2019 Ultrascan FIU - All Rights Reserved