Object	Operation species	Operational motion	Combination of actions	Key element	There is risk
Object	Operation species	Operational motion	Combination of actions	Key element	There is risk	The teller
Account						The teller

Object	Operation species	Operational motion	Combination of actions	Key element	There is risk
Object	Operation species	Operational motion	Combination of actions	Key element	There is risk	Cash box
The site						Cash box

The object of operational risk mainly contains:

Teller: refer to single cabinet dough figurine person, a plurality of cabinet dough figurine persons; Can be divided into retail trade and accounting event again.

Account: refer to common bankbook account, fixed deposit certificate account, all-purpose card account, credit card, to public account, credit account etc.

Cash box: the cash cash box in the cabinet face personnel hand

Site: refer to personnel, subject, cash of whole site etc.

Object	Operation species	Operational motion	Combination of actions	Key element	There is risk
Object	Operation species	Operational motion	Combination of actions	Key element	There is risk	The teller	Class of operation	Login
		Nullify				The teller	Class of operation	Login
		Nullify						Password
		Authority						Password
		Authority						State
	No account trading class	Collecting business						State
	No account trading class	Collecting business				Account	Class of operation	Open an account
		Cancellation				Account	Class of operation	Open an account
		Cancellation						Inquiry
		Report the loss						Inquiry
		Report the loss						Freeze, thaw
		Password						Freeze, thaw
		Password						Change folding

Object	Operation species	Operational motion	Combination of actions	Key element	There is risk
Object	Operation species	Operational motion	Combination of actions	Key element	There is risk	Service class	Deposit
		Withdraw the money				Service class	Deposit
		Withdraw the money					The class of business change
		The deposit receipt hypothecated loan					The class of business change
		The deposit receipt hypothecated loan					Transfer accounts
		Withhold					Transfer accounts

Behind the clear and definite above object, need classify to all operations of each object and gather, carry out labor at every kind of operation then.

The teller

Class of operation: state: the state of job number is normal, cancellation etc.; Login: the time of login, place (site, terminal), number of times; Nullify: the time of cancellation, place, number of times; Password: length, complexity, initialization password and authority etc.

No account trading class, collecting business ().

Account

Class of operation: open an account; Cancellation; Inquiry; Report the loss; Freeze, thaw; Password (set up password, revise password); Change folding.

Service class: deposit (by the class of business branch); Withdraw the money; Class of business change: regularly change current; The deposit receipt mortgage loan; Transfer accounts.

With reference to Fig. 6 is real-time controlling models synoptic diagram in the monitoring model of the present invention, controlling models is wanted exactly and can be participated in real time in the process of exchange in real time, so at process of exchange in order to satisfy the requirement of efficient, big data quantity or unusual complex calculations can not appear, so in real time controlling models is compiled in the object behavior pattern behavior of the easiest judgement, all real-time controlling models all must satisfy the most basic mathematical computational requirements.

Real-time model mainly is the single business to be carried out rule limit, and this model only need do that simple mathematical is calculated and restrictive condition just can be obtained a result to key message wherein.Resource needed is considerably less in this model running process, can count the reason data in real time, and is regular as following monitoring:

To the ta vservice of centimetre family more than or equal to 1,000,000 yuans;

Savings branch family deposits business in more than or equal to 200,000 yuans cash;

Business is drawn more than or equal to 200,000 yuans cash in savings branch family;

The centimetre family is deposited in business more than or equal to 200,000 yuans cash;

Business is drawn more than or equal to 200,000 yuans cash in the centimetre family;

Cash on bank more than or equal to 200,000 yuans;

Savings divide the family more than or equal to 200,000 yuans ta vservice;

Individual bank bill business more than or equal to 200,000 Renminbi.

The mathematic calculation of real-time controlling models:

Arithmetic :+,-, *;

Character string: substring, length, key word;

Formula of mathematical: ABS, get remainder, decimal place etc.;

The date type calculates: get year, get the moon, get day, time range;

Logical expression: null, if then else etc.

With reference to Fig. 7 is regular traffic monitoring model schematic flow sheet of the present invention, and the regular traffic model mainly is to carry out the monitoring model that complex statistics is handled at many notes records.And this health model need be analyzed comparison to the mode that a certain object behavior pattern is carried out multiple angles, multiple combination, just can calculate whether there are abnormal conditions then.

The main method of regular traffic monitoring model:

Canonical function: select that row, row rename, expression formula, calculate by Field Sanitization and grouping.

Professional function: subject is checked changeing, pairing is searched in counterbalanced accounts transaction pairing, condition time, the inquiry of client's interlock account, track of issues, relatively average balance, moving average remaining sum, get standard interest rate, get standard rate, search corresponding constraint subject, the account searches card folding, block to roll over and search the account and get account data or the like.

With reference to Fig. 8 is abnormal traffic monitoring model synoptic diagram of the present invention, and the monitoring exceptional service model mainly is that teller, client, account, transaction that abnormal conditions take place are monitored, and belongs to comprising in the monitoring exceptional service scope:

Long-term idle account starts suddenly, and whether monitoring account is follow-up has wholesale or abnormal transaction to take place;

Frozen Account is thawed: whether monitoring account is follow-up transaction, a situation that whether exists the fund wholesale to remit back;

Teller's non operation time lands: after monitoring this teller and landing, what operation etc. was arranged in a period of time before the business hours begin.

The abnormal traffic monitoring model mainly is divided into two big classes:

Generate the abnormal monitoring object: this class model mainly is that this object has just belonged to monitoring target after judging which object behavior takes place, and can write down these to liking the unusual concern that causes owing to which behavior.Such as: the client of the teller that non operation time lands, the number of the account of thawing in advance, large-denomination time deposits etc.

The abnormal traffic monitoring: the abnormal traffic monitoring, whether judge in the follow-up business transaction has abnormal conditions to take place, and this exchange referent produces in all preceding model I, therefore two class monitoring models are complementary.Comprise teller's operation, the transaction of account and client's action.

With reference to Fig. 9 is the feature of the present invention analytical model synoptic diagram that adds up, the feature analytical model that adds up is a basic model in the monitoring model, what analytical model was described is the rule that is hidden in the data depths, this model analysis be teller, client, account behavioural characteristic, monitor out the trading activity of running counter to this feature by other models then.And this behavioural characteristic the most difficult discovery often.

Illustrate: client's operational characteristics just can be described with the clients fund behavioural characteristic, feature adds up and analyzes according to set business objective, and hiding regularity is wherein explored, disclosed to a large amount of business data also further with it modeled advanced person, effective method.

The feature function that analytical model can finish that adds up has: feature and trend that data are hidden are behind analyzed; The modeling function of analysis is provided; Not only can do trend analysis, can also be to predicting in the future; Can explain the reason that takes place and finish the conversion of data to knowledge.

Feature adds up to analyze and can form following knowledge from data: extential form knowledge, the knowledge of reflection things of the like description common property; Tag type knowledge, the feature knowledge of reflection things each side; Difference type knowledge, other knowledge of attribute difference between the reflection different things; Related type knowledge relies on or related knowledge between the reflection things; Forecasting type knowledge is according to the following data of data-speculative history and current; Depart from type knowledge, disclose things and depart from conventional abnormal occurrence.

The feature analytical model that adds up mainly contains following analytical approach:

Classification

The purpose of classification is classification function of association or disaggregated model (also being often referred to as sorter), and this model can be mapped to the data item in the database some in the given classification.Classification and recurrence all can be used for prediction.The purpose of prediction is to derive automatically the popularization of giving given data is described from utilize the historical data record, thereby can predict following data.Different with homing method is, the output of classification is the classification value that disperses, and the output that returns then is serial number.

Want the structural classification device, need a training sample data collection as input.Training set is made of one group of data-base recording or tuple, and each tuple is a proper vector of being made up of relevant field (claiming attribute or feature again) value, and in addition, training sample also has a classification mark.The form of a concrete sample can be: (v1, v2 ..., vn; C); Wherein vi represents field value.

The building method of sorter has statistical method, machine learning method, neural net method or the like.Statistical method comprises Bayes's method and nonparametric method (neighbour's study or based on the study of example), and the corresponding representation of knowledge then is discriminant function and prototype example.Machine learning method comprises decision tree method and rule induction method, the former correspondence be expressed as decision tree or discrimination tree, the latter then is generally production rule.Neural net method mainly is the BP algorithm, and its model representation is feed-forward neural network model (by a kind of architecture of representing the neuronic node and the limit of representative connection weights to form), and the BP algorithm is a kind of Nonlinear Discriminant Function in essence.

Cluster

Cluster is that one group of individuality is returned into some classifications according to similarity, i.e. " things of a kind come together, people of a mind fall into the same group ".Its purpose is to make that the distance between the individuality that belongs to same classification is as much as possible little, and the distance between the individuality on different classes of is big as much as possible.Clustering method comprises the method for statistical method, machine learning method, neural net method and data base-oriented.

In statistical method, cluster claims cluster analysis, and it is one of three big methods of multivariate data analysis (other two kinds is regretional analysis and discriminatory analysis).It mainly studies the cluster based on geometric distance, as Euclidean distance, bright Cowes cardinal distance from etc.Traditional statistics clustering method comprises hierarchical clustering method, decomposition method, addition method, dynamic clustering method, clustering ordered samples, overlapping cluster and fuzzy clustering etc. is arranged.This clustering method is a kind of based on overall situation cluster relatively, and it need investigate the division that all individualities could determine class.

Cluster is called in machine learning does not have supervision or does not have teacher's conclusion; Because compare with classification learning, the example of classification learning or data object have the classification mark, the example of cluster then not have mark, need be determined automatically by the clustering learning algorithm.The distance here no longer is the geometric distance in the statistical method, but determine according to the description of notion.When the cluster object can dynamically increase, conceptual clustering then claimed it is that notion forms.

In neural network, a class unsupervised learning method is arranged: the self organizing neural network method; As Kohonen s self-organizing feature map network, competitive learning network or the like.

Associated rule discovery

Correlation rule is the following a kind of rule of form, " in the client who buys bread and butter, having 90% people also to buy milk simultaneously ".By historical Transaction Information is analyzed, can provide extremely valuable information to user's consumer behavior, as cross-selling etc.

Correlation rule has following form:

If I={i1, i2 ..., im} is one group of article collection (article in a market has up to ten thousand kinds), D is one group of affairs collection (being referred to as transaction database).Each affairs T among the D is one group of article, obviously satisfy T? I.Claim affairs T to support article collection X, if X? T.Is correlation rule that a kind of of following form contained: X → Y, wherein X? I, Y? I, and X ∩ Y=f.

(1) claims article collection X to have size and be the support of s, if there are the affairs of s% to support article collection X among the D;

(2) claim correlation rule X → Y in transaction database D, to have size and be the support of s, if the support of article collection X ∪ Y is s;

(3) claim regular X → Y in transaction database D, to have size and be the confidence level of c, if having the affairs of c% also to support article collection Y simultaneously in the affairs of support article collection X among the D.

If do not consider the support and the confidence level of correlation rule, in transaction database, there are infinite many correlation rules so.In fact, people are general only interested in the correlation rule that satisfies certain support and confidence level.In order to find out significant correlation rule, need given two threshold values: minimum support and minimum confidence level.The former is the minimum support that user-defined correlation rule must satisfy, and it has represented the minimum level that the need of one group of article collection on statistical significance satisfy; The latter is the minimum confidence level that user-defined correlation rule must satisfy, and it has reacted the lowest reliable degree of correlation rule.

The feature Data Mining Tools that analytical model is used that adds up provides the abundant algorithm and the realization of various technology, these algorithms all pass through the test of a lot of systems, all has very strong advantage from correctness, efficient and stable aspect, the ripe algorithm that utilizes Data Mining Tools to provide is placed on energy to the understanding of business with above the modeling.

According to the characteristics of Risk-warning and business rule, threshold values is divided into four types comprises:

Basis monocular: the corresponding value of parameter.This type threshold values mostly is the amount of money, frequency type, use the most extensive, for example: " personal account odd-numbered day accumulative total draw the amount of money reach set more than the amount of money ", set the amount of money herein and promptly can be extracted into a basic monocular parameter.This class parameter can be set different parameter values according to different institutions, can solve the areal variation problem that same early warning rule faces.

Basis binocular: corresponding two values of parameter.This type threshold values is used for interval class parameter more, individual rule can be used, and also available two basic monocular parameters substitute, for example: " teller of super business hours work ", working time is divided into work hours and quitting time herein, promptly can extract a basic binocular parameter.This class parameter can be set different parameter values according to different institutions, can solve the areal variation problem that same early warning rule faces.For example above-mentioned rule, the commuter time of the branch bank that each is regional may not be in full accord, therefore need parameter be set respectively according to actual conditions.

The tabulation monocular: the corresponding class value of parameter, the number of value is uncertain.This type parameter is used for type parameters such as subject, transaction code, professional code name more, use extensively, for example: " inner account (comprising profit and loss class account) is used 1622,1631,1613,1103 transaction operations " wherein transaction code may change along with the development of business, but increase or subtract not necessarily, once it is extracted into a tabulation monocular parameter.This type parameter be professional decision itself arranged do not have an areal variation, therefore only need the unified threshold values of setting of head office to get final product.

The tabulation binocular: corresponding two class values of parameter, the number of value is uncertain.It is not extensive that this type parameter uses, and can be used for parameter value in the A group, but special circumstances in the B group not, and adopting this type parameter can remedy data can't be accurate and the situation of differentiation.

Based on the risk monitoring and control process synoptic diagram of business model, key step comprises:

Provide in real time, quasi real time, multiple monitoring technology means such as batch processing, periodic analysis afterwards, realize the collection of business datum and catching of risk point;

Sample according to the tabulation of type of service (wherein having comprised the cross dimension risk point) risk point:

Provide risk indicator to quantize system, can carry out effective recognition and quantification risk point based on KRI (key risk index);

Risk monitoring and warning pattern based on real-time monitoring model, regular traffic model, abnormal traffic model and accumulation characteristic model is provided, thereby reaches risk monitoring the behavior pattern and the accumulation feature of perpetual objects such as client, account, teller;

Utilize rule engine technique that risk quantification index and early-warning parameters index are carried out flexible configuration, realize the rule condition customization of Early-warning Model, thereby risk is carried out automatic early-warning;

Provide the risk verification model of flexible customization, the autonomous detecting of carrying out risk for the user the supply a model environment and the instrument of configuration and model test;

At unusual transaction and suspicious actions, provide integrated risk treatment schemees such as risk monitoring, Risk-warning, investigation and analysis, tracking processing, case management and risk report;

For the Risk-warning monitored results, risk assessment is provided and carries out statistical study.

Every kind of situation is analyzed, is found out possible risk:

Estimated risk need be analyzed, classify according to following estimated risk matrix, lists the assessment result table:

Combination of actions	There is risk	Risk class	Occurrence frequency	Risk level
Combination of actions	There is risk	Risk class	Occurrence frequency	Risk level	Login	Non-working time	The C of moderate	Contingent B	Excessive risk

Combination of actions	There is risk	Risk class	Occurrence frequency	Risk level
Combination of actions	There is risk	Risk class	Occurrence frequency	Risk level		Inoperative place or terminal; Two places are logined simultaneously	The C of moderate	Contingent B	Excessive risk
	Repeatedly login	The C of moderate	Contingent B	Excessive risk			The C of moderate	Contingent B	Excessive risk
	Repeatedly login	The C of moderate	Contingent B	Excessive risk	Login-cancellation	Non-working time (usurping)	Key B	Contingency C	The moderate risk
	Inoperative place or terminal (usurping)	Key B	Contingency C	The moderate risk	Login-cancellation	Non-working time (usurping)	Key B	Contingency C	The moderate risk
	Inoperative place or terminal (usurping)	Key B	Contingency C	The moderate risk		Too short (usurping) at interval	The C of moderate	Contingency C	The moderate risk
Login-open an account	Non-working time (illusory account)	Key B	Contingent B	Excessive risk		Too short (usurping) at interval	The C of moderate	Contingency C	The moderate risk
Login-open an account	Non-working time (illusory account)	Key B	Contingent B	Excessive risk		Inoperative place (illusory account)	Key B	Contingent B	Excessive risk
	Open an account (illusory) often	Key B	Contingency C	The moderate risk		Inoperative place (illusory account)	Key B	Contingent B	Excessive risk
	Open an account (illusory) often	Key B	Contingency C	The moderate risk		The amount of money of opening an account is (void is deposited) greatly	The C of moderate	Contingency C	The moderate risk
Open an account	Frequently (illusory account)	The C of moderate	Contingency C	The moderate risk			The C of moderate	Contingency C	The moderate risk
Open an account	Frequently (illusory account)	The C of moderate	Contingency C	The moderate risk		Same client disperses to open an account (illusory account)	The C of moderate	Contingent B	Excessive risk
	The same client number of times too much (illusory account) of opening an account	The C of moderate	Contingent B	Excessive risk		Same client disperses to open an account (illusory account)	The C of moderate	Contingent B	Excessive risk

With reference to Figure 10 is systemic-function Organization Chart of the present invention, and system has functions such as data acquisition, risk monitoring, Risk-warning, case management, investigation and analysis, information inquiry, risk report, work statistic, regulation management, parameter configuration and system management.Simultaneously, can utilize the WebService interface to conduct interviews for shared data (image data and operational monitoring data); Can call by application interface for interactive information (mail, short message).The system logic level is divided, and comprising:

The business datum layer refers to that mainly the original business datum of native system is originated, and is not the native system internal data.Business datum mainly comes from existing: core business system (Tuxedo), service set system, data warehouse and other external datas: may have external data interface.

Data collection layer mainly utilizes data acquisition platform to gather original business datum from core system, data warehouse and related service system, has realized in real time and two kinds of data acquisition modes of non real-time.

Gather in real time: system's utilization pushes away data and draws two kinds of drainage patterns of data, can carry out (standard) real-time data acquisition by the Tuxedo interface with the data message form from core business system on the one hand; Control on the other hand can link with the workflow interfacing of service set system.

Non real-time is gathered (T+1): utilize the ETL instrument by day whole batch processing carry out the non-real-time data collection.

Data storage layer is mainly used in the storage of Various types of data, comprises gathering two aspects of the derivative data that original business datum and system produced of coming.

Original business datum: mainly comprise business information such as mechanism, client, account, teller, transaction.

System's derivative data: comprise that mainly system produces various information.As: information such as the mechanism that management produces, user, role, authority, daily record, configuration, monitoring; Information such as the risk indicator that risk monitoring and control needs, early warning rule, parameter threshold values; Information such as the Risk-warning information that the risk processing produces, risk investigation information, case management, tracing and monitoring, risk report, work statistic

The risk processing layer, this layer provides all kinds of business logic processing, is mainly realized by three big intelligence engines:

Risk management layer, this layer have been realized a series of risk treatment schemees such as the monitoring, early warning, investigation, tracking, report of accounting event risk, and all business functions of system are provided simultaneously.Mainly be divided into basic management, monitoring and warning two big application function platforms.

Information represents layer, and this layer carries out for all types of user provides unified system information door that function inserts and message reference, has realized that the WEB function represents, BI multidimensional analysis and efficient public security system.The user can be divided into: risk monitor user ', System Operation user, technological development user, the accounting event person in charge, department head, row leader etc.

System by with the data-interface of operation system, can adopt the multiple monitoring mode of interlock control, quasi real time monitoring, monitoring afterwards, periodic analysis and subsequent supervision to carry out the Data Receiving and the risk monitoring of operation system, and the analyzing and processing of carrying out robotization according to built-in risk model and early warning rule, and generation Risk-warning information, thereby help professional supervisor in time to find the risk that exists, and gather measures areput.

Find that system can handle by early warning after the risk, investigation and analysis, case management, follow the tracks of a series of risk treatment schemees such as processings, Reports Administration and function realizes risk investigation, management and report.In the risk processing procedure, system can utilize application interface flexibly, realizes multiple mode early warning information prompting on the one hand, as: mail, note etc.; Can carry out information sharing with mutual with other operation system on the other hand, such as: the verification of calling that the image archives economy carries out voucher, archives can be docked.

More than the present invention is described in detail, used embodiment herein the present invention set forth, more than explanation just is used for help understanding method and system of the present invention; Simultaneously, for one of ordinary skill in the art, according to thought of the present invention, the part that all can change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.

Claims

1. the monitoring exceptional service of bank method of a rule-based engine is characterized in that key step comprises:

Determine key risk index (KPI);

Weigh the compliance and the validity of flow process.

2. method according to claim 1 is characterized in that, described method is by the abnormal conditions of object with the related supervision and check funds flow of the relation of behavior, thereby finds various frauds.

3. method according to claim 1 is characterized in that, described method comprises the risk quantification index system of a cover based on KRI (key risk index).

4. method according to claim 3 is characterized in that, described risk quantification index system adopts hierarchical design from bottom to up, is divided into object outline index, basic risk indicator, regular risk indicator, risk measurement index etc. based on the business datum fairground.

5. method according to claim 1 is characterized in that, described method also comprises a kind of method for building up of monitoring model, comprising:

6. method according to claim 5 is characterized in that described method is in setting up the process of monitoring model, and key step also comprises:

7. method according to claim 1 is characterized in that, the scope of business that described method is monitored risk by the early warning rule base is divided into integrated management, individual gold business, corporate business, foreign exchange transaction, giving credit etc.; Every class business is divided according to monitoring technology, can be divided into four types of real-time monitoring, monitoring afterwards, periodic analysis and subsequent supervisions.

8. method according to claim 1 is characterized in that, described method is carried out the risk monitoring and warning to business datum according to the early warning rule that is provided with automatically with every day, and with the early warning information of system according to its significance level, set user class.

9. the monitoring exceptional service of bank system of a rule-based engine is characterized in that, described system presses logical level and divides, and comprising:

Described business datum layer refers to that mainly the original business datum of system is originated.Business datum mainly comes from existing: core business system, service set system, data warehouse and other external datas.

Described data storage layer is mainly used in the storage of Various types of data, comprises gathering the derivative data that original business datum and system produced of coming.

10. system according to claim 9, it is characterized in that described system has functions such as data acquisition, risk monitoring, Risk-warning, case management, investigation and analysis, information inquiry, risk report, work statistic, regulation management, parameter configuration and system management.

11. system according to claim 9, it is characterized in that, described system by with the data-interface of operation system, can adopt the multiple mode of interlock control, quasi real time monitoring, monitoring afterwards, periodic analysis and subsequent supervision to carry out the Data Receiving and the risk monitoring of operation system, and the analyzing and processing of carrying out robotization according to built-in risk model and early warning rule, and generation Risk-warning information, thereby help professional supervisor in time to find the risk that exists, and gather measures areput.

12. system according to claim 9 is characterized in that, described system manages, follows the tracks of a series of risk treatment schemees and function realization risk investigation, management and reports such as processing, Reports Administration by early warning processing, investigation and analysis, case.In the risk processing procedure, system can utilize application interface flexibly, realizes multiple mode early warning information prompting on the one hand, as: mail, note etc.; Can carry out information sharing with mutual with other operation system on the other hand, such as: the verification of calling that the image archives economy carries out voucher, archives can be docked.

13. system according to claim 9 is characterized in that, described system also provides the parameter flexible configuration for each layer index, and can utilize the graphical and parametrization flexible configuration of regulation engine realization for the Risk-warning rule.