Inspiration
Compliance teams are financial detectives. They catch fraud through a structured stack — automated transaction monitoring, behavioral analytics, mandatory directives, and human investigation — all built around a Risk-Based Approach that separates normal noise from real threats.
But every layer of that stack has the same blind spot: it only acts when a rule fires. Threshold alerts wait for a transaction over a limit. Velocity checks wait for a burst. KYC anomaly detection waits for a deviation from "normal." The link-and-network analysis that actually unravels an organized ring is gated behind an alert that has to fire first.
So we asked: what about a ring engineered to never fire one?
That's exactly what we found at Crestline Community Bank. A ring moved $161,751 over 90 days and the monitoring system caught none of it — no transfer crossed a threshold (the largest was $899), nothing tripped a velocity rule, and the accounts were too new to have a baseline to violate. The fraud existed only in the pattern — small transfers, between coordinated accounts, in a deliberate flow. No single rule can see a pattern.
And the person responsible for catching it? A compliance officer who isn't a data scientist, can't write a query, and has minutes per case. Today they're handed either nothing (no alert fired) or a wall of raw transactions they can't parse.
We built RiskRadar for them.
What it does
RiskRadar reads raw bank transactions, finds the coordinated ring the rules missed, and produces one screen a compliance officer can act on in three minutes — without ever touching a database.
The officer sees a finished investigation, not a raw alert:
A verdict — risk level, accounts involved, total exposure.
A plain-English "why" — the coordination signals, in language a regulator accepts.
Expandable evidence — every claim drills down to the source transactions. Every figure traces to its origin.
One action — escalate for SAR review or dismiss, with the reason automatically logged.
It runs the link-and-network analysis that the bank's monitoring never triggered — proactively, on data no alert flagged — and turns it into a signed, audit-ready case file.
On Crestline's data, it caught: a coordinated ring spanning 11 sequential accounts (AC-0001 to AC-0011), of which 9 actively moved $161,750.90 across 250 sub-threshold transfers, with two dormant shell accounts consistent with the ring's setup.
Four coordination signals, none of which trips a rule:
All money moves account-to-account, hidden inside 4,750 normal merchant transactions.
Every ring account opened within an 8-day window, then immediately began moving money — structuring with no KYC baseline to violate.
Every transfer sits between $402 and $899 — deliberately spread below any reporting threshold (textbook smurfing).
The money travels in a coordinated fan-and-relay pattern — the structure is the fraud, not any single payment.
The bank's rules fired zero alerts. RiskRadar caught all of it.
How we built it
RiskRadar is a four-agent pipeline with Cognee as the memory layer threading every stage, so the evidence chain stays intact from raw data to signed report — each agent recalls the previous agent's work through Cognee:
Find it — reads the 5,000-transaction dataset, isolates the account-to-account flows hiding inside normal merchant activity, and surfaces the ring as a structured Finding. This is the link analysis the monitoring system never triggered.
Rank it — risk-scores findings worst-first, recording a reason for every ranking decision.
Act on it — escalates, flags, or dismisses; every action carries a logged reason — never "the model said so" — which is exactly the audit trail a SAR requires.
Explain it — writes the plain-language, signable, downloadable audit summary (owned by our Domain Expert via Geodo).
The detection itself is derived, not hardcoded: build the transaction graph, separate account-to-account flows from merchant noise, then surface the coordinated component and its signals. On top sits a compliance-officer interface designed for someone who has never opened a database — plain language first, evidence on demand, the transaction graph tucked behind a "show the money path" button.
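The derivation described above, as an added sketch that is not RiskRadar's own code: it filters out merchant activity, builds the account-to-account graph, and keeps only connected components that show the coordination signals. The sample rows, account IDs, field layout, the `find_rings` name and the 1000.0 threshold are constructed assumptions; the 8-day onboarding window is the one figure taken from the write-up.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not Crestline's dataset); IDs and layout are assumptions.
ACCOUNTS = {  # account id -> opening date
    "AC-9001": date(2024, 1, 2), "AC-9002": date(2024, 1, 5), "AC-9003": date(2024, 1, 9),
    "AC-7001": date(2019, 6, 1), "AC-7002": date(2021, 3, 14),
}
TXNS = [  # (sender, counterparty, amount)
    ("AC-9001", "AC-9002", 640.00), ("AC-9001", "AC-9003", 815.50),
    ("AC-9002", "AC-9003", 402.25), ("AC-9003", "AC-9001", 899.00),
    ("AC-9002", "AC-9001", 575.75),
    ("AC-7001", "AC-7002", 2500.00),  # ordinary one-off transfer between old accounts
    ("AC-9001", "MERCH-GROCER", 54.10), ("AC-7001", "MERCH-FUEL", 61.00),
    ("AC-7002", "MERCH-GROCER", 23.40), ("AC-9002", "MERCH-CAFE", 7.80),
]

def find_rings(txns, accounts, threshold=1000.0, window_days=8, min_transfers=3):
    """Return connected account groups that show every coordination signal."""
    # 1. Separate account-to-account flows from merchant noise.
    a2a = [t for t in txns if t[0] in accounts and t[1] in accounts]
    # 2. Build an undirected adjacency map over those flows.
    adj = defaultdict(set)
    for sender, receiver, _ in a2a:
        adj[sender].add(receiver)
        adj[receiver].add(sender)
    # 3. Walk each connected component and score it on the signals.
    seen, rings = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        flows = [t for t in a2a if t[0] in comp]
        opened = [accounts[a] for a in comp]
        signals = {
            "all_sub_threshold": all(t[2] < threshold for t in flows),
            "opened_together": (max(opened) - min(opened)).days <= window_days,
            "repeated_transfers": len(flows) >= min_transfers,
        }
        if all(signals.values()):  # no single signal is enough on its own
            rings.append({"accounts": sorted(comp), "transfers": len(flows),
                          "total": round(sum(t[2] for t in flows), 2), "signals": signals})
    return rings
```

Each returned entry keeps its transfer count, total and per-signal results, so a reviewer can trace the verdict back to the rows that produced it.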
How the stack powers each part
Every tool maps to a specific job — not bolted on, but load-bearing:
Cognee — the memory between agents. The spine. Each agent writes its work to Cognee and the next reads it back, so the evidence chain survives every hand-off: Findings → rankings → logged actions → summary. Without it, four disconnected scripts; with it, one investigation that remembers how it reached its conclusion — which is what makes the case file auditable.
Geodo — the Domain Expert. Researches the real entities behind the data (community-bank accounts, ACH/structuring patterns) and owns Agent 4 (Explain it) — turning findings into the plain-language, regulator-credible narrative a non-technical officer can sign.
Python pipeline — Agent 1's engine. Builds the transaction graph, separates account-to-account flows from merchant noise, derives the ring. Transparent and re-runnable, so the finding is earned — every run reproduces $161,750.90.
Kaggle Track 02 — the proof. Verified against the official benchmark; hitting the figure to the cent is what makes the tool correct, not just plausible.
Trupeer — the demo. Recorded as the compliance officer using the product, not engineers explaining code.
Eleven Labs — AI voice agent
PyMC (stretch) — probabilistic scoring. Models the suspiciously uniform transfer totals as a fingerprint too regular to be organic.
Challenges we ran into
Finding the right ring, not a plausible one. With the benchmark verified against a hidden answer key, a confident-but-wrong cluster fails instantly. We anchored on the dollar figure — and isolating the account-to-account flows produced a total of $161,750.90, matching the hint to the cent. That was our confirmation we'd found the ring.
Reconciling "~12 accounts" with the data. The hint said approximately 12; the active flow involved 9. Investigating the ID block revealed two dormant shell accounts (AC-0004, AC-0008) registered in the ring's sequence but never activated — resolving the count to an 11-account block, 9 active. The dormant shells became a finding, not a discrepancy.
Killing a false signal. We initially assumed shared devices were part of the coordination — but the data showed each sender on a unique device. We cut the claim rather than ship a signal the evidence didn't support. In compliance work, an unsupported claim is worse than no claim.
Designing for a non-technical user. The hardest UI decision was removing things — no graph-first view, no tuning controls, no jargon. The graph is evidence behind a button, not the product.
Accomplishments that we're proud of
We caught a ring the rules scored zero on — and our finding matches the answer key exactly ($161,750.90).
Every figure is traceable. No black-box score. The officer can drill from the verdict down to individual transactions — the difference between a tool and a defensible report.
Every action is logged with a reason, satisfying both the judging gate and the real-world SAR audit standard.
A genuinely usable interface for a non-technical compliance officer — a finished investigation, readable and actionable in three minutes.
What we learned
Fraud detection is a relationship problem, not a transaction problem. No individual transaction in this ring was suspicious. The fraud lived entirely in the structure between accounts — which is precisely what threshold rules can't see and what a memory graph can.
The existing compliance stack is reactive by design. Its most powerful tool — link-and-network analysis — only runs after an alert. The opportunity is to run that analysis proactively, on the data no alert flagged.
For a non-technical user, explainability is the product. Provenance and plain language aren't features on top of fraud detection — for a compliance officer, they are the deliverable.
Discipline beats cleverness on a verified benchmark. Anchoring on the one exact number (the dollar total) and cutting an unsupported signal mattered more than any sophisticated model.
What's next for RiskRadar
Generalize the detectors so they surface rings on any transaction set without prior knowledge of the answer — circular-flow, structuring, coordinated-onboarding, and shell-account detection as reusable agent skills.
Case memory across investigations — store every confirmed ring in Cognee so future cases can ask "have we seen this pattern before?" and match against history. Fraud detection becomes organizational memory, not one-off search.
Probabilistic scoring (PyMC) — the suspiciously regular per-pair transfer totals are a statistical fingerprint; a Bayesian model could flag amount distributions that are too uniform to be organic.
Live monitoring mode — run the link analysis continuously as transactions clear, surfacing rings before the money leaves the network rather than 90 days later.
One-click SAR generation — extend Agent 4 to produce the full regulatory filing, not just the internal case file.
Built With
- api
- cognee
- css
- data
- geodo
- html
- javascript
- kaggle
- python
- source
- trupeer