Material improvement in high-risk behaviour detection
Triage time reduced from hours to minutes per case
Significant false positive reduction through behavioural scoring
Regulatory defensibility strengthened with explainable, auditable alert logic
Designed and built an autonomous trader surveillance system for an international investment bank, replacing keyword-based searches with graph-driven behavioural analytics. The system unifies communications across Bloomberg, email, and IM into a knowledge graph, models individual behavioural baselines, and produces explainable, investigation-ready alerts that materially improved detection quality while reducing false positives.
The Problem
Trade surveillance in most banks still relies on keyword searches across communications, static rules that fire on pre-defined patterns, and investigators manually piecing together timelines from siloed data sources. Bloomberg chat sits in one system, email in another, instant messaging in a third. When something suspicious surfaces, it is usually late, incomplete, or buried in noise.
The Solution
We designed and built an autonomous surveillance system grounded in a knowledge graph that unifies communications, trading activity, and relationship data into a single, queryable structure. Rather than searching for known bad phrases, the system models normal behaviour for each individual and flags deviations: changes in communication patterns, new or unusual relationships, shifts in sentiment or topic, and clusters of activity that deviate from an established baseline.
The system first resolves identities across platforms (linking "John Smith" in email, "jsmith" on Bloomberg, and "JS_Trading" in IM to one canonical entity), then loads all communications, trades, and relationships into the knowledge graph. Every message passes through an NLP pipeline that classifies topics, tracks sentiment, and uses embedding-based similarity to detect semantically related conversations even when they share no common keywords. This catches paraphrasing and coded language that keyword search misses entirely.
Behavioural profiles are built for each trader using self-organising models that cluster individuals by behavioural similarity without requiring pre-defined categories. The system learns what normal looks like for each person and peer group, then surfaces deviations across multiple dimensions simultaneously: unusual communication volume, channel switching, new counterparties, behavioural drift, and temporal correlation between unusual communications and unusual trading activity. The critical design principle was explainability: every alert includes a structured narrative describing who is involved, what changed, why the system considers it anomalous, and what evidence supports that assessment. Investigators receive a story they can evaluate and defend to a regulator, not a black-box score.
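The per-person baseline, multi-signal convergence and explainable alert described above, as an added example that is not the surveillance system's own code. It substitutes a plain z-score against each trader's own history for the self-organising models, and the signal names, thresholds, trader id and sample data are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed ten-day history for one trader; signal names are hypothetical.
HISTORY = {
    "messages_sent":      [40, 42, 38, 45, 41, 39, 43, 40, 44, 42],
    "new_counterparties": [0, 1, 0, 0, 1, 0, 0, 1, 0, 0],
    "channel_switches":   [2, 3, 2, 1, 2, 3, 2, 2, 1, 2],
    "trade_notional_m":   [5.0, 5.5, 4.8, 5.2, 5.1, 4.9, 5.3, 5.0, 5.4, 5.2],
}
Z_THRESHOLD = 3.0     # assumed per-signal deviation cut-off
MIN_CONVERGING = 2    # assumed: alert only when several signals deviate together


def build_alert(trader, history, today):
    """Score today's activity against the trader's own baseline.

    Returns None unless at least MIN_CONVERGING signals deviate, otherwise a
    dict carrying who, what changed, why, and the supporting evidence.
    """
    evidence = []
    for signal, past in history.items():
        baseline = mean(past)
        spread = max(stdev(past), 1e-6)   # guard against a perfectly flat history
        z = (today[signal] - baseline) / spread
        if abs(z) >= Z_THRESHOLD:
            evidence.append({"signal": signal, "baseline": round(baseline, 2),
                             "observed": today[signal], "z": round(z, 1)})
    if len(evidence) < MIN_CONVERGING:
        return None                        # a single outlier is treated as noise
    evidence.sort(key=lambda e: abs(e["z"]), reverse=True)
    why = "; ".join(
        f"{e['signal']} was {e['observed']} against a baseline of "
        f"{e['baseline']} (z={e['z']})" for e in evidence)
    return {"who": trader,
            "what_changed": [e["signal"] for e in evidence],
            "why": f"{len(evidence)} signals deviated on the same day: {why}",
            "evidence": evidence}


if __name__ == "__main__":
    busy_day = {"messages_sent": 90, "new_counterparties": 0,
                "channel_switches": 2, "trade_notional_m": 5.1}
    converging = {"messages_sent": 41, "new_counterparties": 4,
                  "channel_switches": 2, "trade_notional_m": 9.0}
    print(build_alert("T-001", HISTORY, busy_day))     # no alert
    print(build_alert("T-001", HISTORY, converging))   # explained alert
```

Requiring convergence is what suppresses the busy-day case: message volume alone is far outside baseline, yet no alert is raised until a second signal moves with it.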
Results and Impact
| Outcome | Detail |
|---|---|
| Detection quality | Material improvement in identifying genuinely high-risk behaviour, with fewer low-value alerts reaching investigators |
| False positive reduction | Significant decrease in noise through behavioural scoring and multi-signal convergence |
| Time to triage | Reduced from hours of manual review per case to minutes, driven by investigation-ready narratives |
| Investigator trust | Increased adoption and confidence through transparent, explainable alert logic |
| Regulatory posture | Strengthened defensibility of surveillance programme through documented, auditable reasoning |
| Adaptability | System detects novel misconduct patterns without requiring manual rule creation |
Key Takeaways
- Surveillance succeeds when investigators trust it. Explainability mattered as much as model performance. A system that produces perfect scores but cannot explain why will be ignored, or worse, will create liability when an unexplainable alert is dismissed.
- Identity resolution is the hidden hard problem. Most of the engineering difficulty was not in the ML or the graph analytics. It was in reliably linking disparate identities across messy, inconsistent data sources to the same human being.
- Graphs reveal what rules miss. Graph views show relationships, clusters, and patterns of intent that investigators would never have discovered through linear search. Cross-channel visibility is non-negotiable because misconduct does not stay on one platform.