Glossary

This glossary provides terms and definitions for the IBM® Counter Fraud Management software and products.

The following cross-references are used in this glossary:

See refers you from a non-preferred term to the preferred term or from an abbreviation to the spelled-out form.
See also refers you to a related or contrasting term.

For other terms and definitions, see the IBM Terminology website (opens in new window).

A

access permission

A privilege that permits the access or use of an object.

account object

The account data model captures summary detail of accounts that are of interest to the IBM Counter Fraud Management solution. The nature of an account varies according to the domain within which the Counter Fraud solution is deployed. Accounts can be insurance policies, bank accounts, financial market or trading accounts, and so on.

active report

A report output type that provides a highly interactive and easy-to-use managed report that users can consume offline. Active reports are built for business users, allowing them to explore their data and derive additional insight.

Administrator role

In the IBM Counter Fraud Management application, the Administrator performs tasks as part of the initial system configuration and provides run time support and settings for the users of the Counter Fraud case management component. The Administrator role has access to the Counter Fraud System Management Console.

aggregation

The act of collapsing multiple raw records from the Counter Fraud data store into a set of aggregated records, from which additional computations or rules can be applied.

For example, suppose that you have more than 100M transaction records in the CFDB database and a nightly batch ingestion adds 2000 more. An aggregation based analysis flow is triggered when that raw data has been ingested into the CFDB. The aggregation based analysis flow uses prior values combined with all newly ingested raw records, that is, the new 2000 records, to compute a new aggregated set of data. It is this data that other analysis flows then execute rules against.

alert

An alert is created programmatically when an analysis flow detects possible fraud risk in a transaction or other event. By default, alerts are routed to the triage team for inspection and quick determination on whether further investigation is required.

alias

An alternative name used instead of a primary name.

Analysis Director (AD)

The IBM Counter Fraud Management subsystem that determines which analysis flow to run.

analysis flow

An analysis flow demonstrates how an investigator can run fraud detection analytics and open cases for suspicious activity.

analysis request

An analysis request triggers a specific analysis flow to run. After IBM Counter Fraud Management ingests data that is to be analyzed and an AnalysisRequest message is sent to the CF.ANALYSIS.REQUEST queue, the analysis flow starts.

Analyst

In the IBM Counter Fraud Management application, the Analyst role responds to requests from Supervisors or Investigators to perform a more thorough or extensive analysis on an entity or object.

assessment action

Assessment actions determine what actions are programmatically initiated when the threshold for a specific assessment is met. Actions are linked to a specific fraud assessment context. For example, specific actions are taken when an analysis flow detects possible check fraud, and other actions are taken by a different analysis flow that detects possible insurance fraud. For the suspected check fraud, a new case is created and details from the analysis are added to the case as properties, such as party, account number, check amount, and so on. For suspected auto insurance fraud, a case is created, and details such as the party, the vehicle, the estimated loss value, and the policy number are added to the case.

audit store

The database system where audit data is stored. See also CFAUDIT.

authentication (AuthN)

The process of validating the identity of a user or server.

authentication provider

The communication mechanism to an external authentication source. Functionalities, such as user authentication, group membership, and namespace searches, are made available through authentication providers.

AuthN

See authentication.

C

CA: See certificate authority.
Case and Analysis node: The Case and Analysis node manages and analyzes case data for the Counter Fraud solution.
CAUSER: The CAUSER schema defines a federated view of case statistics from IBM Case Manager for analysis and reporting purposes for the IBM Counter Fraud Management system.
certificate: In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority.
certificate authority (CA): A component that issues certificates to each computer on which components are installed.
CFAUDIT: The CFAUDIT schema defines the repository of what has executed, what has been imported, and the lifecycle of analysis routines for the IBM Counter Fraud Management system.
CFFACT: The CFFACT schema defines the data model for the fact store of the IBM Counter Fraud Management CDFB database. This fact store is a set of domain-neutral tables that are designed to adequately capture the business data of any domain.
CFCONFIG: The CFCONFIG schema defines the available analytic routines, their status, and deployment metadata. This schema is used to support REST services that provide the ability to look up the appropriate analysis flows to execute based on the nature of ingested data.
code table: Codes tables are used to support translation of a IBM Counter Fraud Management solution into a supported language.
condition: An expression that can be evaluated as true, false, or unknown. It can be expressed in natural language text, in mathematically formal notation, or in a machine-readable language.
Config store: The database system where the registry of available analytic routines, their status, and deployment metadata is stored. See also CFCONFIG.
content pack: A deployable package for the IBM Counter Fraud Management product platform. Each content pack contains assets and elements for specific Industry UseCases.
content store: A repository that is used to hold specifications of reports, models, and data sources.
credential: A set of information that grants a user or process certain access rights.

D

dashboard: A web page that can contain one or more widgets that graphically represent business data.
data model: The data model defines how the Counter Fraud database captures real world facts and their relationships. The Counter Fraud CFFACT fact store captures the majority of the tables in the data model.
Data node: The Data node contains the databases for the Counter Fraud solution.
data source: The source of data itself, such as a database or XML file, and the connection information necessary for accessing the data.
data store: The database system where data is stored. See also CFFACT.
Decision and Scoring node: The Decision and Scoring node analyzes complex data and provides reports for the Counter Fraud solution.
deployment: The process of moving an application (such as a report or model) to a different instance. For example, reports are often created in a test environment and then deployed to production. When an application is deployed, it is exported, transferred, and imported.
dimension: A broad grouping of descriptive data about a major aspect of a business, such as products, dates, or locations. Each dimension includes different levels of members in one or more hierarchies and an optional set of calculated members or special categories.

E

encryption

In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.

entity

A set of details that are held about a real-world object such as a person, location, or bank account. An entity is a kind of item.

Entity Resume

The Entity Resume report provides a unified collection of all information in the entity database about a specific entity, including names, addresses, identifiers, roles, related entities, role alert history, event alert history, and disclosures.

entity type

A descriptor of the characteristics of an entity, including the properties it can contain and its appearance in visualizations.

ETL

Extract, transform, and load. The process of collecting data from one or more sources, cleansing and transforming it, and then loading it into a database.

event

A change to a state, such as the completion or failure of an operation, business process, or human task, that can trigger a subsequent action, such as persisting the event data to a data repository or invoking another business process.

event object

The event data model captures details of real world events that have occurred, typically because they relate to a business transaction. This portion of the IBM Counter Fraud Management data model captures the detail of the event itself, such as a car accident. The model also captures the relationship between that event and transactions that relate to the event such, as a first notice of loss.

As with transactions, different industries may have different types of events. For instance, an event in banking might be a bankruptcy or theft, while in insurance an event might be an accident, fire, earthquake, or tornado.

F

fact store: The fact store is the part of the Counter Fraud Database (CFDB) that captures the core business data for the Counter Fraud Solution. The fact store is a set of domain-neutral tables that are designed to adequately capture the business data of any domain. See also CFFACT.
federation: The process of building a heterogeneous set of database management systems into a single interface without moving all your data into one database. You can use DB2® federation to retrieve information from either DB2 data sources or non-DB2 sources, such as SQL server.
flow: See analysis flow.
fraud assessment: Assessments track a measurement of potential fraud for a given instance of a business object, such as a specific person, account, or vehicle. For example, a party might be suspected of check fraud based upon the assessment values that are returned from an analysis.

G

group: A collection of users who can share access authorities for protected resources.
group object: The group area of the IBM Counter Fraud Management fact store captures data relating to the groups or parties that interact with the organization both internally and externally. These groups or parties can be individuals or other organizations, and they can play a role in transactions, accounts, events or other business objects. The group or party model provides detailed information about these individuals and organizations and how they interact with the business on an ongoing basis, including relationships between parties, party contact details and addresses, identifications, registrations and personal details.

I

ingestion: The process of moving data into the IBM Counter Fraud Management system. Initial ingestion is often mass ingestion in batches, and data can be continually ingested into the system.
Investigator role: In the IBM Counter Fraud Management application, alerts or cases that are found to be suspicious are routed to the Investigator role. The Investigator initiates and oversees the work to determine the likelihood that fraud has occurred, and what subsequent actions to take.

L

locale: A setting that identifies language or geography and determines formatting conventions such as collation, case conversion, character classification, the language of messages, date and time representation, and numeric representation.

M

Messaging node: The Messaging node coordinates messages and alerts among the Counter Fraud components.

O

object: See group object, group object, event object, party object, physical object, primary objec or related object.
onboarding: The process of moving customer data into the IBM Counter Fraud Management system. See also ingestion.

P

party object: The party data model provides detailed information about individuals and organizations and how they interact with the business on an ongoing basis, including relationships between parties, party contact details and addresses, identifications, registrations and personal details. Parties can be individuals or organizations, and they can play a role in transactions, accounts, events, or other business objects.
pattern: A pattern provides a set of rules for an analysis flow. For example, the Tools Content Pack includes the Quick Start Analytic for ODM, which provides a pattern that is designed to invoke a rule app that is deployed in an ODM rule execution server and then responds to IBM Counter Fraud Management all in one analysis flow.
physical object: The physical object data model captures details of real world objects that are of interest to the IBM Counter Fraud Management solution, such as insured objects or devices used to interact with the organization. Details of a physical object can include make and model, as well as business properties that are typically dependent on the physical object being represented. Physical objects might be related to accounts or parties within the organization, such as policies under which the objects are insured, or the parties that own the objects respectively. For example, in an insurance claim, an automobile is a physical object.
primary object: A primary object is permanently associated with a case or alert from the analytic that is run. You cannot dissociate or remove a primary object similar to a related object.
product locale: The code or setting that specifies which language, regional settings, or both to use for parts of the product interface, such as menu commands.

Q

QA Analyst role: After a Suspicious Activity Report (SAR) is approved and finalized, it is sent to the Quality Assurance (QA) Analyst who reviews the SAR for completeness.
Quick Start Analytic (QSA): The Quick Start Analytic is a pattern template that allows for quick, customizable setup of an analysis flow in IBM Integration Bus (IIB) with minimal configuration.

R

related object: Related objects are items associated with a case or alert. For example, a related object can be a physical device, a transaction, or an event.
report: A set of data deliberately laid out to communicate business information. See also report specification.
report output: The output produced as a result of executing a report specification against a data set.
report specification: An executable definition of a report, including query and layout rules, which can be combined with data to produce a report output. See also report.
report view: A reference to another report that has its own properties, such as prompt values, schedules, and results. Report views can be used to share a report specification instead of making copies of it.
Reporting node: The Reporting node provides reports, analysis, dashboards, and scoreboards for your Counter Fraud solution.
Reporting Manager role: In the IBM Counter Fraud Management application, the Reporting Manager role runs assessment reports, analyzes metrics, and reports data to management.
REST: Representational State Transfer. A software architectural style for distributed hypermedia systems like the World Wide Web. The term is also often used to describe any simple interface that uses XML (or YAML, JSON, plain text) over HTTP without an additional messaging layer such as SOAP.
response file: A file that can be customized with the setup and configuration data that automates an installation. During an interactive installation, the setup and configuration data must be entered, but with a response file, the installation can proceed without any intervention.

S

Suspicious Activity Report (SAR)

A Suspicious Activity Report (SAR) is a document that financial institutions file with the Financial Crimes Enforcement Network (FinCEN) after an incident of suspected fraud is detected. The Counter Fraud solution includes a workflow step for creating the report and adding the required information from the alert or case data.

score

A number or ranking that expresses applicability in relation to a standard. A fraud assessment can return a score, such as a value from one of teh following sets:

Low, Medium, High, Very High
Suspected Fraud, Not fraud
Negative, Neutral, Positive

Secure Sockets Layer (SSL)

A security protocol that provides communication privacy. With SSL, client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

scenario

A specific sequence of actions that illustrates behaviors. A scenario may be used to illustrate an interaction or the execution of one or more use-case instances.

schema

A complete description of all the entity types, link types, and their associated property types that are available for items within a system.

Scoring node

See Decision and Scoring node.

session

The time during which an authenticated user is logged on.

SSL

See Secure Sockets Layer.

summary

In reporting and analysis, an aggregate value that is calculated for all the values of a particular level or dimension. Examples of summaries include total, minimum, maximum, average, and count.

Supervisor role

In the IBM Counter Fraud Management application, supervisors have the authority to modify queue filters, change the priority of an alert, or redirect an alert to a different triage team.

T

task: An action performed by an agent if the event status meets the task execution rules. For example, an agent can send an email, publish a news item, or run a report.
thumbnail: An icon-sized rendering of a larger graphic image that permits a user to preview the image without opening a view or graphical editor.
transaction object: The transaction data model captures the business transactions that are occurring against accounts in order to monitor activities that may be indicative of fraud or financial crimes. Transaction records such as claims, credits, and debits are captured, including the parties that relate to that transaction, and events that may have a relationship with the transaction.
Triage team: In the IBM Counter Fraud Management application, triage teams are comprised of triage analysts who evaluate incoming alerts and determine a disposition for each alert. The analyst reviews details, opens work items, and can close or re-route alerts for further investigation.

W

watchlist: A watchlist refers to a group of parties, whether individuals or companies, that are considered suspicious. The term watchlist usually refers to a list of potential fraudsters or criminals that increase the risk of fraud or other nefarious activities. A watchlist can also be a list of "good guys," or likely false positives, such as the Safe Flyers list.
widget: A portable, reusable application or piece of dynamic content that can be placed into a web page, receive input, and communicate with an application or with another widget.