Glossary

This glossary provides terms and definitions for the IBM® Counter Fraud Management software and products.

The following cross-references are used in this glossary:

See refers you from a non-preferred term to the preferred term or from an abbreviation to the spelled-out form.
See also refers you to a related or contrasting term.

For other terms and definitions, see the IBM Terminology website (opens in new window).

A

access permission

A privilege that permits the access or use of an object.

account object

The account data model captures summary detail of accounts that are of interest to the IBM Counter Fraud Management solution. The nature of an account varies according to the domain within which the Counter Fraud solution is deployed. Accounts can be insurance policies, bank accounts, financial market or trading accounts, or other types of accounts.

action

Triggers a transition between states. Actions can be reused across contexts.

active report

A report output type that provides a highly interactive and easy-to-use managed report that users can use offline. Active reports are built for business users, allowing them to explore their data and derive more insight.

Administrator role

In the IBM Counter Fraud Management application, the Administrator completes tasks as part of the initial system configuration and provides runtime support and settings for the users of IBM Counter Fraud Management.

aggregation

The act of collapsing multiple raw records from the Counter Fraud data store into a set of aggregated records, from which more computations or rules can be applied.

For example, suppose that you have more than 100 M transaction records in the Counter Fraud database and a nightly batch ingestion adds 2000 more. An aggregation-based analysis flow is triggered when that raw data is imported into the Counter Fraud database. The aggregation-based analysis flow uses prior values that are combined with all newly imported raw records, that is, the new 2000 records, to compute a new aggregated set of data. It is this data that other analysis flows then run rules against.

alert

An alert is part of the investigative process. In ICFM, this term is used synonymously with the term investigation. An alert/investigation is created programmatically when an analysis flow detects possible fraud risk in a transaction or other event. By default, alerts are routed to the triage analyst for inspection and quick determination on whether an Investigator needs to review for further action.

alias

An alternative name that is used instead of a primary name.

Analysis Director (AD)

The IBM Counter Fraud Management subsystem that determines which analysis flow to run.

analysis flow

An analysis flow demonstrates how an investigator can run fraud detection analytics and open investigations for suspicious activity.

analysis request

An analysis request triggers a specific analysis flow to run. After IBM Counter Fraud Management imports data that is to be analyzed and an AnalysisRequest message is sent to the CF.ANALYSIS.REQUEST queue, the analysis flow starts.

Analyst

In the IBM Counter Fraud Management application, the Analyst role responds to requests from Supervisors or Investigators to perform a more thorough or extensive analysis on an entity or object.

Analytics server

In a three-server environment, the Analytics server contains the following components:

IBM Analytic Decision Management
Operational Decision Management Rules Decision Center
Operational Decision Management Rules Execution Server
SPSS Collaboration and Decisions Support Remote Process Server
SPSS Collaboration and Decisions Support Repository Server
SPSS Modeler Premium Server
SPSS Statistics Server

assessment action

Assessment actions determine what actions are programmatically initiated when the threshold for a specific assessment is met. Actions are linked to a specific fraud assessment context. For example, specific actions are taken when an analysis flow detects possible check fraud, and other actions are taken by a different analysis flow that detects possible insurance fraud. For the suspected check fraud, a new investigation is created and details from the analysis are added to the investigation as properties, such as individuals, account number, or check amount. For suspected auto insurance fraud, an investigation is created, and details such as the individual, the vehicle, the estimated loss value, and the policy number are added to the investigation.

authentication (AuthN)

The process of validating the identity of a user or server.

authentication provider

The communication mechanism to an external authentication source. Functionality, such as user authentication, group membership, and namespace searches, is made available through authentication providers.

AuthN

See authentication.

B

business object: Business objects provide a method for renaming and mapping the Counter Fraud database tables to meet the needs of a specific customer. The database tables that Counter Fraud uses are structured in a generic way so that they can be used across multiple industries. However, generic tables and columns might not have names that reflect the industry that Counter Fraud is configured for. Business objects are also called business objects.
business object type: Types of business objects. For example, Accounts, Events, Physical Objects, and Transactions.

C

CA

See certificate authority.

CAUSER

The CAUSER schema defines a federated view of investigation statistics from IBM Case Manager for analysis and reporting purposes for the IBM Counter Fraud Management system.

certificate

In computer security, a digital document that binds a public key to the identity of the certificate owner, thus enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority. See also server certificate, signer certificate, and signer certificate.

Certificate Signing Request (CSR)

An electronic message that an organization sends to a certificate authority (CA) to obtain a certificate. The request includes a public key and is signed with a private key; the CA returns the certificate after signing with its own private key.

certificate authority (CA)

A component that issues certificates to each computer on which components are installed.

CFFACT

The CFFACT schema defines the data model for the fact store of the IBM Counter Fraud Management CDFB database. This fact store is a set of domain-neutral tables that are designed to adequately capture the business data of any domain.

CMS-1500 Medicare Claims Processing Manual

Medicare claims must be submitted on the CMS-1500 form and submitted for processing. For more information on entering data and submitting claims, see the "Medicare Claims Processing Manual, Chapter 26 - Completing and Processing Form CMS-1500 Data Set" PDF at https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/downloads/clm104c26.pdf.

CMS-1500 Medicare health insurance claim form

National Uniform Claim Committee (NUCC) approved claim form for Medicare. For a sample form, see the sample insurance claim form PDF at https://www.cms.gov/Medicare/CMS-Forms/CMS-Forms/Downloads/CMS1500.pdf.

code table

Codes tables are used to support translation of a IBM Counter Fraud Management solution into a supported language.

condition

An expression that can be evaluated as true, false, or unknown. It can be expressed in natural language text, in mathematically formal notation, or in a machine-readable language.

content pack

A deployable package for the IBM Counter Fraud Management product platform. Each content pack contains assets and elements for specific industry usecases.

content store

A repository that is used to hold specifications of reports, models, and data sources.

Core server

In a three-server environment, the Core server contains the following components:

IBM HTTP server
WebSphere® Application Server HTTP plug-in
WebSphere Application Server Network Deployment - ICFM application
DB2® client
IBM Message Queue
IBM Integration Bus

CPT (Current Procedural Terminology) code

Providers use this code set to report medical diagnoses and procedures on claims for services.

For more information, see the Medicare "ICD-9-CM, ICD-10-CM, ICD-10-PCS, CPT, and HCPCS Code Sets" PDF at https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/ICD9-10CM-ICD10PCS-CPT-HCPCS-Code-Sets-Educational-Tool-ICN900943.pdf.

CSR

See Certificate Signing Request.

credential

A set of information that grants a user or process certain access rights.

D

dashboard: A web page that can contain one or more widgets that graphically represent business data.
data model: The data model defines how the Counter Fraud database captures real world facts and their relationships. The Counter Fraud CFFACT fact store captures most of the tables in the data model.
Data server: In a three-server environment, the Data server contains the DB2 databases for the Counter Fraud solution.
data source: The source of data itself, such as a database or XML file, and the connection information necessary for accessing the data.
data store: The database system where data is stored. See also CFFACT.
DEA (Drug Enforcement Administration) number: All healthcare providers who write prescriptions for controlled substances must apply for an ID. For more information, see the "DEA number" topic at https://en.wikipedia.org/wiki/DEA_number.
deployment: The process of moving an application (such as a report or model) to a different instance. For example, reports are often created in a test environment and then deployed to production. When an application is deployed, it is exported, transferred, and imported.
Diagnosis-Related Group (DRG) and Ambulatory Payment Classification (APC): DRG is a system that classifies hospital cases into groups that have similar hospital resource use. APC is a system that classifies hospital facility outpatient services into groups. Both systems are used by Medicare. For more information, see the "DRGs & APCs (Diagnosis-Related Group & Ambulatory Payment Classification)" topic at https://www.findacode.com/medical-code-sets/drgs-apcs.html.
dimension: A broad grouping of descriptive data about a major aspect of a business, such as products, dates, or locations. Each dimension includes different levels of members in one or more hierarchies and an optional set of calculated members or special categories.

E

encryption: In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.
entity: A set of details that are held about a real-world object such as a person, location, or bank account. An entity is a kind of item.
entity type: A descriptor of the characteristics of an entity, including the properties that it can contain and its appearance in visualizations.
ETL: Extract, transform, and load. The process of collecting data from one or more sources, cleansing and transforming it, and then loading it into a database.
Episode-based payment: An episode payment is a single price for all of the services that are needed by a patient for an entire episode of care rather than separate billings for each visit and procedure. For more information, see the "Transitioning to Episode-Based Payment" PDF at http://www.chqpr.org/downloads/transitioningtoepisodes.pdf.
event: A change to a state, such as the completion or failure of an operation, business process, or human task, that can trigger a subsequent action, such as persisting the event data to a data repository or invoking another business process.
event object: The event data model captures details of real world events that occurred, typically because they relate to a business transaction. This portion of the IBM Counter Fraud Management data model captures the detail of the event itself, such as a car accident. The model also captures the relationship between that event and transactions that relate to the event such, as a first notice of loss.
As with transactions, different industries might have different types of events. For instance, an event in banking might be a bankruptcy or theft, while in insurance an event might be an accident, fire, earthquake, or tornado.

F

fact store: The fact store is the part of the Counter Fraud database that captures the core business data for the Counter Fraud solution. The fact store is a set of domain-neutral tables that are designed to adequately capture the business data of any domain. See also CFFACT.
federation: The process of building a heterogeneous set of database management systems into a single interface without moving all your data into one database. You can use DB2 federation to retrieve information from either DB2 data sources or other sources, such as SQL server.
flow: See analysis flow.
folio: The generic object representing an investigation.
fraud assessment: Assessments track a measurement of potential fraud for a specific instance of a business object, such as a specific person, account, or vehicle. For example, an individual might be suspected of check fraud based on the assessment values that are returned from an analysis.
fraud context: A workflow is associated with a context, such as wire or check fraud. Multiple workflows can be created per context. A workflow can exist only in a single context but might be replicated in other contexts.

G

Global Security Toolkit (GSKit): A toolkit for managing digital certificates used in implementing Secure Sockets Layer (SSL) security.
group: A collection of users who can share access authorities for protected resources.
group object: The group area of the IBM Counter Fraud Management fact store captures data that relates to the groups or parties that interact with the organization both internally and externally. These groups or parties can be individuals or other organizations, and they can play a role in transactions, accounts, events, or other business objects. The group or party model provides detailed information about these individuals and organizations and how they interact with the business on an ongoing basis, including relationships between parties, party contact details and addresses, identifications, registrations and personal details.
GSKit: See Global Security Toolkit (GSKit).

H

HCPCS (Healthcare Common Procedure Coding System) code: Providers use this code set to report medical diagnoses and procedures on claims for services.; For more information, see the Medicare "ICD-9-CM, ICD-10-CM, ICD-10-PCS, CPT, and HCPCS Code Sets" PDF at https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/ICD9-10CM-ICD10PCS-CPT-HCPCS-Code-Sets-Educational-Tool-ICN900943.pdf.

I

ICD, CPT, HCPCS codes

Providers use these code sets to report medical diagnoses and procedures on claims for services.

IDC: International Classification of Diseases
CPT: Current Procedural Terminology
HCPCS: Healthcare Common Procedure Coding System

Identity Provider (IdP)

Specifies the application that creates the Security Assertion Markup Language (SAML) assertion. This application can challenge the user agent to obtain the user credentials, validate these credentials against a user registry, and if valid, generate a SAML assertion.

in-basket

A container for storing investigations. A team can manage more than one in-basket, but can view only investigations that are within in-baskets that are assigned to that team. The automated assignment of investigations to baskets can be configured by the Administrator. The investigations that are not automatically assigned to an in-basket are added to the "Undefined" in-basket, where they can be assigned manually by an authorized role. For example, in-baskets can be used to separate investigations related to check fraud and wire fraud.

Industry UseCase

A Counter Fraud solution must be hooked up to client data, and the analytic must detect certain types of fraud patterns. The implementation of the ICFM product to achieve those client-specific goals is through a specific set of extension points. The collection of extension points that address a specific business usecase is called an Industry UseCase.

ingestion

The process of moving data into the IBM Counter Fraud Management system. Initial ingestion is often mass ingestion in batches, and data can be continually ingested into the system.

Investigator role

In the IBM Counter Fraud Management application, investigations that are found to be suspicious are routed to the Investigator role. The Investigator initiates and oversees the work to determine the likelihood that fraud occurred, and what subsequent actions to take.

K

key database: In security, a storage object, either a file or a hardware cryptographic card, where identities and private keys are stored for authentication and encryption purposes. Some key databases also contain public keys. See also stash file.
key file: In computer security, a file that contains public keys, private keys, trusted roots, and certificates. See key ring.
key ring: In computer security, a file that contains public keys, private keys, trusted roots, and certificates. See key file.

keystore: In security, a file or a hardware cryptographic card where identities and private keys are stored, for authentication and encryption purposes. Some keystores also contain trusted or public keys. See also truststore.

L

locale: A setting that identifies language or geography and determines formatting conventions such as collation, case conversion, character classification, the language of messages, date and time representation, and numeric representation.
business object: See business object.

M

Major Diagnostic Categories (MDC): The Major Diagnostic Categories are formed by dividing all possible principal diagnoses into 25 mutually exclusive diagnosis areas. DRG codes also are mapped into MDC codes. For more information, see the "LIST OF DIAGNOSIS RELATED GROUPS (DRGS), FY2008" PDF at https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MedicareFeeforSvcPartsAB/downloads/DRGdesc08.pdf.
Medicare Part A versus Part B: Medicare coverage plans determine which services are eligible for payment. For more information, see the "What does Medicare cover (Parts A, B, C, and D)?" topic at https://www.medicareinteractive.org/get-answers/introduction-to-medicare/explaining-medicare/what-does-medicare-cover-parts-a-b-c-and-d.
Medicare Provider/Supplier to Healthcare Provider taxonomy crosswalk: This publication links the types of providers and suppliers who are eligible to apply for enrollment in the Medicare program with the appropriate Healthcare Provider Taxonomy Codes. For more information, see the "MEDICARE PROVIDER/SUPPLIER to HEALTHCARE PROVIDER TAXONOMY" PDF at https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/MedicareProviderSupEnroll/downloads/JSMTDL-08515MedicarProviderTypetoHCPTaxonomy.pdf.

N

National Correct Coding Initiative (NCCI): The CMS developed the National Correct Coding Initiative (NCCI) to promote national correct coding methodologies and to control improper coding that might lead to inappropriate payment in Part B claims. For more information, see the "National Correct Coding Initiative Edits" article at https://www.cms.gov/Medicare/Coding/NationalCorrectCodInitEd/index.html.

O

object: See account object, group object, event object, party object, physical object, primary object or related object.
onboarding: The process of moving customer data into the IBM Counter Fraud Management system. See also ingestion.

P

party object: The party data model provides detailed information about individuals and organizations and how they interact with the business on an ongoing basis, including relationships between parties, party contact details and addresses, identifications, registrations and personal details. Parties can be individuals or organizations, and they can play a role in transactions, accounts, events, or other business objects.
pattern: A pattern provides a set of rules for an analysis flow. For example, the Quick Start Analytic for ODM provides a pattern that is designed to invoke a RuleApp that is deployed in an ODM rule execution server and then responds to IBM Counter Fraud Management all in one analysis flow.
personal certificate: The digital certificate that a client or server gives to other clients or servers as a means of authentication. A personal certificate is usually obtained from a certificate authority.
physical object: The physical object data model captures details of real world objects that are of interest to the IBM Counter Fraud Management solution, such as insured objects or devices that are used to interact with the organization. Details of a physical object can include make, model, and other business properties that are typically dependent on the physical object that is represented. Physical objects might be related to accounts or parties within the organization, such as policies under which the objects are insured, or the parties that own the objects. For example, in an insurance claim, an automobile is a physical object.
Place of Service codes (POS): POS codes are used on medical claims to specify the entity where the service was rendered. For more information, see the "Place of Service Codes for Professional Claims" PDF at https://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/PhysicianFeeSched/Downloads/Website-POS-database.pdf.
primary object: A primary object is permanently associated with an investigation from the analytic that is run. You cannot dissociate or remove a primary object similar to a related object.
private key: An algorithmic pattern used to encrypt messages that only the corresponding public key can decrypt. The private key is also used to decrypt messages that were encrypted by the corresponding public key. The private key is kept on the user system and is protected by a password. See also public key.
product locale: The code or setting that specifies which language, regional settings, or both to use for parts of the product interface, such as menu commands.
Provider Specialty Codes: All physicians, practitioners, and other suppliers who provide services to Medicare beneficiaries must enroll in the Medicare program before claims can be submitted. At the time of enrollment, Medicare assigns a two-digit specialty code that corresponds to the specialty type declared by the applicant on the enrollment form.
public key: An algorithmic pattern used to decrypt messages that were encrypted by the corresponding private key. A public key is also used to encrypt messages that can be decrypted only by the corresponding private key. Users broadcast their public keys to everyone with whom they must exchange encrypted messages. See also private key.

Q

QA Analyst role: After a Suspicious Activity Report (SAR) is approved and finalized, it is sent to the Quality Assurance (QA) Analyst who reviews the SAR for completeness.
Quick Start Analytic (QSA): The Quick Start Analytic is a pattern template that allows for quick, customizable setup of an analysis flow in IBM Integration Bus (IIB) with minimal configuration.

R

related object: Related objects are items that are associated with an investigation. For example, a related object can be a physical device, a transaction, or an event. Related objects are automatically attached to an investigation by the analytics engine, but objects can be added and removed manually by an authorized role. The type of related object that is attached to an investigation differs depending on the context of the fraud that is investigated.
report: A set of data that is deliberately laid out to communicate business information.
report output: The output that is produced as a result of running a report specification against a data set.
report view: A reference to another report that has its own properties, such as prompt values, schedules, and results. Report views can be used to share a report specification instead of making copies of it.
REST: Representational State Transfer. A software architectural style for distributed hypermedia systems like the World Wide Web. The term is also often used to describe any simple interface that uses XML (or YAML, JSON, plain text) over HTTP without an extra messaging layer such as SOAP.
response file: A file that can be customized with the setup and configuration data that automates an installation. During an interactive installation, the setup and configuration data must be entered, but with a response file, the installation can proceed without any intervention.
role: Users can be assigned to one or more roles. Roles are used to determine the view that is provided to the user and the actions that they are authorized to perform. Roles are configured by using LDAP or WebSphere Application Server configuration. For example, a Triage Analyst can view only specified types of investigations and cannot assign investigations to other users.
role authorization: Describes which roles can perform what actions. Role authorizations can be reused across contexts.

S

SAML: Security Assertion Markup Language (SAML) is an XML document that you must write according to the OASIS standard specification, which is also called a SAML token. The SAML token contains information that an application uses to authenticate a user and to perform role-based authorization, according to standard Java Authentication and Authorization Service (JAAS) specifications. By using a SAML token, an application does not have to prompt users to provide their credentials. In an application architecture, the identity provider (IdP) plays the role of generating SAML tokens.; See also Service Provider (SP) and Identity Provider (IdP).
Service Provider (SP): Specifies the receiver of the Security Assertion Markup Language (SAML) assertion. The SP trusts the identity provider because it knows the identity provider metadata. The identity provider metadata is the identity provider public certificate, the identity provider issuer name, and the identity provider URLs. They are usually configured in a file that is called the idp-metadata.xml file. The SP uses this metadata to perform the assertion of the SAML token in order to authenticate the UA, and to check whether it is authorized to access the required resources, such as pages and servlets. See also Identity Provider (IdP). See also SAML and Identity Provider (IdP).
stash file: A file that stores an encrypted version of the key database password. See also key database.

Suspicious Activity Report (SAR)

A Suspicious Activity Report (SAR) is a document that financial institutions file with the Financial Crimes Enforcement Network (FinCEN) after an incident of suspected fraud is detected. The Counter Fraud solution includes a workflow step for creating the report and adding the required information from the investigation data.

score

A number or ranking that expresses applicability in relation to a standard. A fraud assessment can return a score, such as a value from one of the following sets:

Low, Medium, High, Very High
Suspected Fraud, Not fraud
Negative, Neutral, Positive

Secure Sockets Layer (SSL)

A security protocol that provides communication privacy. With SSL, client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

scenario

A specific sequence of actions that illustrates behaviors. A scenario can be used to illustrate an interaction or the execution of one or more usecase instances.

schema

A complete description of all the entity types, link types, and their associated property types that are available for items within a system.

server certificate

An electronic stamp stored in the server's key ring file that contains a public key, a name, an expiration date, and a digital signature. The server certificate uniquely identifies the server.

session

The time during which an authenticated user is logged on.

signer certificate

The digital certificate that validates the issuer of a certificate. For a CA, the signer certificate is the root CA certificate. For a user who creates a self-signed certificate for testing purposes, the signer certificate is the user's personal certificate. See also truststore.

state

A state in which an investigation can exist. States can be reused across contexts.

SSL

See Secure Sockets Layer.

summary

In reporting and analysis, an aggregate value that is calculated for all the values of a particular level or dimension. Examples of summaries include total, minimum, maximum, average, and count.

Supervisor role

In the IBM Counter Fraud Management application, supervisors have the authority to modify queue filters, change the priority of an investigation, or redirect an investigation to a different triage team.

T

task: An action that is performed by a team member as part of processing an investigation. For example, a task can be conduct a meeting, request an analysis, or ask for a secondary review. Tasks can have a priority and a due date.
team: Users can be assigned to one or more teams. Teams are responsible for managing a defined set of investigations. Teams are configured by using LDAP or WebSphere Application Server configuration and their name must start with CFTeam. For example, the High Value Fraud Team can manage only investigations that specify a high value of currency.
thumbnail: An icon-sized rendering of a larger graphic image that permits a user to preview the image without opening a view or graphical editor.
transaction object: The transaction data model captures the business transactions that are occurring against accounts to monitor activities that might be indicative of fraud or financial crimes. Transaction records such as claims, credits, and debits are captured, including the parties that relate to that transaction, and events that might have a relationship with the transaction.
transition: Describes the movement between one state and another Transitions are tied to a context.
triage team: In the IBM Counter Fraud Management application, triage teams are composed of triage analysts who evaluate incoming investigations and determine a disposition for each investigation. The analyst reviews details, opens work items, and can close or reroute investigations for further investigation.
truststore: In security, a storage object, either a file or a hardware cryptographic card, where public keys are stored in the form of trusted certificates, for authentication purposes in web transactions. In some applications, these trusted certificates are moved into the application keystore to be stored with the private keys. Often stored in PKCS12 format. See also keystore.

U

unmanaged node: A node that is defined in the cell topology that does not have a node agent that manages the process. An unmanaged node is typically used to manage web servers.

Uniform Billing (UB-04) Implementation: Medicare implemented the UB-04 form in March 2007. For more information, see the "CMS Manual System, Pub 100-04 Medicare Claims Processing, Transmittal1104" PDF at https://www.cms.gov/regulations-and-guidance/guidance/transmittals/downloads/r1104cp.pdf.
usecase: A Counter Fraud solution must be hooked up to client data and the analytic must detect certain types of fraud patterns. The implementation of the ICFM product to achieve those client-specific goals is through a specific set of extension points. The collection of extension points that address a specific business usecase is called an Industry UseCase.

W

watchlist: A watchlist refers to a group of parties, whether individuals or companies, that are considered suspicious. The term watchlist usually refers to a list of potential fraudsters or criminals that increase the risk of fraud or other nefarious activities. A watchlist can also be a list of "good guys," or likely false positives, such as the Safe Flyers list.
widget: A portable, reusable application or piece of dynamic content that can be placed into a web page, receive input, and communicate with an application or with another widget.
workflow: A configurable set of states and transitions between states. Transitions are triggered by actions that can be performed by authorized roles.