1. Patent Search
  2. Details

SYSTEMS AND METHODS FOR A USER INTERFACE OVERLAY FOR FRAUD DETECTION

20250225524 ยท 2025-07-10

    Inventors

    Cpc classification

    International classification

    Abstract

    A method comprising using at least one hardware processor to: receiving a new incoming check image associated with an account; extracting from the incoming check its features, wherein the features are associated with a plurality of detectors; comparing the features with corresponding features associated with profile check images stored in a CIR; developing a fraud score based on the comparisons, for each of the plurality of detectors; displaying via a user interface, the new incoming check image with at least one highlighted feature, based on business rules, along with confidence indicators for the at least one highlighted feature that illustrate the risk, based on the associated fraud score, for the at least one highlighted feature; and providing, via the user interface, inputs that allow a reviewer to quickly approve or decline the new incoming check image.

    Claims

    1. A method comprising using at least one hardware processor to: receiving a new incoming check image associated with an account; extracting from the incoming check its features, wherein the features are associated with a plurality of detectors; comparing the features with corresponding features associated with profile check images stored in a CIR; developing a fraud score based on the comparisons, for each of the plurality of detectors; displaying via a user interface, the new incoming check image with at least one highlighted feature, based on business rules, along with confidence indicators for the at least one highlighted feature that illustrate the risk, based on the associated fraud score, for the at least one highlighted feature; and providing, via the user interface, inputs that allow a reviewer to quickly approve or decline the new incoming check image.

    2. The method of claim 1, wherein the inputs further allow the reviewer to escalate the review.

    3. The method of claim 1, wherein the new incoming check image is displayed in the user interface if the result of the comparison is the fraud score that is higher than a threshold.

    4. The method of claim 1, wherein business alerts associated with the account are presented through the user interface along with the new incoming check image.

    5. The method of claim 1, wherein an image of a profile check that can be used to visually contrast and compare with the new incoming check image is present within the user interface along with the new incoming check image.

    6. The method of claim 1, wherein the user interface includes at least some of a notes section, a global score associated with the plurality of detectors associated with the new incoming check image, the channel on which new incoming check image was received, and the number of profile checks in the related CIR.

    7. The method of claim 5, wherein the user interface is configured to allow the reviewer to overlay the new incoming check image on the profile check image.

    8. The method of claim 1, wherein multiple new incoming check images are displayed for review in the user interface at the same time.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0013] The details of the present invention, both as to its structure and operation, may be gleaned in part by study of the accompanying drawings, in which like reference numerals refer to like parts, and in which:

    [0014] FIG. 1 illustrates an example infrastructure, in which one or more of the processes described herein, may be implemented, according to an embodiment;

    [0015] FIG. 2 illustrates an example processing system, by which one or more of the processes described herein, may be executed, according to an embodiment;

    [0016] FIG. 3 illustrates an example process for fraud detection, according to an embodiment;

    [0017] FIG. 4 illustrates an example customer implementation of a fraud detection system, according to an embodiment;

    [0018] FIG. 5 illustrates an example customer implementation of a fraud detection system, according to an embodiment;

    [0019] FIG. 6 illustrates an example fraud detection process, according to an embodiment;

    [0020] FIG. 7 illustrates an example view of a user interface that can be included in the system of FIG. 4, according to an embodiment;

    [0021] FIG. 8 illustrates an example view of a user interface that can be included in the system of FIG. 4, according to an embodiment;

    [0022] FIG. 9 illustrates an example view of a user interface that can be included in the system of FIG. 4, according to an embodiment;

    [0023] FIG. 10 illustrates an example view of a user interface that can be included in the system of FIG. 4, according to an embodiment;

    [0024] FIG. 11 illustrates an example view of a user interface that can be included in the system of FIG. 4, according to an embodiment; AND

    [0025] FIG. 12 illustrates an example view of a user interface that can be included in the system of FIG. 4, according to an embodiment.

    DETAILED DESCRIPTION

    [0026] In an embodiment, systems, methods, and non-transitory computer-readable media are disclosed for fraud detection.

    [0027] After reading this description, it will become apparent to one skilled in the art how to implement the invention in various alternative embodiments and alternative applications. However, although various embodiments of the present invention will be described herein, it is understood that these embodiments are presented by way of example and illustration only, and not limitation. As such, this detailed description of various embodiments should not be construed to limit the scope or breadth of the present invention as set forth in the appended claims.

    1. System Overview

    Infrastructure

    [0028] FIG. 1 illustrates an example infrastructure in which one or more of the disclosed processes may be implemented, according to an embodiment. The infrastructure may comprise a platform 110 (e.g., one or more servers) which hosts and/or executes one or more of the various processes, methods, functions, and/or software modules described herein. Platform 110 may comprise dedicated servers, or may instead be implemented in a computing cloud, in which the resources of one or more servers are dynamically and elastically allocated to multiple tenants based on demand. In either case, the servers may be collocated and/or geographically distributed. Platform 110 may also comprise or be communicatively connected to a server application 112 and/or one or more databases 114. In addition, platform 110 may be communicatively connected to one or more user systems 130 via one or more networks 120. Platform 110 may also be communicatively connected to one or more external systems 140 (e.g., other platforms, websites, etc.) via one or more networks 120.

    [0029] Network(s) 120 may comprise the Internet, and platform 110 may communicate with user system(s) 130 through the Internet using standard transmission protocols, such as HyperText Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), FTP Secure (FTPS), Secure Shell FTP (SFTP), and the like, as well as proprietary protocols. While platform 110 is illustrated as being connected to various systems through a single set of network(s) 120, it should be understood that platform 110 may be connected to the various systems via different sets of one or more networks. For example, platform 110 may be connected to a subset of user systems 130 and/or external systems 140 via the Internet, but may be connected to one or more other user systems 130 and/or external systems 140 via an intranet. Furthermore, while only a few user systems 130 and external systems 140, one server application 112, and one set of database(s) 114 are illustrated, it should be understood that the infrastructure may comprise any number of user systems, external systems, server applications, and databases.

    [0030] User system(s) 130 may comprise any type or types of computing devices capable of wired and/or wireless communication, including without limitation, desktop computers, laptop computers, tablet computers, smart phones or other mobile phones, servers, game consoles, televisions, set-top boxes, electronic kiosks, point-of-sale terminals, and/or the like. Each user system 130 may comprise or be communicatively connected to a client application 132 and/or one or more local databases 134.

    [0031] Platform 110 may comprise web servers which host one or more websites and/or web services. In embodiments in which a website is provided, the website may comprise a graphical user interface, including, for example, one or more screens (e.g., webpages) generated in HyperText Markup Language (HTML) or other language. Platform 110 transmits or serves one or more screens of the graphical user interface in response to requests from user system(s) 130. In some embodiments, these screens may be served in the form of a wizard, in which case two or more screens may be served in a sequential manner, and one or more of the sequential screens may depend on an interaction of the user or user system 130 with one or more preceding screens. The requests to platform 110 and the responses from platform 110, including the screens of the graphical user interface, may both be communicated through network(s) 120, which may include the Internet, using standard communication protocols (e.g., HTTP, HTTPS, etc.). These screens (e.g., webpages) may comprise a combination of content and elements, such as text, images, videos, animations, references (e.g., hyperlinks), frames, inputs (e.g., textboxes, text areas, checkboxes, radio buttons, drop-down menus, buttons, forms, etc.), scripts (e.g., JavaScript), and the like, including elements comprising or derived from data stored in one or more databases (e.g., database(s) 114) that are locally and/or remotely accessible to platform 110. It should be understood that platform 110 may also respond to other requests from user system(s) 130.

    [0032] Platform 110 may comprise, be communicatively coupled with, or otherwise have access to one or more database(s) 114. For example, platform 110 may comprise one or more database servers which manage one or more databases 114. Server application 112 executing on platform 110 and/or client application 132 executing on user system 130 may submit data (e.g., user data, form data, etc.) to be stored in database(s) 114, and/or request access to data stored in database(s) 114. Any suitable database may be utilized, including without limitation MySQL, Oracle, IBM, Microsoft SQL, Access, PostgreSQL, MongoDB, and the like, including cloud-based databases and proprietary databases. Data may be sent to platform 110, for instance, using the well-known POST request supported by HTTP, via FTP, and/or the like. This data, as well as other requests, may be handled, for example, by server-side web technology, such as a servlet or other software module (e.g., comprised in server application 112), executed by platform 110.

    [0033] In embodiments in which a web service is provided, platform 110 may receive requests from user system(s) 130 and/or external system(s) 140, and provide responses in extensible Markup Language (XML), JavaScript Object Notation (JSON), and/or any other suitable or desired format. In such embodiments, platform 110 may provide an application programming interface (API) which defines the manner in which user system(s) 130 and/or external system(s) 140 may interact with the web service. Thus, user system(s) 130 and/or external system(s) 140 (which may themselves be servers), can define their own user interfaces, and rely on the web service to implement or otherwise provide the backend processes, methods, functionality, storage, and/or the like, described herein. For example, in such an embodiment, a client application 132, executing on one or more user system(s) 130, may interact with a server application 112 executing on platform 110 to execute one or more or a portion of one or more of the various functions, processes, methods, and/or software modules described herein.

    [0034] Client application 132 may be thin, in which case processing is primarily carried out server-side by server application 112 on platform 110. A basic example of a thin client application 132 is a browser application, which simply requests, receives, and renders webpages at user system(s) 130, while server application 112 on platform 110 is responsible for generating the webpages and managing database functions. Alternatively, the client application may be thick, in which case processing is primarily carried out client-side by user system(s) 130. It should be understood that client application 132 may perform an amount of processing, relative to server application 112 on platform 110, at any point along this spectrum between thin and thick, depending on the design goals of the particular implementation. In any case, the software described herein, which may wholly reside on either platform 110 (e.g., in which case server application 112 performs all processing) or user system(s) 130 (e.g., in which case client application 132 performs all processing) or be distributed between platform 110 and user system(s) 130 (e.g., in which case server application 112 and client application 132 both perform processing), can comprise one or more executable software modules comprising instructions that implement one or more of the processes, methods, or functions described herein.

    Example Processing Device

    [0035] FIG. 2 is a block diagram illustrating an example wired or wireless system 200 that may be used in connection with various embodiments described herein. For example, system 200 may be used as or in conjunction with one or more of the processes, methods, or functions (e.g., to store and/or execute the software) described herein, and may represent components of platform 110, user system(s) 130, external system(s) 140, and/or other processing devices described herein. System 200 can be any processor-enabled device (e.g., server, personal computer, etc.) that is capable of wired or wireless data communication. Other processing systems and/or architectures may also be used, as will be clear to those skilled in the art.

    [0036] System 200 may comprise one or more processors 210. Processor(s) 210 may comprise a central processing unit (CPU). Additional processors may be provided, such as a graphics processing unit (GPU), an auxiliary processor to manage input/output, an auxiliary processor to perform floating-point mathematical operations, a special-purpose microprocessor having an architecture suitable for fast execution of signal-processing algorithms (e.g., digital-signal processor), a subordinate processor (e.g., back-end processor), an additional microprocessor or controller for dual or multiple processor systems, and/or a coprocessor. Such auxiliary processors may be discrete processors or may be integrated with a main processor 210. Examples of processors which may be used with system 200 include, without limitation, any of the processors (e.g., Pentium, Core i7, Core i9, Xeon, etc.) available from Intel Corporation of Santa Clara, California, any of the processors available from Advanced Micro Devices, Incorporated (AMD) of Santa Clara, California, any of the processors (e.g., A series, M series, etc.) available from Apple Inc. of Cupertino, any of the processors (e.g., Exynos) available from Samsung Electronics Co., Ltd., of Seoul, South Korea, any of the processors available from NXP Semiconductors N.V. of Eindhoven, Netherlands, and/or the like.

    [0037] Processor(s) 210 may be connected to a communication bus 205. Communication bus 205 may include a data channel for facilitating information transfer between storage and other peripheral components of system 200. Furthermore, communication bus 205 may provide a set of signals used for communication with processor 210, including a data bus, address bus, and/or control bus (not shown). Communication bus 205 may comprise any standard or non-standard bus architecture such as, for example, bus architectures compliant with industry standard architecture (ISA), extended industry standard architecture (EISA), Micro Channel Architecture (MCA), peripheral component interconnect (PCI) local bus, standards promulgated by the Institute of Electrical and Electronics Engineers (IEEE) including IEEE 488 general-purpose interface bus (GPIB), IEEE 696/S-100, and/or the like.

    [0038] System 200 may comprise main memory 215. Main memory 215 provides storage of instructions and data for programs executing on processor 210, such as any of the software discussed herein. It should be understood that programs stored in the memory and executed by processor 210 may be written and/or compiled according to any suitable language, including without limitation C/C++, Java, JavaScript, Perl, Python, Visual Basic, .NET, and the like. Main memory 215 is typically semiconductor-based memory such as dynamic random access memory (DRAM) and/or static random access memory (SRAM). Other semiconductor-based memory types include, for example, synchronous dynamic random access memory (SDRAM), Rambus dynamic random access memory (RDRAM), ferroelectric random access memory (FRAM), and the like, including read only memory (ROM).

    [0039] System 200 may comprise secondary memory 220. Secondary memory 220 is a non-transitory computer-readable medium having computer-executable code and/or other data (e.g., any of the software disclosed herein) stored thereon. In this description, the term computer-readable medium is used to refer to any non-transitory computer-readable storage media used to provide computer-executable code and/or other data to or within system 200. The computer software stored on secondary memory 220 is read into main memory 215 for execution by processor 210. Secondary memory 220 may include, for example, semiconductor-based memory, such as programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable read-only memory (EEPROM), and flash memory (block-oriented memory similar to EEPROM).

    [0040] Secondary memory 220 may include an internal medium 225 and/or a removable medium 230. Internal medium 225 and removable medium 230 are read from and/or written to in any well-known manner. Internal medium 225 may comprise one or more hard disk drives, solid state drives, and/or the like. Removable storage medium 230 may be, for example, a magnetic tape drive, a compact disc (CD) drive, a digital versatile disc (DVD) drive, other optical drive, a flash memory drive, and/or the like.

    [0041] System 200 may comprise an input/output (I/O) interface 235. I/O interface 235 provides an interface between one or more components of system 200 and one or more input and/or output devices. Example input devices include, without limitation, sensors, keyboards, touch screens or other touch-sensitive devices, cameras, biometric sensing devices, computer mice, trackballs, pen-based pointing devices, and/or the like. Examples of output devices include, without limitation, other processing systems, cathode ray tubes (CRTs), plasma displays, light-emitting diode (LED) displays, liquid crystal displays (LCDs), printers, vacuum fluorescent displays (VFDs), surface-conduction electron-emitter displays (SEDs), field emission displays (FEDs), and/or the like. In some cases, an input and output device may be combined, such as in the case of a touch panel display (e.g., in a smartphone, tablet computer, or other mobile device).

    [0042] System 200 may comprise a communication interface 240. Communication interface 240 allows software to be transferred between system 200 and external devices (e.g. printers), networks, or other information sources. For example, computer-executable code and/or data may be transferred to system 200 from a network server (e.g., platform 110) via communication interface 240. Examples of communication interface 240 include a built-in network adapter, network interface card (NIC), Personal Computer Memory Card International Association (PCMCIA) network card, card bus network adapter, wireless network adapter, Universal Serial Bus (USB) network adapter, modem, a wireless data card, a communications port, an infrared interface, an IEEE 1394 fire-wire, and any other device capable of interfacing system 200 with a network (e.g., network(s) 120) or another computing device. Communication interface 240 preferably implements industry-promulgated protocol standards, such as Ethernet IEEE 802 standards, Fiber Channel, digital subscriber line (DSL), asynchronous digital subscriber line (ADSL), frame relay, asynchronous transfer mode (ATM), integrated digital services network (ISDN), personal communications services (PCS), transmission control protocol/Internet protocol (TCP/IP), serial line Internet protocol/point to point protocol (SLIP/PPP), and so on, but may also implement customized or non-standard interface protocols as well.

    [0043] Software transferred via communication interface 240 is generally in the form of electrical communication signals 255. These signals 255 may be provided to communication interface 240 via a communication channel 250 between communication interface 240 and an external system 245 (e.g., which may correspond to an external system 140, an external computer-readable medium, and/or the like). In an embodiment, communication channel 250 may be a wired or wireless network (e.g., network(s) 120), or any variety of other communication links. Communication channel 250 carries signals 255 and can be implemented using a variety of wired or wireless communication means including wire or cable, fiber optics, conventional phone line, cellular phone link, wireless data communication link, radio frequency (RF) link, or infrared link, just to name a few.

    [0044] Computer-executable code is stored in main memory 215 and/or secondary memory 220. Computer-executable code can also be received from an external system 245 via communication interface 240 and stored in main memory 215 and/or secondary memory 220. Such computer-executable code, when executed, enable system 200 to perform the various functions of the disclosed embodiments as described elsewhere herein.

    [0045] In an embodiment that is implemented using software, the software may be stored on a computer-readable medium and initially loaded into system 200 by way of removable medium 230, I/O interface 235, or communication interface 240. In such an embodiment, the software is loaded into system 200 in the form of electrical communication signals 255. The software, when executed by processor 210, preferably causes processor 210 to perform one or more of the processes and functions described elsewhere herein.

    [0046] System 200 may comprise wireless communication components that facilitate wireless communication over a voice network and/or a data network (e.g., in the case of user system 130). The wireless communication components comprise an antenna system 270, a radio system 265, and a baseband system 260. In system 200, radio frequency (RF) signals are transmitted and received over the air by antenna system 270 under the management of radio system 265.

    [0047] In an embodiment, antenna system 270 may comprise one or more antennae and one or more multiplexors (not shown) that perform a switching function to provide antenna system 270 with transmit and receive signal paths. In the receive path, received RF signals can be coupled from a multiplexor to a low noise amplifier (not shown) that amplifies the received RF signal and sends the amplified signal to radio system 265.

    [0048] In an alternative embodiment, radio system 265 may comprise one or more radios that are configured to communicate over various frequencies. In an embodiment, radio system 265 may combine a demodulator (not shown) and modulator (not shown) in one integrated circuit (IC). The demodulator and modulator can also be separate components. In the incoming path, the demodulator strips away the RF carrier signal leaving a baseband receive audio signal, which is sent from radio system 265 to baseband system 260.

    [0049] If the received signal contains audio information, then baseband system 260 decodes the signal and converts it to an analog signal. Then the signal is amplified and sent to a speaker. Baseband system 260 also receives analog audio signals from a microphone. These analog audio signals are converted to digital signals and encoded by baseband system 260. Baseband system 260 also encodes the digital signals for transmission and generates a baseband transmit audio signal that is routed to the modulator portion of radio system 265. The modulator mixes the baseband transmit audio signal with an RF carrier signal, generating an RF transmit signal that is routed to antenna system 270 and may pass through a power amplifier (not shown). The power amplifier amplifies the RF transmit signal and routes it to antenna system 270, where the signal is switched to the antenna port for transmission.

    [0050] Baseband system 260 is communicatively coupled with processor(s) 210, which have access to memory 215 and 220. Thus, software can be received from baseband processor 260 and stored in main memory 210 or in secondary memory 220, or executed upon receipt. Such software, when executed, can enable system 200 to perform the various functions of the disclosed embodiments.

    2. Process Overview

    [0051] Embodiments of processes for fraud detection will now be described in detail. It should be understood that the described processes may be embodied in one or more software modules that are executed by one or more hardware processors (e.g., processor 210), for example, as a software application (e.g., server application 112, client application 132, and/or a distributed application comprising both server application 112 and client application 132), which may be executed wholly by processor(s) of platform 110, wholly by processor(s) of user system(s) 130, or may be distributed across platform 110 and user system(s) 130, such that some portions or modules of the software application are executed by platform 110 and other portions or modules of the software application are executed by user system(s) 130. The described processes may be implemented as instructions represented in source code, object code, and/or machine code. These instructions may be executed directly by hardware processor(s) 210, or alternatively, may be executed by a virtual machine operating between the object code and hardware processor(s) 210. In addition, the disclosed software may be built upon or interfaced with one or more existing systems.

    [0052] Alternatively, the described processes may be implemented as a hardware component (e.g., general-purpose processor, integrated circuit (IC), application-specific integrated circuit (ASIC), digital signal processor (DSP), field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, etc.), combination of hardware components, or combination of hardware and software components. To clearly illustrate the interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps are described herein generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled persons can implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the invention. In addition, the grouping of functions within a component, block, module, circuit, or step is for ease of description. Specific functions or steps can be moved from one component, block, module, circuit, or step to another without departing from the invention.

    [0053] Furthermore, while the processes, described herein, are illustrated with a certain arrangement and ordering of subprocesses, each process may be implemented with fewer, more, or different subprocesses and a different arrangement and/or ordering of subprocesses. In addition, it should be understood that any subprocess, which does not depend on the completion of another subprocess, may be executed before, after, or in parallel with that other independent subprocess, even if the subprocesses are described or illustrated in a particular order.

    Check Fraud Model

    [0054] Certain embodiments described herein include a model that assesses image differences between, e.g., a deposited check and known checks for a given account. In certain embodiments, the system can provide scores intended to identify differences or the likelihood that a check is fraudulent or counterfeit. The model output can be the risk scoring, e.g., in a range from 0 to 1000 where a higher score indicates that the image being scored has differences from the check profile built from previous images. The model outputs the scores based on comparison of the image being scored with best match (best candidate) check image from the CIR, known as Check profile. The higher the score the more likely that image has differences from previously processed best candidate check images. Along with the image scores, the system can be configured to provide OCR/extraction results for the key deposit items on the check, e.g., account, amount, payor, check date, serial number, etc.

    2.1.1 Overall Framework or Design

    2.1.1. (a) Typical Application Flow

    [0055] While the implementation to leverage the results ultimately lies with each customer, a typical processing flow can look like that depicted in FIG. 3. First as illustrated, the process can start with a check to be imaged in step 302. In step 304, an image of the check is captured or created. In step 306, the check image is run through the model, which then produce results as described, including the probability score in step 308. The results can then be pushed to the customer application in step 310, which can produce business alerts in accordance with the business logic set up by the customer in step 312.

    2.1.1. (b) Fraud Detection Architectural Flow

    [0056] FIG. 4, is a diagram illustrating an example customer implementation of a fraud detection system 400 configured in accordance with the systems and method described herein. As can be seen, system 400 comprises a front end, user application 402 that comprises image recognition configuration 404 that can dictate recognition parameters 410 in a backend 412. Images can then be sent to a back end recognition engine 406 via a portal 408 to be analyzed in accordance with the parameters 410 by extracting information and recognizing that information suing various techniques. In certain embodiments, the character recognizer 406 can comprise four OCR engines (not shown) that recognize segmented character images. Then, OCR results are integrated to obtain final scores of character classes (step 308). All four OCR engines can be neural networks that estimate posterior class probabilities but use different feature sets. A neural network integrator (not shown) can be configured to combine the results of individual OCR engines and produce final class probability estimates. The neural network of the integrator can have the same architecture as the neural networks of OCR engines.

    [0057] In certain embodiments, in addition to four OCR neural network engines, system 400 can be configured to use a recurrent neural network(s) (not shown) for handwritten and printed data as well as convolutional neural network(s) (not shown) for handwritten data analysis.

    [0058] In certain embodiments of system 400, a recognition task is solved by several complementary algorithms, with the results being integrated based on the maximum output information criterion, e.g., both log-linear combination rules and neural networks as integrators.

    [0059] The extraction processing is essentially a probabilistic system, this means that the recognition modules are all soft classifiers. Each module does not produce a single (hard) decision, but a list of possible decisions (candidates) ordered by decreasing confidence scores.

    [0060] FIG. 5 is an example process for amount recognition to illustrate the process. Starting from a binary image of the check, two recognition chains analyze the image in order to recognize the amount in step 502. While the first chain analyzes the courtesy amount in step 504, the second chain deals with the legal amount in step 506, thereby taking advantage of the redundancy between the two amount fields.

    [0061] For both chains, the recognition process is divided into 5 steps: [0062] Extraction of the image parts containing the amount (508, 510); [0063] Preprocessing of the extracted amount images (512, 514); [0064] Segmentation of the courtesy amount and legal amount (516, 518); [0065] Recognition of characters, words and amounts (520, 522); and [0066] Decision (524).

    [0067] For the extraction of data from images, a combination of OCR, ICR (Intelligent Character Recognition) and IWR (Intelligent Word Recognition) technologies can be used. Handwritten words recognized by use of IWR technology while OCR and ICR technologies can be applied for the recognition of the individual characters whether machine printed or handwritten.

    [0068] Intelligent Character Recognition (ICR) technology recognizes isolated characters by distinguishing the individual shapes and sizes within each character classifieridentifying extracted features such as curves, loops and linesand organizing them in a logical and actionable manner.

    [0069] Intelligent Word Recognition (IWR) recognizes data at the word or field level. IWR engine is capable, in fact, of extracting all types of field-based information-either constrained (machine print, hand-printed capitals) or unconstrained (freeform handprint, cursive) from virtually any type of document.

    [0070] The use of OCR, ICR, and IWR technology identifies, e.g., critical payment information quickly, accurately and securely. Handwritten words are classified by using IWR technology, while its OCR and ICR technologies identify key information based on individual characters whether handwritten or machine printed capturing and recognizing the data found on each payment document.

    [0071] To accomplish the level of recognition required for the market, the recognition engine 406 should be trained on hundreds of thousands of character images from, e.g., actual handwritten checks.

    [0072] Again, multiple OCR algorithms, e.g., 2 to 4 algorithms, can be used at the character recognition level. For example, two complementary word recognizers can be used at the word level, and two chains of courtesy and legal amount recognition support the amount recognition level as described above. The results of these complementary recognitions are then integrated by the combination of output candidate lists of the individual recognizers and producing a new single output list. Even the individual integrators can be built on the principle of complementarity, i.e., both the log-liner rule and a neural network can be used.

    Check Fraud Detection

    [0073] Check fraud detection generally consists of two phases: Profile Buildingthis step is when Profiles are created using valid check images provided by the customer and based on routing and account numbers; and Scoringincoming images are verified against the existing Profile for the account associated to the check.

    [0074] In certain embodiments, the check fraud detection functionality does not use any IWR methodology, however the check fraud detection functionality can use complementary OCR engines in fraud detectors that cross validate, e.g., the MICR content with check number (see detector 12 below in Table 1) and Neural Network methodology.

    [0075] FIG. 6 illustrates and example fraud detection process in according with one example embodiment. At the first phase several samples of valid checks (references) 604 are collected for every account 602. They are processed by engine 406 to extract specific check features 606 that are stored in a CIR 608 associated with the account 602.

    [0076] At the second phase, each new incoming check image 610 associated with the account is tested to be a potential fraud. Engine 406 extracts from the incoming check its features (as in step 606) and compares them (612) with features stored in CIR (Check Profile) 608. The result of the comparison is the fraud score 614. If this score is higher than, e.g., a threshold, the check is sent to the potential fraud basket.

    [0077] In certain embodiments, the following features of reference checks listed in Table 1, which are the same features to be extracted from incoming checks to be tested, can be stored in CIR (Check Profile) 608:

    Detectors

    TABLE-US-00002 TABLE 1 Compare Compare Test Name Location Contents Brief Description Courtesy Amount Field x Compares the location of the CAR field to established profile Values Courtesy Sign x Image Compares the location and image of the Comparison Courtesy Amount Sign to established profile Values Legal Amount Field x Compares the location of the LAR field to established profile Values Payee Name Field x Compares the location of the Payee Name field to established profile Values TO THE ORDER OF x Image Compares the location and snippet of keyword Comparison keyword PAY TO THE ORDER OF field to established profile Values Date Field x Compares the location of the Date field to established profile Values Date keyword x Image Compares the location and pre-printed the Comparison keyword Date to established profile Values Payor Address Block x Compares the location of the Payor address block to established profile Values Check Number Field x Compares the location of the Check Number field to established profile Values Reduced Image of Image Reduces the size of the overall check Whole Check Comparison image and compares the overall image to established profile Values Structural Layout x Compares the relative location of pre- printed lines on the checks vs overall established profile Values Comparison of Check Compares the check number in the bottom Numbers code line to the check number on the top right corner of the check LAR Handwriting Style Compares the LAR Handwriting style of Style Comparison the check to established profile Values for certain characters Payor Name Image Compares the snippet of Payor Name to Comparison established profile Values Signature Detection Image Compares the Payor Signature on the Comparison front of the check to established profile Values MICR Line x Compares the location of the MICR line to established profile Values CAR/LAR Difference Compares the CAR value and the LAR value on the check to see if they match Payee Name Style Compares the Payee name handwriting Handwriting Style Comparison style on the check to established profile Values

    [0078] Each set of features can be extracted by its own local fraud detector (not shown) within recognition engine 406, so there can be 18 local detectors in total, where a fraud score 614n (where n from 1-18not shown) can be calculated for each.

    [0079] Feature comparison methods can be based on calculating distances between vectors/sequences/signals. Image Comparison: Image distance is calculated as the Normalized Mean Square Error between two arrays of pixels. Preliminary, both arrays are normalized to have the same sizes. Structural Layout Analysis (Relative Location of Line Objects): is calculated as Edit Distance between sequences of line objects detected in two images. Lines are sorted from top-left to bottom-right, horizontal and vertical lines being considered separately. Handwriting Styles comparison: is calculated as Euclidian distance between vectors of normalized writing characteristics (stroke density, slant, height of ascenders/descenders, size of loops, etc.) Different methods can be used for Handwriting Styles comparison, but a main method can use convolution neural network. Signature comparison: Different methods are used for Signature comparison. Main method uses convolution neural network (CNN).

    [0080] The Model produces a probabilistic score result for each feature and then generates an overall numerical score result 614 ranging from 0 to 1000. Based on the provided results, the model presents a probabilistic result if the check is valid (belongs to the associated account check stockwhich entails a low result score value) or not valid (does not belong to the associated accountwhich entails a high score value). These results are provided to the customer who then uses their internal system 402 to decide regarding any action taken on the incoming check 610.

    [0081] The notion and range of what constitutes a high and low score can be determined by the integrator/developer. The principals for calculating the individual and global score are described below.

    2.1.1. (c) Fraud Score Calculation

    [0082] Fraud score of the incoming check 610 can be calculated by comparing its data with data of reference checks 604 from the CIR 608. For each reference check from the CIR, fraud score is calculated. If G.sub.j is fraud score for j-th reference check from the CIR 608. Global fraud score of incoming check is the minimum among G.sub.j. The G.sub.j is calculated in two steps:

    [0083] STEP 1: Local fraud score S.sub.i i=1-18 is evaluated by each of the, e.g., 18 local detectors. For most local detectors, this local fraud score is the function of the distance between the feature vector F.sub.i of the incoming check and feature vectors R.sub.ij of j-th reference checks in the CIR 608:

    [0084] S.sub.i=(F.sub.iR.sub.ij), ilocal detector number, jreference checks number in the CIR 608.

    [0085] Function is chosen so that the local score S.sub.i of the i-th local detector is in the interval from 0 to 1. For example, (x)=exp(x*a), a being a normalization factor chosen manually. For example, consider the calculation of Score of a single detector. Assume that we consider the Position of Courtesy Amount (feature #1). Each reference check 604 has its own Courtesy Amount position (X/Y coordinate, W/H Width and Height measurement), so it can be represented as a point in a two-dimensional coordinate space with X/Y coordinates and W/H measurement. When the incoming check 610 comes to test, recognition engine 406 can calculate the position of Courtesy Amount and maps its point to the same feature space with its X/Y coordinates and W/H measurement.

    [0086] Then distance d between points of incoming test check and j-th reference check are measured. This distance is the only value that defines the score of the detector:


    S.sub.i=(d)

    [0087] The function is selected so that the value S is in the interval from 0 to 1. It is monotone, so the larger is d, the higher is fraud score, i.e. the more probable the incoming check 610 is a fraudulent. When d=0, S=0 i.e. incoming check 604 is identical with a certain reference check.

    [0088] SECOND STEP: Fraud score G.sub.j for j-th reference check 604 from the CIR 608 is calculated. A Perceptron neural network can be used for G.sub.j calculation. Inputs for this NN are local fraud scores Si of local detectors, i=1-18. Another input for the NN is normalized weighted product of local fraud scores of local detectors. And another input is score of printing of incoming check. Output of the NN is fraud score G.sub.j for j-th reference check from the CIR 608.

    [0089] The lower fraud score G.sub.j, the more j-th reference check from the CIR 608 resembles the incoming check. The global fraud score 614 of incoming check 610 is the minimum among G.sub.j, i.e., the reference check 604 that most closely resembles the incoming check 610 is found. The higher global fraud score, the more probable incoming check is a fraud.

    3.0 Visualization

    [0090] Because the, e.g., 18 detectors above are each evaluated and scored separately, a visualization overlay can be generated and customized according to business rules defined by the customer to allow quick and easy visualization of potential issues with a new check 610. It should be noted that other potential detectors can include font differences, security features, borders and back of the check matching. In fact, Table 2 includes a list of additional potential detectors:

    TABLE-US-00003 TABLE 2 Check Image Fraud Detector Roadmap Opportunities Description Variation in location of signature Determining coordinates of location on the signature located on the signature line Check Border Variation Evaluate Border structures to determine variation in border Font differences in Check printed fields - Determine standard font in customers standard documents/image - create a verification of these printed fonts and determine variances in the printed font Payor block line count differences Determine number of lines in standard behavior of a profile and compare for differences Back of check variation (is this back the right Determine standard back of check matching back of check that matches the front of check) from front of check. Create a profile for front/back matching of check behavior and determine if front/back match/does not match and create a score Security Features Determine location of security features on a given check. Ex position of lock icon. Position of security verbiage position of other security feature icons. Store those locations and security icon analysis and when new check comes in compare to profile and create a score Back of check variation in handwriting/font type behavior signatures or deposit only messages in handwriting style/font styles to Create profile of typical back of check determine if back matches/does not match profile and create a score

    [0091] As mentioned above, user application 402 can comprise a user interface (not shown) that allows customers to verify fraud. The application 402 can then allow the user to define and set bank specific business rules, review suspect checks 610 as determined based on the rules, and then quickly decide whether an item is fraud or not. The system 400 can also generate the output needed for bank posting systems, reports, allow for compromised data searches and data/trends analysis, some of which is described below.

    [0092] Business Rules Descriptions: Business rules allow customers to apply rules to their volume to determine the documents (checks) they want to review for potential fraud or other check verification. Rules that can be applied include ALL elements of a check: Routing Number, Account Number, Dollar Amt. Date, Payee/Payor, etc., as well as all of the other detectors.

    [0093] FIG. 7 illustrates an example view of the user interface 702. As can be seen, user interface 702 can be configured to show the image 704 of the suspect check 610 with areas highlighted, in the case as numbers 1-4, in accordance with the business rules. In this case below, the check image 704 are confidence indicators in area 706 associated with those highlighted areas (1-4), which allows the user to quickly assess the risk associated with these areas or aspects of the check 610. Also, in this case, below the image 610 is a business alerts area 708 that can provide information related to an account associated with the check image 610.

    [0094] Buttons or other sectors/inputs 710 can then be provided to allow the reviewer to quickly approve or decline the check or escalate the review in this example.

    [0095] Other information that can be provided to allow a quick, efficient, and effective review include information on the overall or global score of the image, the channel on which it was received, the number of checks in the related CIR 608, in area 712; an image of a profile check 714 that can be used to visually contrast and compare; and a notes section 716.

    [0096] The User Interface screens allow for quick review and decisioning of fraud suspects. The unique key features include highlight boxes for high score differences areas, e.g., 1-4, which can be based on XY coordinates on the check location based on system ability to detect coordinates and areas on the image/document.

    [0097] Moreover, the application 402 can enable image overlay image 610 over, e.g., a best profile candidate as illustrated in FIG. 8. The user interface can also provide the ability to review single items or multiple items for a particular account at one time based on business rules as illustrated in FIG. 9.

    [0098] Payee keying can also be enabled via application 402 through the user interface. For example, application 402, in conjunction with the backend system can search for a Payee/Payor and lift that information to be used as data. This data can be presented to a bank so that they can confirm or correct the data. As illustrated in FIG. 11 this data can then be submitted for review and validation. One type of validation, if images of the back of the check are obtained is to see validate whether the payee information matches the signature on the back or payee information on the back of the check. The payee data can also, for example, be matched to payee data associated with the deposit account. The user interface can then comprise a screen 1002 as illustrated in FIG. 10 that allows the user to accept or hold the deposit based on this information.

    [0099] The application 402 in combination with the user interface can also allow a compromised data search as illustrated by screen 1202. The compromised database includes documents that are stolen for sale items that may cause fraud or risk to an individual. These documents can include checks, IDs, Account Screens etc., These can be pictures with multiple items/images imbedded in them. The items and images can be split into management data elements/images that can be processed through our Check Intelligence technology to extract data from the imageextractions such as customer name, address, account, numbers, dollars, bank etc. Anything that can be extracted and stored from the image. This data is then consumed and compared to the customer data/customer account data and profiles in the Check Fraud Defender Consortium. If there is a match, we can provide a flag indicator in the check fraud suspect review process, the Identity verification process AND also allow banks the ability to do customer name. Bank and other field searches to determine if a person/and or customer is at risk of compromised or has been compromised.

    [0100] The above description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles described herein can be applied to other embodiments without departing from the spirit or scope of the invention. Thus, it is to be understood that the description and drawings presented herein represent a presently preferred embodiment of the invention and are therefore representative of the subject matter which is broadly contemplated by the present invention. It is further understood that the scope of the present invention fully encompasses other embodiments that may become obvious to those skilled in the art and that the scope of the present invention is accordingly not limited.

    [0101] As used herein, the terms comprising, comprise, and comprises are open-ended. For instance, A comprises B means that A may include either: (i) only B; or (ii) B in combination with one or a plurality, and potentially any number, of other components. In contrast, the terms consisting of, consist of, and consists of are closed-ended. For instance, A consists of B means that A only includes B with no other component in the same context.

    [0102] Combinations, described herein, such as at least one of A, B, or C, one or more of A, B, or C, at least one of A, B, and C, one or more of A, B, and C, and A, B, C, or any combination thereof include any combination of A, B, and/or C, and may include multiples of A, multiples of B, or multiples of C. Specifically, combinations such as at least one of A, B, or C, one or more of A, B, or C, at least one of A, B, and C, one or more of A, B, and C, and A, B, C, or any combination thereof may be A only, B only, C only, A and B, A and C, B and C, or A and B and C, and any such combination may contain one or more members of its constituents A, B, and/or C. For example, a combination of A and B may comprise one A and multiple B's, multiple A's and one B, or multiple A's and multiple B's.