Overview of Bottomline's Fraud and Financial Crime Management Solution

Bottomline Technologies’ Fraud and Financial Crime Management suite of solutions is an innovative end-to-end enterprise fraud management solution which provides a unique combination of comprehensive data capture combined with cross channel analytics and real-time alerting. This allows organisations to reduce risk, prevent fraud and meet regulatory compliance requirements through a highly extensible and flexible platform that delivers unparalleled fraud protection.

The fraud platform is designed in a modular way that enables frictionless deployment of new functionality in order to meet varying use cases.

Fraud and Financial Crime Management Suite Overview Diagram 2
BT security fraud & risk 171

Secure Payments

Bottomline’s Secure Payments solution protects payments across a variety of applications, channels, and payment types. Whether it is one business-critical application, channel and payment type, or a variety, our highly flexible and extensible platform delivers proven protection against payment fraud through advanced analytics of user behavior and transaction flows layered with intelligent machine learning, reducing risk for some of the largest corporations and financial institutions in the world.

BT security fraud & risk 169

Enterprise Case Manager

Bottomline’s Enterprise Case Manager solution is designed to simplify and streamline the risk management and fraud detection process, along with the various regulatory processes that accompany these efforts. The solution integrates across multiple systems and enables users to track all alerts and cases regardless of their source application. When violations are found, the system helps to automate the filing of Suspicious Activity Reports (SARs) to government agencies.

BT documentation & messaging 50


Bottomline’s Compliance solution provides corporations and financial institutions with a powerful end-to-end offering to accelerate the speed to achieve regulatory compliance requirements while decreasing complexity. Whether the need is around modernising an anti-money laundering program, achieving more reliable sanctions screening, improving payments monitoring, highlighting settlement exposure, or automating suspicious activity reporting to meet regulatory requirements, Bottomline’s Compliance solution offers a modular approach to reducing the cost of compliance and increasing productivity

BT personnel 141

Insider and Employee Fraud

Bottomline’s Insider and Employee Fraud solution quickly identifies and stops anomalous user activity through intelligent machine learning, rules-based detection, and years of experience protecting some of the largest corporations and financial institutions in the world. The solution captures all user behavior in real-time across all vital systems and provides protection for both external threats in which user credentials have been compromised and internal threats from authorised users.

Introduction to Insider and Employee Fraud

The Insider and Employee Fraud product is a pre-packaged solution suite designed for financial institutions. It is specifically designed to identify and track suspicious employee activity by monitoring each action a user makes and analyzing those actions for unusual behavior and key risk indicators.

When an employee action or pattern of actions are deemed by the analytics as potentially fraudulent, an alert is created for compliance officers to review and investigate. These analytics take a variety of different factors and data points into account and because the system monitors real-time actions, as well as historical data, it can capture a variety of different fraud schemes while reducing false positives.

Evaluating user behaviour for indicators of fraud and risk 

As the system monitors employee behavior, it builds an understanding of what is normal for each specific employee and how their behavior compares to that of their peers. This helps to surface suspicious activity without introducing unnecessary false positives. For example, if one employee is designated to only work with VIP accounts you would not want alerts going off every time that employee accessed a VIP account. Instead the system would learn that this is a false positive and add that to its understanding of what is normal for that user. Similarly, this process can be used to identify suspicious behavior. For instance, if a user normally looks at a few records a day but then begins viewing a significantly higher volume of records this could be flagged as suspicious activity for a compliance officer to investigate.

The solution’s analytics have been refined over years of experience working to prevent insider and employee fraud across multiple instances. As a result, the solution is able to identify over 100 different scenarios that have been proven to indicate insider fraud activities. Bottomline is able to work with customers to tune the analytics to help focus on the scenarios that are deemed most important with each implementation.

All alerts generated by the system are displayed in the Investigation Center where they can be tracked and managed by compliance officers. Alerts contain critical data such as the details of the scenario that triggered the alert. The alert also provides additional information such as previously related alerts and other historical data that could be useful for the investigator. This combination of information provides all the relevant information required to begin the investigation process and quickly come to a resolution.

Why Bottomline?

Bottomline's solution is able to identify over 100 different scenarios that have been proven to indicate insider fraud activities.

Investigation workflow

The solution can capture user data through a variety of methods including APIs, MQ, network sniffing, and log capture. As data is gathered from the monitored application, it is passed to the analytics engine for evaluation. This evaluation can be performed in real-time or through an overnight batch process depending on the scenario and solution deployment. If the solution deems any user activity to be a policy violation or generally suspicious, then an alert is generated and an email is sent to the assigned investigators for further evaluation.

Investigators can use a wide range of tools to understand why the alert was generated.

These tools include:

Screen-by-screen replay*:

Investigators can replay the exact screens the user saw and the actions they took including view-only actions which are not captured in many audit logs. This provides powerful forensic evidence for understanding why an action was taken and if it was legitimate.

*Dependent on method of data capture
Record and Replay Insider Fraud Solution Preview

Cross-Platform Search:

The cross-platform search allows investigators the ability to search any term across any monitored application. For example, to find all users who accessed a specific customer account within a specific timeframe. This search can be easily performed on recorded data from a specific platform or on data recorded from several platforms.


The solution is able to report on myriad data including user actions, generated alerts and any other data related to defined entities in the system. A number of pre-configured reports are available to go along with a robust custom reporting engine.


At this point, the investigator can choose how to best resolve the alert by marking it as:

  • False Positive
  • Justified (meaning the alert is legitimate, but not valid in this case)
  • Fraud

If further investigation is required in order to determine the cause of the fraudulent or suspicious event, the users can take advantage of the Case Management functionality within the Investigation Center. Further information about Enterprise Case Management is available.

Insider and Employee Fraud Analytics

The analytics engine provides a data model which supports advanced calculations and correlations in real-time. The data model can maintain static and dynamic information on various types of entities including employees, accounts, customers and others. The data captured by the system from various sources is sent to the analytics engine in a normalised way, so the data can be captured in a way that is transparent to the analytics engine.

Our analytics engine uses a layered approach that looks at past data trends while continuously identifying new anomalies within the data and incorporating investigator feedback into its evaluation criteria. This approach enables customers to get immediate time to value by detecting known bad behaviors while also continuously adapting to emerging threats and refining risk scoring to reduce false positives.

BT process & representation 123

How the analytics work

During initial implementation and onboarding, pre-configured analytics are deployed based on the use cases under consideration by the customer. These analytics are based on the library of scenarios available within the Insider and Employee Fraud solution or can be configured on a custom, case-by-case basis as needed. For some use cases, this enables the solution to immediately begin identifying high-risk behavior. This is typically able to occur with more binary use cases, such as policy violations.

In parallel, as the system begins to monitor user behavior it also begins to understand what is normal for employees. As these baselines are established, the solution will begin to raise incidents on a wider range of scenarios. This could include a user performing action more often than they typically do within a work day or a user performing an activity that is not typically performed by someone with their same role.

BT process & representation 122

Machine learning

In addition to identifying known scenarios and anomalous behaviors, Bottomline’s Fraud and Financial Crime Management solutions incorporate machine learning to further refine their analytical capabilities and increase fraud detection capabilities. The solutions utilise supervised and unsupervised learning techniques in order to maximise the analytic capabilities of the solution. Machine learning enables the analytics engine to discover previously unknown anomalies, reduce false positives and continuously refine the analytics based on user interaction with the generated alerts.

These machine learning capabilities are particularly effective as they leverage the depth of fraud detection expertise that the solution provides. All machine learning algorithms are built to leverage expert-defined features within the data while also building in insights from the high-risk behavior and policy violations identified by the standard analytics engine. By leveraging these data points, Fraud and Financial Crime Management is able to provide more insightful and meaningful results for compliance officers.

Insider and Employee Fraud Solution Use Cases

The Insider and Employee Fraud solution can be deployed across different channels and applications. Customers can elect to deploy a single use case or multiple and all user activity is aggregated into the same Investigation Center for a consistent user experience and streamlined investigations. The following use cases represent a sample of the types of scenarios that the Insider and Employee Fraud solution is capable of identifying for customers. All use cases are refined through the incorporation of machine learning as supervised models improve risk scoring models in the analytics and combine with new outliers found through unsupervised learning.

Leakage of sensitive information/data theft

  • Performing account/customer inquiries, above the average expected number
  • Performing an excessive number of account/ customer prints
  • Performing an excessive number of common name searches
  • Performing an excessive number of detailed inquiries without subsequent monetary transaction
  • Behaving inappropriately for a given role (e.g., off-hours inquiries, examining other departments’ accounts, inquiring on accounts from other states/ regions/countries)
  • Performing a customer inquiry on a customer who belongs to a VIP active list
  • Downloading large amounts of information

Policy violations

  • Accessing accounts of coworkers
  • Opening a multiple number of low or no balance accounts
  • Performing a customer inquiry on a customer who belongs to a VIP active list
  • Performing excessive number of refund transactions over the last 7 days
  • Performing a money transfer(s) on their own account
  • Performing fee reversal(s) on their own account
  • Performing account/customer inquiries, above the average expected number
  • Performing a service transaction on their own account


Account has monetary transaction(s) of a certain category with a large total amount

  • Account with excessive transactions of a certain category
  • Branch has excessive number of transactions of a certain category on accounts of a certain type
  • Employee own account has an excessive number of transactions of a certain category
  • Employee performs a monetary transaction on an account which doesn’t have any recent activities
  • Employee performs withdrawals from escheatable accounts

Internal account takeover

Account has monetary transaction(s) of a certain category with a large total amount

Account is logged in multiple times from multiple different IP addresses at once

Logging in from new IP address

Logged in from an implausible geo-location based on last login time and place

Deviation from normal working behaviors (e.g., off-hours inquiries, examining other departments’ accounts, inquiring on accounts from other states/ regions/countries)

Employee logged in without swiping badge

Why it matters?

With 78% of insider fraud and data theft carried out by authorised users employing simple, legitimate commands to manipulate systems and data.


Want to learn more about Bottomline's fraud and financial crime management?

Give us a call.

Our solution experts are here to help.

+44 118 925 8250

Chat with us.

Chat with one of our solution experts. We'll recommend the right product to fit your needs.

See how we can protect your business.

Tell us a bit about you and your business and we’ll get back to you with all the information you need.

footer curve