AMR.ALFAYOUMY
← HOME / PROJECTS / BANK MUSCAT FINANCIAL CRIME - BEHAVIORAL ANOMALY DETECTION
PRODUCTION · 2025-Present · AML and anomaly detection

Bank Muscat Financial Crime - Behavioral Anomaly Detection.

Data Scientist & AI/ML Engineer
Cairo, Egypt
Source: resume + original portfolio + LinkedIn

Two production behavioral anomaly detection models for Bank Muscat's conventional and Meethaq Islamic banking segments, built on two years of transactional and behavioral history and delivered as a full SAS Viya MLOps cycle for AML operations.

Customers
2M+
Bank Muscat operating scale
Features
120+
Behavioral and transactional signals
Sub-Models
12
3 algorithms × 4 customer cohorts
Alerts
200+/week
High-value AML review signals
Triage Time
~65% saved
Estimated compliance review-time reduction from explainable, risk-ranked alerts
// 02 — CHALLENGE
WHY IT MATTERED

Bank Muscat serves more than 2 million customers, so the AML model had to work at enterprise scale while staying efficient in runtime, memory footprint, and operational review volume.

The bank needed a path beyond rule-only alerting without losing control, explainability, or integration with compliance operations. The solution had to surface previously unseen behavioral abnormalities while still aligning with the bank's existing SAS AML investigation workflow.

Behavioral baselines differed sharply between conventional and Islamic banking, personal and corporate customers, and established versus thin-file entities. A single generic anomaly model would have blurred those populations and produced weaker signals.

// 03 — APPROACH
HOW I BUILT IT

I owned the architecture end to end: ETLs, stored procedures, feature generation, preprocessing, model training, batch scoring, score aggregation, explainability, alert text generation, and integration into the bank's anti-money laundering solution.

For training, I built a segmented modeling design with three complementary anomaly detection approaches multiplied across four cohorts: personal, corporate, personal thin-file, and corporate thin-file. Each model family was selected for a distinct strength, so the ensemble could capture multiple abnormality patterns without overloading production infrastructure.

For scoring, I designed a 12-step batch pipeline that moves from data ingestion and preprocessing into model scoring, global score normalization on a 0-100 scale, false-positive optimization and suppression, Low / Medium / High risk classification, per-model top-5 feature attribution, cross-model attribution aggregation, plain-language compliance narratives, and final delivery into SAS AML.

The MLOps layer was designed for recurring retraining and scheduled scoring through Control-M automation, with SAS Viya / SAS VDMML serving as the production model lifecycle platform.

// 04 — KEY DECISIONS
WHAT I CHOSE & WHY
Decision · 01

Use three anomaly lenses, not one flagship model

For a banking crime model, I did not trust a single detector to represent abnormality. I chose a controlled ensemble of complementary anomaly detection approaches because each fails differently and catches a different shape of risk. The decision gave compliance a broader signal surface without turning the system into an ungovernable model zoo.

Decision · 02

Separate thin-file accounts instead of forcing weak history

Thin-file customers do not have enough behavioral history to be judged by the same baselines as mature accounts. I split personal thin-file and corporate thin-file populations into their own cohorts so missing tenure did not masquerade as low risk or artificial anomaly. That separation protected model fairness, calibration, and investigator trust.

Decision · 03

Design explainability as an operations layer

I treated explainability as production infrastructure, not a notebook artifact. The layer extracts per-model top drivers, consolidates them across the ensemble, and turns them into plain-language AML narratives that investigators can act on quickly. The goal was efficiency: fewer opaque scores, faster triage, and a review queue that explains why each alert deserves attention.

Decision · 04

Calibrate risk after segmentation, then suppress noise

Conventional banking, Meethaq Islamic banking, personal customers, and corporate customers have materially different behavior. I routed first, scored within the right population, normalized onto a shared 0-100 risk scale, then applied false-positive suppression before AML delivery. That sequence kept the model sensitive to local behavior while giving the bank one operational language for risk.

// 05 — ARCHITECTURE
HOW IT FITS TOGETHER

The production flow is a governed batch-scoring architecture: core banking, customer, and AML history feed Oracle SQL feature factories that build two-year behavioral baselines. Customers are routed by banking segment and cohort, scored through three complementary anomaly families, normalized into a shared 0-100 risk scale, and delivered into SAS AML with explainable top-feature narratives for investigator review.

// FIG. SYSTEM DIAGRAM
SCALE 1:N
Bank Muscat behavioral anomaly detection high-level architecture Banking, customer, KYC, and AML history feed Oracle data contracts, two-year behavioral feature engineering, segment and cohort routing, parallel anomaly model families, score normalization, false-positive suppression, attribution, AML narratives, SAS AML delivery, and MLOps controls. SOURCE SYSTEMS DATA CONTRACTS FEATURE FACTORY SEGMENT ROUTING MODEL GRID SCORE GOVERNANCE AML DELIVERY MLOPS CONTROLS CORE BANKING TXNS channels · amounts · velocity · history CUSTOMER + KYC segments · tenure · profile depth AML HISTORY prior alerts · scenarios · outcomes scheduled batch extract ORACLE STAGING + RECONCILIATION CONTRACTS stored procedures · joins · quality checks · aligned customer and transaction grain validated feature inputs TWO-YEAR BEHAVIORAL FEATURE FACTORY 120+ engineered signals · peer baselines · velocity windows · novelty · profile completeness feature parity across training, scoring, retraining, and AML payload generation BANKING SEGMENT ROUTER conventional · Meethaq Islamic banking CUSTOMER COHORT ROUTER personal · corporate · personal thin-file · corporate thin-file ANOMALY FAMILY 01 behavioral outlier lens 4 routed cohort models ANOMALY FAMILY 02 peer-deviation lens 4 routed cohort models ANOMALY FAMILY 03 sparse-history lens 4 routed cohort models PER-MODEL SCORES raw outputs · top-5 drivers GLOBAL NORMALIZATION shared 0-100 risk language SUPPRESSION + TIERS threshold gates · Low / Medium / High ATTRIBUTION ROLLUP cross-model driver consolidation AML NARRATIVES plain-language alert text SAS AML CASE QUEUE investigator review workflow CONTROL-M scoring and retraining schedules MODEL LIFECYCLE SAS Viya · VDMML · CAS execution PRODUCTION MONITORING review volume · drift · alert quality
// 06 — HIGHLIGHTS
KEY TAKEAWAYS
▸ END-TO-END BANK-SCALE ARCHITECTURE

Architected the end-to-end solution for Oman's largest bank, covering conventional banking and the Meethaq Islamic banking segment.

▸ PARALLEL TRAINING + BATCH SCORING

Built highly parallelized training and batch-scoring pipelines across stored procedures, ETL layers, preprocessing, feature engineering, and model execution.

▸ TWO-YEAR BEHAVIORAL FEATURE FACTORY

Engineered 120+ behavioral features from two years of massive transactional and customer-behavior data.

▸ 3 x 4 SEGMENTED ANOMALY MODEL GRID

Trained and tuned three complementary anomaly detection model families across four cohorts: personal, corporate, personal thin-file, and corporate thin-file.

▸ GOVERNED 12-STEP AML SCORING PIPELINE

Implemented a 12-step scoring pipeline covering ingestion, preprocessing, scoring, aggregation, suppression, risk classification, explainability, alert narratives, and SAS AML integration.

// 07 — OUTCOMES
RESULTS AND LESSONS
  • Delivered a production AML anomaly detection capability that finds more than 200 high-value alerts weekly for compliance review.
  • Surfaced previously unseen behavioral abnormalities while also independently catching abnormal cases that overlapped with existing SAS AML rule-based scenarios in live production.
  • Gave compliance officers explainable, risk-ranked alerts with top contributing features and plain-text narratives instead of opaque model scores.
  • Improved AML operations with a repeatable MLOps cycle: automated scoring, retraining readiness, governed model execution, and direct investigator workflow integration.
  • Post-go-live client feedback was extremely positive, especially around the scale of the architecture, the quality of the alert explanations, and the usefulness of the production signals.
// 08 — STACK
THE TOOLS
ML
Unsupervised anomaly detectionEnsemble anomaly scoringFeature attribution
Data
Oracle SQLStored proceduresETL pipelines120+ engineered featuresTwo-year behavioral history
Platform
SAS ViyaSAS VDMMLCASSAS AML
Operations
Control-M automationBatch scoringModel retrainingFalse-positive suppressionExplainability