Domain Knowledge-Enhanced Process Mining for Anomaly Detection in Commercial Bank Business Processes

Abstract

Process anomaly detection in financial services systems is crucial for operational compliance and risk management. However, traditional process mining techniques frequently neglect the detection of significant low-frequency abnormalities due to their dependence on frequency and the inadequate incorporation of domain-specific knowledge. Therefore, we develop an enhanced process mining algorithm by incorporating a domain-specific follow-relationship matrix derived from standard operating procedures (SOPs). We empirically evaluated the effectiveness of the proposed algorithm based on real-world event logs from a corporate account-opening process conducted from January to December 2022 in a Chinese commercial bank. Additionally, we employed large language models (LLMs) for root cause analysis and process optimization recommendations. The empirical results demonstrate that the E-Heuristic Miner significantly outperforms traditional machine learning methods and process mining algorithms in process anomaly detection. Furthermore, the integration of LLMs provides promising capabilities in semantic reasoning and offers explainable optimization suggestions, enhancing decision-making support in complex financial scenarios. Our study significantly improves the precision of process anomaly detection in financial contexts by incorporating banking-specific domain knowledge into process mining algorithms. Meanwhile, it extends theoretical boundaries and the practical applicability of process mining in intelligent, semantic-aware financial service management.

1. Introduction

Operational management is a cornerstone of financial service systems. To ensure efficiency, security, and compliance in the delivery of financial services, operational management involves the rigorous planning and management of various operational activities, such as process design, performance analysis, productivity evaluation, risk prevention, and regulatory compliance [1,2]. With the rapid digitalization and automation of financial services [3], improving the operational quality and risk resilience of financial services has become an urgent issue for financial institutions [4]. As an important foundation of service operation management, business process management (BPM) has gradually received widespread attention from academia and the industry [5,6,7].

Commercial banks are essential providers of financial services. The standardization and efficiency of business processes significantly influence the overall quality of financial services and the compliance of risk management [8]. In 2005, the China Banking and Insurance Regulatory Commission (CBRC) advocated the transition of banking organizations from a “department-driven” to a “process-driven” model. However, limited by the traditional manual process combining method, the majority of banks largely depend on static, expert-driven standard operating procedures for process management. These methods have failed to adapt to the complex and dynamic business environment of contemporary banking. On the one hand, static flowcharts have difficulty representing the actual execution path of business processes. On the other hand, manual combing struggles to identify deviations between actual business processes and SOPs, which potentially hinders the recognition of operational risks. Additionally, the absence of automated and intelligent process analysis tools constrains the efficiency and precision of process management.

To address the limitations of traditional business process management, process mining technology has increasingly gained significant interest in the financial services sector as an essential tool for advancing financial digital transformation [9,10]. Process mining has integrated data mining and process modeling theory to rediscover actual business processes from event logs in information systems, thereby effectively detecting bottlenecks and deviations [11]. Although studies have validated the substantial theoretical insights of process mining [12,13,14,15], the majority predominantly emphasize innovations in algorithms and theoretical discussions [16,17,18], with limited empirical examinations of practical banking applications. Evidence from the BPI Challenge in banking domains suggests that Heuristic Miner algorithms utilize frequency thresholds to simplify process models [19,20,21], but these kinds of frequency-based methods may conceal low-frequency but potentially critical paths [22]. Furthermore, conventional process mining algorithms generally lack domain-specific knowledge because they do not account for established SOP rules during discovery. Normally, SOPs only appear during conformance checking. As a result, the rediscovered process models might omit important but infrequent SOPs, reducing their usefulness for compliance analysis. In sum, a significant gap remains regarding how to integrate banking-specific domain knowledge into process mining to improve the precision of process anomaly detection.

In this study, we address these gaps by developing an enhanced process mining algorithm that integrates domain-specific banking knowledge for process anomaly detection in commercial bank business processes. Specifically, we propose the E-Heuristic Miner algorithm, which incorporates a domain-specific follow-relationship matrix derived from the SOPs of banks into a traditional Heuristic Miner algorithm. This approach aims to preserve infrequent yet business-critical process paths, ensuring that low-frequency anomalies, such as procedural violations or rare fraud scenarios, are not overlooked by the mining process. At the same time, the algorithm highlights non-compliant paths; if an observed activity transition does not appear in the SOP-defined matrix, it is explicitly marked in the resulting process graph as a deviation node. Overall, the E-Heuristic Miner significantly improves anomaly detection precision and efficiency.

Additionally, we explore the potential applications of LLMs in semantic process analysis and intelligent process optimization to extend the research frontier of process management. As a form of intelligent post-processing, LLMs can produce natural language explanations of deviations and anomalies identified by the E-Heuristic Miner. Thus, non-technical stakeholders can understand the deviations without needing to interpret complex models, and they can use the LLM’s insights to inform remediation decisions or process improvements.

This research makes the following contributions:

• We propose and empirically validate the E-Heuristic Miner algorithm, a novel method integrating banking domain knowledge into process mining, which significantly enhances the precision of anomaly detection in commercial banking processes.
• We illustrate the practical utility and efficacy of the proposed method by conducting a thorough empirical analysis using real-world event logs from a commercial bank. This analysis provides a clear, data-driven path for process optimization.
• We expand the theoretical and practical boundaries of process management research by exploring the application of LLMs in semantic process understanding and process analysis.

The rest of this study is structured as follows. Section 2 presents the theoretical background of process mining and process anomaly detection methods. Section 3 describes the research method. Section 4 presents the case study and findings. Section 5 concludes this study and outlines future research.

2. Literature Review

2.1. The Concepts and Techniques of Process Mining

Process mining utilizes event log data in information systems to improve operational processes [23,24]. It establishes a connection between process science and data science and integrates event log data with process models, thus facilitating process analysis, identifying process bottlenecks, and enabling process prediction or enhancement. Process mining comprises three major research modules: process discovery, conformance checking, and process enhancement [11,16].

Process discovery aims to generate and rediscover actual process models from event logs. Combined with the knowledge of graph theory and process modeling languages, process discovery has developed several algorithms, such as Alpha Miner, Heuristic Miner, Fuzzy Miner, Inductive Miner, and Split Miner.

Table 1. Representative process discovery algorithms.

Algorithm	Graph Representation	Proposer
RNN, KTAIL, and Markov Miners	FSM, Markov chain	[25]
Agrawal Miner	DAG	[26]
Alpha Miner	WF-net	[27]
Heuristic Miner 1.0	WF-net	[28]
Genetic Miner 1.0	C-net	[29]
Heuristic Miner 2.0	C-net	[30]
Genetic Miner 2.0	Process Tree	[31]
Fuzzy Miner	DFG	[32]
ETM	Process Tree	[33]
Inductive Miner	Process Tree	[34]
Fodina Miner	C-net	[35]
Split Miner	BPMN	[36]

summarizes the main algorithms in process discovery, including the proposed time, the process modeling representation, and the proposer.

Figure 1 constructs a research evolution diagram of process discovery algorithms and their corresponding graph representation. The vertical axis categorizes algorithms based on their underlying discovery principles, ranging from statistical models and frequency-based methods to block-structured and filter-based approaches. The horizontal axis denotes the corresponding graph representation, which refers to the formal structures or process modeling languages used by these algorithms to express the control-flow logic of business processes.

Graph representation and graph theory are critical for process mining, reflecting the trade-off between model expressiveness and interpretability. Finite State Machines (FSMs) [25] and Directed Acyclic Graphs (DAGs) [26] emphasize probabilistic transitions and basic activity sequences. Workflow nets (WF-nets) derived from Petri net theory [27,28] can offer more precise semantics for modeling concurrency and synchronization. Both causal nets (C-nets) [29,30] and Directly-Follows Graphs (DFGs) [32] represent local ordering or dependency relationships between process activities extracted from event logs. While DFGs focus on common patterns directly following, C-nets emphasize inferred causal structures. Process trees are a kind of hierarchically structured representation [33,34], and BPMN can represent more complex and rich business process situations, such as parallel and conditional branches, loops, and exception handling [36].

Conformance checking can evaluate the quality of process models, which is crucial for diagnosing and analyzing discrepancies between event logs and process models. In conformance checking, we usually need to balance four quality dimensions: fitness, accuracy, generalization, and simplification [37].

The research perspectives of process mining are divided into the process (control flow), time, organizational, and case perspectives. The process perspective focuses on the control flow and the execution order of business process activities. Process discovery and conformance checking both focus on the process perspective. Process enhancement utilizes additional information (e.g., activity frequency and time duration) and adds the time, organization, and case perspectives to refine existing process models. It typically integrates machine learning and data mining techniques, thus enhancing analysis and adapting more effectively to dynamic operational situations. Recent advancements, such as the integration of LLMs with process mining [38] and the advent of large process models, indicate the evolution of process management toward more extensive and complicated intelligent systems [39].

2.2. Applications of Process Mining in Financial Services Operations

Process mining in financial services has been used in several scenarios, including loan approval and insurance claims. Contemporary research predominantly emphasizes process discovery and process enhancement, whereas conformance checking receives comparatively little attention. While conformance checking is essential for assuring process compliance in financial contexts, the complexity of implementing conformance checking and the requirement for in-depth analysis of process models and execution data mean related studies face a high technical threshold.

Table 2. Process mining in financial services operations.

Reference	Scenarios	Purpose	Research Modules	Perspectives	Algorithms
[9]	Insurance claim process	Business process optimization	Process discovery; process enhancement	Control flow; organization; case	Heuristic Miner
[40]	Insurance claim process	Risk monitoring and risk identification	Process discovery; process enhancement	Control flow; case	Heuristic Miner
[41]	Bank loan process	Process risk assessment; process risk identification	Process discovery; process enhancement	Control flow; case	Not mentioned
[20]	Bank loan process	Business process optimization; process prediction	Process discovery; process enhancement	Control flow; organization; case	Inductive Miner
[42]	Bank loan process	Business process analysis; process analysis framework	Process discovery; process enhancement	Control flow; time; case	Heuristic Miner Inductive Miner Fuzzy Miner
[43]	Bank loan process	Business process analysis and optimization; process variants analysis; process performance evaluation	Process discovery; process enhancement	Control flow; case	Not mentioned
[44]	Bank loan process	Concept drift; business process analysis	Process discovery	Control flow	Not mentioned
[45]	Bank loan process	Business process optimization; process prediction	Process discovery	Control flow	Not mentioned
[46]	Bank loan process	Business process analysis	Process discovery; process enhancement	Control flow; case	Fuzzy Miner
[47]	Bank loan process	Business process modeling analysis	Process discovery; conformance checking; process enhancement	Control flow; time; organization; case	Inductive Miner
[48]	Bank loan process	Business process analysis Process improvement based on Generative AI	Process discovery; process enhancement	Control flow; time; case	Fuzzy Miner

summarizes the relevant literature on the application of process mining in financial services operations.

In particular, we sorted financial service operation scenarios investigated in each study, mainly involving insurance claim handling and loan approvals. We also summarized the specific process-related problems or operational purposes that each study aimed to address using process mining techniques in each financial service scenario. For instance, some studies focus on business process optimization to improve efficiency or streamline operations, while others emphasize risk monitoring, compliance validation, or process performance evaluation. Furthermore, we classified research modules and research perspectives on process mining involved in each study.

Moreover, process mining studies on financial service operations predominantly rely on the Heuristic Miner and Fuzzy Miner due to their strong adaptability to complex and noisy business processes in banking. Heuristic Miner can extract dominant execution paths by leveraging activity dependency measures and frequency thresholds. Thus, it is particularly suitable for structured, high-frequency processes. Conversely, Fuzzy Miner applies automated clustering and abstraction to simplify the visualization of large-scale event logs, which makes it more appropriate for exploratory analysis.

2.3. Anomaly Detection Methods in Business Processes

Process anomaly detection is a crucial tool for ensuring compliance in corporate operations. Especially for commercial banks, compliance is intrinsically linked to financial security and risk management.

Conformance checking in process mining can identify deviations by aligning event logs with process models [49]. However, its effectiveness heavily depends on the model’s quality [50]. Statistical modeling approaches, such as Markov models [51] and association rule-based models [52], can capture the probabilistic characteristics of processes. However, these methods usually face parameter sensitivity and threshold dependence problems [53]. Additionally, clustering methods based on similarity between process models can effectively identify anomalous trajectories that deviate from mainstream patterns [54]. Inspired by natural language processing, Word2Vec can capture semantic similarities between process activities by mapping business process text data into a continuous vector space, thus adding a semantic dimension to anomaly detection [55,56].

2.4. Summary of Research Gap and Practical Motivation

Although relevant studies have demonstrated the potential of process mining in finance, the depth of its integration with real banking situations remains limited. Due to the complexity of financial business processes and the widespread existence of unstructured processes, applying process mining technology in the financial sector faces many challenges. In addition, the industry’s ability to integrate technical insights with domain-specific knowledge remains underdeveloped. Current approaches often fail to incorporate bank-specific domain knowledge, thereby limiting their practical effectiveness in anomaly detection.

Given these critical gaps, this study aims to develop a novel, domain knowledge-integrated process mining algorithm specifically designed for anomaly detection in banking contexts. Given the strict compliance requirements embedded in banking standard operating procedures and the need to distinguish between normative and exceptional paths, this study chooses to enhance the Heuristic Miner algorithm. Its explicit modeling of activity dependencies enables the seamless integration of domain knowledge via a follow-relationship matrix, thereby improving the detection and retention of low-frequency yet critical deviations.

3. Methodology

Process Anomaly Algorithm: E-Heuristic Miner

Heuristic Miner was initially proposed by A.J.M.M. Weijters et al. in 2003 and subsequently refined in 2006 [28,30]. It can rediscover actual process models from event logs based on direct dependency relationships between activities. By introducing dependency measures and setting thresholds, Heuristic Miner can filter out edges with low frequency and insufficient importance to simplify the process model. Therefore, it has the potential to enhance the readability of process models, suppress noise, and emphasize the main process structures. It has been particularly effective in addressing complex real-world processes, such as those commonly found in banking operations, where irregular behaviors and low-frequency deviations often exist.

However, the traditional Heuristic Miner algorithm relies solely on activity frequency and dependency measures to filter out low-frequency paths. These low-frequency paths may suggest critical operational risks or compliance violations in the banking context. They may also represent critical anomalies, special business scenarios, design flaws within information systems, or the irregular operational behaviors of employees. Thus, the algorithm only filters these paths using frequency results, leading to inadequate anomaly identification and potentially missing critical risk-related information included in these infrequent activities. Additionally, the original algorithm does not leverage domain-specific knowledge embedded in SOPs, limiting its capacity to accurately detect deviations of high practical importance.

To overcome these shortcomings, this study proposes an enhanced Heuristic Miner algorithm, which we call E-Heuristic Miner. The primary innovation of E-Heuristic Miner lies in its integration of banking-specific domain knowledge into the traditional heuristic mining framework. The banking-specific domain knowledge is represented by the follow-up relationship matrix produced from SOPs.

Specifically, E-Heuristic Miner includes the following four steps:

1.

Extract domain knowledge from a bank’s standard operating procedure and build a follow-up relationship matrix. Based on the explicit sequential relationship between each activity in the bank’s SOP, we can develop a follow-up relationship matrix. It contains two levels of information: process activity and activity sequence relationship information. Each element in the matrix represents the direct follow-up relationship between two activity nodes. For example, the corresponding element value in the matrix is 1 if activity A directly follows activity B and 0 if there is no direct follow-up relationship. Specifically, the formula is as follows:

$$follo{w}_{a,b}=\left\{\begin{array}{c}0, a{\ngtr }_{L}b\\ 1, a{>}_{L}b\end{array}\right.$$

(1)

2.

Calculate the dependency index between activities to construct a dependency/frequency table (D/F table) to count the frequency of dependency relationships between activities in event logs. The calculation method for dependency is as follows:

Let L be an event log over ζ, i.e., $L \subseteq {\zeta }^{*}$. Let a, b ∈ ζ: $a{>}_L\mathrm{b}$ if there is a trace $\sigma =t_1{t}_2{t}_3 \dots t_n$ and $i \in \{1, \dots , n-1\}$ such that $\sigma \in L$ and $t_i=a$ and $t_{i+1}=b$. Here, $\left|a{>}_L\mathrm{b}\right|$ is the number of times $a{>}_L\mathrm{b}$ occurs in L:

$$\mid {a>}_{L}b\mid =\sum _{\sigma \in L}L\left(\sigma \right)\times \left|\left\{1⩽i⩽\left|\sigma \right| ∣ \sigma \left(i\right)=a\wedge \sigma \left(i+1\right)=b\right\}\right|$$

(2)

$a{\Rightarrow }_{L}b$ indicates the dependency value between a and b. The traditional formula for dependency is as follows:

$$\mid a{\Rightarrow }_{L}b\mid =\left\{\begin{array}{cc}{\displaystyle \frac{\mid a{>}_{L}b\mid -\mid b{>}_{L}a\mid }{\mid a{>}_{L}b\mid +\mid b{>}_{L}a\mid +1}}& if a\ne b\\ {\displaystyle \frac{\mid a{>}_{L}a\mid }{\mid a{>}_{L}a\mid +1}}& if a=b\end{array}\right.$$

(3)

The value of $\left|a{\Rightarrow }_{L}b\right|$ is always between −1 and 1. If it is close to 1, there is a strong positive dependency between a and b, where a is the cause of b. If it is close to −1, there is a strong negative dependency, where b is the cause of a. If a is the same as b, it means there is a loop and a strong reflexive relationship.

The importance of each path is re-evaluated in light of the domain knowledge recorded in the follow-up relationship matrix and the actual dependency of each path. The dependency calculation formula will retain and assign greater weights to the paths that deviate from the standard path and have low frequencies. The retention of the normal paths will be determined by the calculated dependency value and the established threshold. This innovation simplifies the process model to the greatest extent possible while also preserving the deviation path. The innovative dependency calculation is as follows:

$$\mid a{\Rightarrow }_{L}b\mid =\left\{\begin{array}{cc}\rho {\displaystyle \frac{\mid a{>}_{L}b\mid -\mid b{>}_{L}a\mid }{\mid a{>}_{L}b\mid +\mid b{>}_{L}a\mid +1}}+\left(1-\rho \right)& if a\ne b\\ \rho {\displaystyle \frac{\mid a{>}_{L}a\mid }{\mid a{>}_{L}a\mid +1}}+\left(1-\rho \right)& if a=b\end{array}\right.$$

(4)

$$\begin{array}{l}{color}_{a_i or \mid {a>}_{L}b\mid }\\ =\left\{\begin{array}{c}\rho \ast dotted+\left(1-\rho \right)\ast dotted and {label}_{\mid {a>}_{L}b\mid }={\displaystyle \frac{\mid a{>}_{L}b\mid -\mid b{>}_{L}a\mid }{\mid a{>}_{L}b\mid +\mid b{>}_{L}a\mid +1}}\\ \rho \ast dotted+\left(1-\rho \right)\ast solid and {label}_{\mid {a>}_{L}b\mid }={\displaystyle \frac{\mid a{>}_{L}b\mid -\mid b{>}_{L}a\mid }{\mid a{>}_{L}b\mid +\mid b{>}_{L}a\mid +1}} \end{array}\right.\end{array}$$

(5)

$\rho$ is the value in the follow-up relationship matrix. In addition, ${color}_{\mid {a>}_{L}b\mid }$ represents the color of activities and paths in the process. If there is a deviation from the activity or path, it will be colored.

3.

Convert the D/F table into a D/F graph and generate DFGs from the D/F graph. Note that this study utilized the PM4PY API tool to analyze business processes instead of relying on tools like Disco or ProM [57].

In summary, Algorithm A1 presents the implementation of E-Heuristic Miner (see Appendix A). We set the threshold $\theta$ equal to 0.5 in the algorithm, following commonly used defaults in the literature and existing tools such as the pm4py framework. By dynamically adjusting the dependency calculation of activity paths through this embedded matrix, E-Heuristic Miner significantly enhances its sensitivity to important but rare abnormalities and can identify deviations from expected business practices with greater precision. Thus, it not only maintains the interpretability and visualization advantages of the original Heuristic Miner but also substantially improves the accuracy and effectiveness of anomaly detection within complex banking process environments.

4. Empirical Study and Results

4.1. Data Source and Business Analysis

Constrained by the availability of SOPs, data confidentiality, and institutional restrictions, we chose to analyze the corporate account-opening process from one commercial bank subject to standardized regulatory oversight and exhibiting clear process structures with known variations and compliance risks. Broader access to SOPs and event logs was not possible because such internal process documentation is typically classified and not publicly shared.

Corporate banking services refer to various financial services provided by banks to legal clients such as companies and institutions. The bank we selected has 15 activities in its corporate account-opening business processes, which comprehensively address two typical scenarios: successful and failed account opening. The event logs cover the entire year of 2022. The starting activity node is “Pre-application has been submitted for review”, while the end activity node is “Next-day review has been completed”. The corporate account-opening business process is effectively managed when the process executes to the “Completed and waiting for evaluation” status. Meanwhile, it has failed if the process executes to “Pre-review rejected (in-bank cancellation)” or “On-site review failed and order withdrawn (in-bank cancellation)”. The standard operating procedure of the corporate account-opening business process is shown in Figure 2.

We have addressed sensitive data in the event logs used in this study. The event logs consist of three components: “caseID”, “activity”, and “DateTime” (the execution time of the activity). A trace is used to represent each case, containing specified execution steps known as “activities”.

Table 3. Event logs for the corporate account-opening business process (partial).

Case ID	Activity	Date Time
B1xxxxxxxx448632	Pre-application has been submitted for review	2022-01-02 19:24:01
	Under pre-review at the bank’s preliminary review post	2022-01-04 08:55:23
	Pre-review has been completed and pending processing by the branch.	2022-01-04 08:59:24
	The branch is preparing.	2022-01-10 09:24:31
	……	……
B1xxxxxxxx454247	Pre-application has been submitted for review	2022-01-03 19:41:48
	Open electronic channel pre-filled form	2022-01-03 19:41:48
	Under pre-review at the bank’s preliminary review post	2022-01-04 09:04:14
	……	……
……	……	……

illustrates a portion of the corporate account-opening business event logs.

We utilized the process mining tools ProM and PM4PY API to conduct an overall analysis of the business.

Table 4. Sorting of process activity execution frequency.

Activity	Activity Number	Frequency	Proportion
Scanned for review the next day	HE01	62,199	20.00%
Under pre-review at the bank’s preliminary review post	H2	34,785	11.18%
Pre-application has been submitted for review	H1	33,911	10.90%
Pre-review has been completed and pending processing by the branch.	H5	23,359	7.51%
The branch is preparing.	H8	23,087	7.42%
Counter business activated and accepted	H9	22,600	7.27%
Completed and waiting for evaluation	H14	22,552	7.25%
Account opening completed	H12	22,552	7.25%
Items handed over, and the customer left the counter	H13	22,552	7.25%
Next-day review has been completed	HE03	21,277	6.84%
Pre-review waiting for customer to modify/supplement information	H3	8925	2.87%
Open electronic channel pre-filled form	H90	6994	2.25%
Next-day review returned and modified	HE02	2845	0.92%
Pre-review rejected	H4	1627	0.52%
Customer has withdrawn the order	H99	1221	0.39%
Customer has evaluated	H24	355	0.11%
On-site review failed and order withdrawn	H11	184	0.06%
Customer has appointed	H97	28	0.01%
Customer has obtained appointment number	H98	1	0.00%

shows the number of activities and their frequencies. The highest number of executions is for “Scanned for review the next day” with 62,199 times, while the lowest number of executions is for “Customer has appointed” with 1 time. In addition, four activities do not exist in the SOP.

We conducted a systematic statistical analysis of event logs and generated the corresponding activity trajectory diagram to analyze the actual execution of the case bank’s account-opening business, as illustrated in Figure 3. The results indicate that the shortest case only involves three activities, while the longest case involves as many as 46 activities. Overall, the average number of activities for each case is about 12. In addition, we analyzed the completion time required for each case. According to Figure 4, the cycle for the majority of account-opening businesses is controlled within 10 days.

Additionally, identified potential bottlenecks in the account-opening business and performed a comprehensive analysis of the execution duration of each activity node in the process model based on completion time distribution. According to

Table 5. Consuming time for corporate account-opening business activities.

Activity	Average Completion Time (Activity)	Variance of Execution Completion Time (Activity)	Average Completion Time (Case)	Variance of Completion Time (Case)
Customer has evaluated	7.57 days	16.29 days	5.57 days	8.22 days
On-site review failed and order withdrawn	4.58 days	10.25 days
Counter business activated and accepted	2.45 days	4.86 days
Next-day review has been completed	1.47 days	1.12 days
Next-day review returned and modified	1.44 days	2.31 days
Completed and waiting for evaluation	23.69 h	6.21 days
Branch is preparing	23.57 h	2.63 days
Scanned for review the next day	14.03 h	1.34 days
Customer has withdrawn the order	10.2 h	3.11 days
Under pre-review at the bank’s preliminary review post	3.33 h	21.05 h
Pre-application has been submitted for review	2.86 h	20.44 h
Customer has appointed	1.26 h	2.21 h
Pre-review has been completed and pending processing by the branch	8.86 min	41.98 min
Account opening completed	8.50 min	1.45 h
Pre-review rejected	6.42 min	11.51 min
Pre-review waiting for customer to modify/supplement information	2.76 min	41.41 min
Items handed over, and the customer left the counter	1.46 min	1.12 h
Open electronic channel pre-filled form	1.4 min	42 min
Customer has obtained appointment number	-	-

, the main bottlenecks involve “Customer has evaluated” (average time of about 7.57 days), “On-site review failed and order withdrawn” (average time of about 4.58 days), and “Counter business activated and accepted” (average time of about 2.45 days). It should be noted that “Scanned for review the next day” (average time of about 14.03 h) exhibits evident repeated operations, indicating a possible bottleneck in the business process. It is thus necessary to further analyze the business or management reasons to formulate targeted optimization measures.

Considering the data characteristics and potential bottlenecks, we applied the E-Heuristic Miner algorithm in the following section to detect process anomalies.

4.2. Process Anomaly Detection Based on E-Heuristic Miner

In this subsection, we demonstrate the effectiveness of E-Heuristic Miner and compare it with other machine learning methods.

4.2.1. The Effectiveness of E-Heuristic Miner

Using E-Heuristic Miner, we constructed a follow-up relationship matrix based on the SOP of the corporate account-opening business. Activities not included in the matrix identified in event logs may indicate anomalous behaviors. If the activities in event logs do not align with the specification of the follow-up relationship matrix, this indicates potential risk paths or deviation paths in the business process. Then, we performed process mining and deviation path identification on the case bank’s corporate account-opening business. The process model is shown in Figure 5.

$$\mathrm{Follow}=\begin{array}{cc}& \begin{array}{ccccccccccccccccc}\mathrm{start}& H_{E01}& H_2& H_1& H_5& H_8& H_9& H_{12}& H_{14}& H_{13}& H_{E03}& H_3& H_{E02}& H_4& H_{24}& H_{11}& \mathrm{end}\end{array}\\ \begin{array}{c}\mathrm{start}\\ H_{E01}\\ H_2\\ H_1\\ H_5\\ H_8\\ H_9\\ H_{12}\\ H_{14}\\ H_{13}\\ H_{E03}\\ H_3\\ H_{E02}\\ H_4\\ H_{24}\\ H_{11}\\ \mathrm{end}\end{array}& \left(\begin{array}{ccccccccccccccccc}0& 1& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 1& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0\end{array}\right)\end{array}$$

(6)

In Figure 5, the colored activities denote those that appear in the event log but are not defined in the SOP, thus referred to as deviation activities. The red lines represent the direct follow-up relationships between activities that exist in the event log but are not defined in the SOP, referred to as deviation paths. The numbers above the lines linking the activities represent the frequency of executions, while the numbers below represent the dependency values calculated by the E-Heuristic Miner algorithm. The higher the dependency value, the higher the execution frequency of the path between two adjacent activity nodes. The paths connected to “start” and “end” do not indicate the dependency value.

In addition, to verify the effectiveness of the E-Heuristic Miner algorithm, we utilized four indicators to assess the quality of process models and selected other traditional process discovery algorithms for comparative experiments. Fitness, accuracy, generalization, and simplification are the four quality dimensions that must be balanced [37,58].

• Fitness requires that the discovered model allows for the behavior seen in the event log. Formally, the fitness for a trace, $\sigma$, given a WF-net, $N$, is computed as follows:

  $$Fitness\left(L,N\right)={\displaystyle \frac{1}{2}}\left(1-{\displaystyle \frac{{\sum }_{\sigma \in L}{m}_{N,\sigma }}{{\sum }_{\sigma \in L}{c}_{N,\sigma }}}\right)+{\displaystyle \frac{1}{2}}\left(1-{\displaystyle \frac{{\sum }_{\sigma \in L}L\left(\sigma \right)\times r_{N,\sigma }}{{\sum }_{\sigma \in L}L\left(\sigma \right)\times p_{N,\sigma }}}\right)$$

  (7)

  where $m$ represents missing tokens; $c$ represents consumed tokens; $p$ represents produced tokens; and $r$represents remaining tokens.
• Precision assesses whether the discovered model allows for behavior completely unrelated to what has been observed in the event log. Let $E\subseteq \epsilon$ represent the set of events in the event log, L. For any event $e\in E$, let ${en}_N\left(e\right)$ denote the set of activities enabled by the process model, $N$, following the context of event $e$. In other words, if we look at the state of the model just before event e occurs, ${en}_N\left(e\right)$ is the set of all possible next activities that model N allows from that state. ${en}_L\left(e\right)$ denotes the set of activities enabled in log $L$ after the context of event $e$. Since an event e in the log has a particular prefix, ${en}_L\left(e\right)$ represents the activities that were actually observed next in the log whenever that same state was reached. Precision is calculated as

  $$Precision\left(L,N\right)={\displaystyle \frac{1}{\left|E\right|}}\sum _{e\in E}{\displaystyle \frac{\left|{en}_L\left(e\right)\right|}{\left|{en}_N\left(e\right)\right|}}$$

  (8)
  If precision is high, the discovered model does not allow for much more behavior than observed. Hence, $\left|{en}_N\left(e\right)\right| \approx \left|{en}_L\left(e\right)\right|$. If precision is low, the discovered model allows for much more behavior than observed. Hence, $\left|{en}_N\left(e\right)\right| \ge \left|{en}_L\left(e\right)\right|$.
• Generalization measures the discovered model’s ability to generalize the example behavior seen in the event log. Generalization is calculated as

  $$Generalization\left(L,N\right)=1-{\displaystyle \frac{\sum _{nodes} (\sqrt{\#executions}{)}^{-1}}{\#nodes}}$$

  (9)
  Here, “nodes” represent the set of nodes (activities) in the process model, $N$, and $\#nodes$ is the total number of nodes. For each node, $\#executions$ denotes the number of times that node was executed in the event log, $L$.
• Simplicity addresses the structural complexity of the process model. Simplicity is calculated as

  $$Simplicity\left(L,N\right)={\displaystyle \frac{1}{1+\mathit{max}\left(mea{n}_{degree}-k, 0\right)}}$$

  (10)

  where $mea{n}_{degree}$ is calculated as the average number of incoming and outgoing arcs per node in the process model, and k is a non-negative constant chosen as a baseline for comparison. Here, we set k as 2, adhering to the PM4PY API.

As illustrated in

Table 6. Results of process quality assessment.

Indicators	Alpha Miner	Alpha + Miner	E-Heuristic Miner	Inductive Miner
Success/Failure	Failure	Failure	Success	Success
Fitness	-	-	0.911	1.0
Precision	-	-	0.989	0.131
Generalization	-	-	0.845	0.940
Simplicity	-	-	0.495	0.522

, the Alpha and Alpha+ algorithms failed to successfully mine a process model because they could not effectively handle structural problems such as short loops. The Inductive Miner algorithm showed outstanding fitness, generalization, and simplicity, but performed poorly in precision. The performance of the E-Heuristic Miner algorithm was relatively balanced in the four indicators, so it is more suitable for complex banking business process scenarios.

The E-Heuristic Miner results indicate that only 10,318 cases in the corporate account-opening activity of the case bank adhered strictly to the SOP, representing 40.33%. As illustrated in

Table 7. Analysis of deviation in corporate account-opening business in the case of the bank.

Deviation Ratio of Activities	Deviation Ratio of Paths	Deviation Ratio of Cases
21.05%	9.00%	59.67%

, the deviation ratio of cases is 59.67% and these cases exhibited differing levels of deviance, mainly centering on deviation activities and deviation paths. The deviation activities emerged primarily from parts of the actual process that are invisible to managers. Current process design and process optimization mostly rely on expert experience, leading to the delayed incorporation of new activities into the SOP. It is easy to generate compliance risks in business processes. The emergence of deviation paths may also be affected by the subjective operations of bank employees.

After discussion with the case bank’s business experts, we attributed the deviation path “On-site review failed and order withdrawn → Branch is preparing” to personnel operation factors, and the rest were classified as customer factors, IT system problems, and management failure factors. The proportion of deviation cases and paths caused by personnel operation factors is shown in Figure 6.

4.2.2. Comparison of Deviation Detection Methods

In this section, we compare machine learning methods with the E-Heuristic Miner algorithm in terms of their abilities in process anomaly detection within the context of commercial banking. The machine learning models involved include the following: SVM + PCA, KNN, Word2Vec, and LSTM. SVM + PCA can accurately distinguish between normal and abnormal processes by constructing the optimal classification hyperspace in the high-dimensional feature space and removing redundant information and noise [59]. KNN can classify anomalies based on the similarity distance between cases [60]. Word2Vec can capture the semantic similarity between activities and provide an anomaly identification method in the semantic dimension [61]. LSTM can effectively utilize the historical process data and identify potential abnormal patterns due to its excellent ability to capture long sequence dependencies [62].

One-Class SVM: To characterize the behavior of process execution durations, we extracted four key statistical features from the execution time of each process instance: the minimum ($\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{m}\mathrm{i}\mathrm{n}$), maximum ($\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{m}\mathrm{a}\mathrm{x}$), mean ($\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{m}\mathrm{e}\mathrm{a}\mathrm{n}$), and standard deviation ($\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{s}\mathrm{t}\mathrm{d}$) of the time differences. We trained a One-Class SVM model to identify anomalous process instances. To interpret the trained model and understand which features contribute most to anomaly detection, we employed permutation feature importance. Figure 7 indicated that $\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{s}\mathrm{t}\mathrm{d}$ and $\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{m}\mathrm{a}\mathrm{x}$ were particularly sensitive to anomalies characterized by substantial temporal fluctuations, while $\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{m}\mathrm{i}\mathrm{n}$ and $\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{m}\mathrm{e}\mathrm{a}\mathrm{n}$ generally reflected efficiency issues but were less sensitive to identifying distinct anomalies. As a result, we identified 1280 anomalous cases out of 24,604 normal cases.

PCA: Referring to the four statistical features used in SVM, we added another feature: the number of activities. Thus, we utilized five features for PCA: the minimum ($\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{m}\mathrm{i}\mathrm{n}$), maximum ($\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{m}\mathrm{a}\mathrm{x}$), mean ($\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{m}\mathrm{e}\mathrm{a}\mathrm{n}$), standard deviation ($\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\_\mathrm{s}\mathrm{t}\mathrm{d}$) of the time differences, and number of activities ($\mathrm{a}\mathrm{c}\mathrm{t}\mathrm{i}\mathrm{v}\mathrm{i}\mathrm{t}\mathrm{i}\mathrm{y}\_\mathrm{c}\mathrm{o}\mathrm{u}\mathrm{n}\mathrm{t}$). We first reduced the dimensionality to two principal components; then, we applied reconstruction error for anomaly detection. An anomaly threshold was defined at a 95% confidence interval. The results are shown in Figure 8. We finally identified 1280 anomalous cases out of 24,604 normal cases based on PCA.

KNN: We selected each case’s execution duration and encoded process variants. We hypothesized that processes of the same category would exhibit similar execution durations and structural patterns, whereas anomalous cases would deviate significantly in duration or structure. Using the elbow method, we determined that 10 clusters provided the optimal partitioning. As shown in Figure 9, the largest cluster contained 24,711 cases and was designated as normal, while the remaining nine clusters were labeled anomalous.

LSTM: We encoded and normalized activity sequences for each case as inputs to the LSTM. The autoencoder consists of an encoder–decoder pair: the encoder compresses each activity sequence into a latent representation, and the decoder reconstructs the original sequence from this compressed embedding. The model was trained to minimize the reconstruction error between the input sequence and its reconstruction. Specifically, the Mean Squared Error (MSE) was used as the loss function to reproduce normal cases (low error) while amplifying deviations for anomalous cases. For optimization, the Adam optimizer was employed with a learning rate of 0.01. The model was trained for 10 epochs. As we can see from Figure 10, over the course of training, the loss steadily decreased and eventually converged, indicating that the autoencoder successfully learned the regular patterns in the data.

After training, the LSTM autoencoder was used to reconstruct each case’s activity sequence, and a reconstruction error was computed for every case. An anomaly detection mechanism was then applied by comparing each case’s error to a threshold. We defined the anomaly threshold as the mean reconstruction error across all cases plus two standard deviations (i.e., threshold = μ + 2σ). Figure 11 illustrates a scatter plot of reconstruction errors for all process cases, with the anomaly threshold and identified anomalies highlighted.

Word2Vec: We further explored semantic embedding techniques by applying Word2Vec to measure semantic similarity between adjacent activities within process cases. By averaging the cosine similarities of all adjacent activity pairs, each case was assigned an average similarity score indicating the semantic coherence of its sequence. To identify anomalies, a threshold can be defined as the mean of these average similarity scores minus one standard deviation. In our analysis, this threshold was 0.7607, meaning any case whose average similarity fell below 0.7607 was flagged as anomalous. In Figure 12, a black dashed line denotes the anomaly threshold at 0.7607. Cases to the right of this line (blue bars) have similarity above the threshold and are considered normal, while cases to the left (orange bars) fall below 0.7607 and are classified as anomalies. Based on this threshold, 4406 out of 23,779 cases (≈18.5%) were identified as anomalous in the depicted dataset. The underlying logic is that low average similarity signals an irregular sequence of activities, thereby indicating potential process anomalies.

We summarize the number of process anomalies identified by each algorithm in

Table 8. Process anomaly detection results.

Algorithm	Number of Cases in Process Anomalies
E-Heuristic Miner	15,266
One-Class SVM	1280
PCA	1280
KNN	873
LSTM	822
Word2Vec	4406

.

To quantitatively assess the effectiveness of each algorithm in detecting meaningful process anomalies, we defined three types of business-relevant anomalies based on domain knowledge according to the bank’s SOP, as follows:

(1)

Cases where the special deviation path of “On-site review failed and order withdrawn → Branch is preparing” exists.

(2)

Cases where the execution time of the activity exceeds 20 days. (Note: the average duration for completing the account-opening process in the case bank is 10 days.)

(3)

Cases where the number of activities exceeds 24. (Note: the average number of executed activities for the case bank’s account-opening business is 12.)

Other cases are classified as positive instances. All remaining cases were considered normal. These SOP-based definitions served as the ground truth to evaluate the proportion of each algorithm’s identified anomalies that align with actual business exceptions. The results of the comparison are shown in

Table 9. Comparison of deviation detection methods.

Algorithm	The Number and Accuracy of (1) Identified	The Number and Accuracy of (2) and (3) Identified
E-Heuristic Miner	11 (100%)	782 (100%)
One-Class SVM	2 (18.18%)	708 (90.54%)
PCA	0 (0.00%)	686 (87.72%)
KNN	0 (0.00%)	95 (12.15%)
LSTM	0 (0.00%)	54 (6.91%)
Word2Vec	0 (0.00%)	17 (2.17%)

.

Overall, traditional machine learning methods perform poorly in process anomaly detection. The One-Class SVM and PCA algorithms perform well in detecting abnormal cases with bottlenecks and activity quantities, but cannot effectively capture abnormal cases with deviation paths. While KNN can partially identify cases with bottlenecks, its overall detection accuracy remains low. Word2Vec and LSTM mainly rely on the sequential characteristics of activities. Although they can identify abnormal cases where the activity sequence markedly diverges from the standard sequence, they are obviously insufficient in detecting local subtle deviation paths (such as the specific path of “On-site review failed and order withdrawn → Branch is preparing”). As a word-vector-embedding model, Word2Vec essentially learns a semantic relationship between activities, ignoring sequential, concurrency, and hierarchical information in the process. Thus, it fails to reveal complex process dependencies. Meanwhile, LSTM fails to fully leverage the time attributes in the process. The detected anomalies are primarily confined to cases involving a minimal number of activities (e.g., customer cancellations), an extensive number of loops, or specific activities (e.g., “Customer has appointed”), while the identification of general bottlenecks and local deviation paths is ineffective.

In comparison, the E-Heuristic Miner method can not only accurately identify deviation activities and deviation paths by integrating domain knowledge and clear business rules, but is also more sensitive to local anomalies with subtle differences. It significantly compensates for the shortcomings of traditional machine learning methods. Therefore, the E-Heuristic Miner method is more suitable for process anomaly detection in real banking scenarios.

4.3. LLM-Driven Process Anomaly Analysis and Process Optimization Analysis

With the rapid development of LLMs, their excellent natural language-understanding abilities, powerful pattern recognition, and induction abilities open up new opportunities for process analysis. Beyond traditional process mining methods, LLMs can explain the root causes of business processes and propose effective improvement plans. However, it is currently difficult to directly input multiple event log data as prompts in LLMs at one time. Thus, we adopted a two-stage abstraction method inspired by Berti et al. [40]. First, we used the PM4PY API tool to abstract structured process variants or Petri nets from the event logs, which are recorded in a textual format. Then, we transformed abstracted process information and queries relevant to process anomaly analysis into prompts and submitted them to LLMs to obtain the output results. Examples of input contents are shown in

Table 10. Inputting the textual abstraction of the process variant into GPT 4.5.

Input Text

Pre-application has been submitted for review -> Under pre-review at the bank’s preliminary review post -> Pre-review has been completed and pending processing by the branch -> Branch is preparing -> Counter business activated and accepted -> Account opening completed -> Items handed over and the customer left the counter -> Completed and waiting for evaluation -> Scanned for review the next day -> Scanned for review the next day -> Scanned for review the next day (frequency = 3334 performance = 420,942.921) Pre-application has been submitted for review -> Under pre-review at the bank’s preliminary review post -> Pre-review has been completed and pending processing by the branch -> Branch is preparing -> Counter business activated and accepted -> Account opening completed -> Items handed over and the customer left the counter -> Completed and waiting for evaluation -> Scanned for review the next day -> Scanned for review the next day -> Scanned for review the next day (frequency = 3172 performance = 454,041.715) Pre-application has been submitted for review -> Under pre-review at the bank’s preliminary review post -> Pre-review has been completed and pending processing by the branch -> Branch is preparing -> Counter business activated and accepted -> Account opening completed -> Items handed over and the customer left the counter -> Completed and waiting for evaluation -> Scanned for review the next day -> Scanned for review the next day -> Scanned for review the next day (frequency = 1567 performance = 425,102.106) …… What are the root causes of issues in the process? Please provide only process and data specific considerations.

and

Table 11. Inputting Petri net text into GPT 4.5.

Input Text

If I have a Petri net: places: [ p_10, p_11, p_12, p_14, p_15, p_16, p_17, p_19, p_20, p_23, p_24, p_26, p_27, p_28, p_29, p_3, p_30, p_31, p_32, p_33, p_34, p_35, p_37, p_38, p_39, p_4, p_40, p_41, p_42, p_43, p_45, p_46, p_47, p_48, p_49, p_5, p_51, p_52, p_53, p_54, p_55, p_7, p_8, p_9, sink, source] transitions: [ (0281b5d2-8984-475f-9fef-38bf648715db, “Customer has appointed”), (0803a375-70b2-4982-a1c7-2b69d3416a7f, “Branch is preparing”), ……)] arcs: [ (0281b5d2-8984-475f-9fef-38bf648715db, “Customer has appointed”) -> p_35, (0803a375-70b2-4982-a1c7-2b69d3416a7f, “Branch is preparing”)->……] initial marking: [“source:1”] final marking: [“sink:1”] Can you provide suggestions to improve the process model based on your domain knowledge?

.

Table 12. Process optimization analysis results from GPT 4.5.

Bottlenecks	Analysis	Suggestions
“Scanned and waiting for next day review” is repeated	“Scanned and waiting for next day review” occurs 2–4 times, which indicates that there may be review delays or redundant steps, which impede the prompt completion of business process.	OCR + real-time review can reduce repeated scanning
“Pre-review pending customer modification/supplementary information” is stuck in a loop	“pre-review pending customer modification/supplementary information” occurs in multiple cycles and loops.	AI can help identify missing information and bring up all issues at once. It can also help customers modify or submit online.
The position of “Completed and waiting for evaluation” is not unified	In some cases, “Completed and waiting for evaluation” occurs before or after “Scanned and waiting for next day review”. This means that there is a logical ambiguity or parallel problem between the evaluation process and the next-day review.	Unifies the evaluation order and provides an online evaluation channel
High customer order cancellation rate	For example, after “Pre-review pending customer modification/supplementary information”, the frequency of customer order cancellation is 166. After “Pre-review has been completed and pending processing by the branch”, the frequency of customer order cancellation is 191. After multiple loops of “Pre-review pending customer modification/supplementary information” -> “Pre-application has been submitted for review”, the customer cancels the order.	(1) Identifies and reduces non-business value nodes such as “customer order cancellation”, “Pre-review rejected”, and “On-site review failed and order withdrawn”. These states may represent abnormal termination. If they constitute an excessively high proportion in the process, it may indicate that the customer experience is poor or that the bank’s pre-review criteria are ambiguous or too strict. (2) Introduces automated review mechanisms to reduce inefficient manual review.
Frequent pre-review rejection	Pre-review rejections have occurred many times, indicating that the customer’s specific requirements may not be fully informed during the initial review or solutions may not be provided in a timely manner.	Provides information about risks in advance and recommends alternatives.

illustrates the process optimization suggestions provided by GPT 4.5.

LLMs can execute semantic reasoning and logical analysis based on process information (including process variants and Petri nets), as well as textual prompts. Despite their promising insights, LLM-generated recommendations still require validation through domain experts due to potential limitations such as domain-specific knowledge gaps and context understanding. In particular, current general-purpose LLMs lack professionalism and domain knowledge, which may result in recommendations that are linguistically plausible but misaligned with institutional policies. Additionally, LLMs may fail to fully account for implicit business logic or operational nuances that domain experts would naturally consider. This introduces a risk of over-reliance on surface-level textual associations rather than grounded process insights.

Therefore, we emphasize that LLM-generated explanations and suggestions should be treated as preliminary and supportive rather than authoritative. Their outputs should be subject to thorough expert validation prior to any operational decision-making. To strengthen the practical reliability of our findings, we conducted consultations with relevant banking professionals and business practitioners, who confirmed that the LLM-generated responses presented in this study are scientifically valid and aligned with actual business practices. Future research may address this limitation by fine-tuning LLMs on domain-specific corpora or integrating them with formal rule-based systems to ensure alignment with financial compliance standards.

4.4. Discussion

The E-Heuristic Miner algorithm’s flexibility in embedding domain-specific business rules ensures broad adaptability across diverse banking processes. Banks with varying SOPs and risk tolerance levels can readily tailor the algorithm to their specific operational contexts without compromising interpretability, thereby addressing the critical auditability and transparency requirements prevalent in the financial sector.

Although the proposed E-Heuristic Miner algorithm demonstrates promising performance in detecting process anomalies, its practical deployment within banking institutions involves several implementation challenges and regulatory considerations. Considering implementation challenges, integrating process mining tools into existing banking IT infrastructures requires consistent and structured event logs accessible across multiple departments. In practice, achieving this consistency can be hindered by data fragmentation, legacy system incompatibilities, and stringent data privacy regulations that limit the availability and sharing of operational data. From a regulatory perspective, the proposed method aligns closely with contemporary regulatory expectations, emphasizing process-level transparency and rigorous internal control frameworks, as stipulated under Basel III and other domestic supervisory guidelines. By explicitly highlighting deviations from SOPs, our method strengthens a bank’s first line of defense (operational management controls) and facilitates monitoring responsibilities assigned to the second line (compliance oversight). This clear alignment enhances the practicality and acceptability of our approach within regulated financial institutions.

However, for anomaly detection results to be effectively operationalized, they must be interpretable for compliance teams and internal auditors who typically lack specialized technical knowledge. The rule-based structure of the proposed E-Heuristic Miner naturally supports intuitive visualizations of non-compliant paths, allowing compliance personnel to quickly identify, interpret, and investigate process deviations. This visualization capability directly aids internal audit functions by prioritizing critical compliance issues for immediate follow-up. Moreover, LLMs significantly enhance the interpretability and practical usability of anomaly detection outputs; thus, anomaly detection transitions from passive reporting to active compliance and operational support, driving meaningful process improvements.

5. Conclusions

This study proposes an enhanced process mining algorithm, E-Heuristic Miner, that integrates domain-specific knowledge derived from the standard operating procedures of commercial banks to facilitate process anomaly detection. By incorporating a follow-relationship matrix derived from banking SOPs into a process mining algorithm, the E-Heuristic Miner preserves critical low-frequency behavior that traditional frequency-based miners often overlook. It explicitly flags any observed activity transitions that violate SOP-defined rules as deviation paths, thereby significantly improving the precision of anomaly detection compared with existing discovery techniques. We validated the effectiveness of the E-Heuristic Miner through empirical analysis. We utilized event logs from a commercial bank’s corporate account-opening business for analysis. The results demonstrated that the E-Heuristic Miner algorithm significantly outperforms traditional machine learning methods in detecting process deviations and process anomalies. E-Heuristic Miner effectively incorporates semantic understanding and domain knowledge and reduces compliance risks, addressing a key limitation of earlier approaches.

The practical implication of E-Heuristic Miner is its improved interpretability and accuracy in detecting compliance violations and irregular process paths for banking institutions that would otherwise remain hidden. The identified process anomalies highlight specific procedural breakdowns and inefficiencies, guiding managers and auditors to address these issues proactively and optimize process flows for better operational compliance and efficiency. In this way, the E-Heuristic Miner is a valuable tool for proactive anomaly detection and continuous improvement in real-world, compliance-driven financial service scenarios.

Moreover, this study explores the potential of LLMs for post hoc analysis and explanations of process anomalies. By coupling E-Heuristic Miner’s outputs with LLM-generated natural language analysis, we transform raw anomaly detection results into meaningful narratives and actionable recommendations. This helps stakeholders readily understand the root causes of detected anomalies and receive suggestions for remediation or process enhancement without deep technical expertise.

Our work has several limitations. First, the event logs used in this study contained basic information such as caseID, timestamps, and activities. Future research should enhance event logs by incorporating additional resource information to enable a deeper analysis of the relationship between control flows and organizational structures. Second, although combining the E-Heuristic Miner algorithm with domain knowledge enhances process anomaly detection, it still lacks the ability to model complex causal relationships and graph-based structures. Future research could integrate Graph Neural Networks (GNNs) or causal inference methods to enhance the precision and interpretability of process anomaly detection. Third, the privacy of domain knowledge restricts their extensive application within LLMs. Future research should explore the development of secure, bank-specific LLMs tailored for sensitive financial contexts.