Glossary

All terms defined as used within this textbook. Cross-references point to related glossary entries. Chapter of first introduction is noted in italics at the end of each entry.


A

Accuracy (model) The proportion of correct predictions made by a classification model out of all predictions made. In compliance contexts, accuracy alone is insufficient as a performance metric because class imbalance (e.g., very few actual fraud cases) can produce deceptively high accuracy figures even for poor models. See also: False positive rate; True positive rate; Precision-recall. Ch. 4
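Worked illustration of the class-imbalance point above, added here and not part of the textbook: two hypothetical models are scored on a constructed set of 1,000 transactions containing 10 fraud cases, and the "never alert" model wins on accuracy while catching nothing.

```python
"""Why accuracy misleads under class imbalance.

Constructed data: 1,000 transactions, 10 of them fraudulent, scored by two
hypothetical models. Label 1 = fraud / suspicious, 0 = benign."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Metrics:
    accuracy: float
    true_positive_rate: float   # recall: share of real fraud that was flagged
    false_positive_rate: float  # share of benign cases wrongly flagged
    precision: float            # share of flagged cases that were real fraud


def confusion(labels, predictions):
    """Return (TP, FP, TN, FN) for binary labels and predictions."""
    tp = sum(1 for y, p in zip(labels, predictions) if y == 1 and p == 1)
    fp = sum(1 for y, p in zip(labels, predictions) if y == 0 and p == 1)
    tn = sum(1 for y, p in zip(labels, predictions) if y == 0 and p == 0)
    fn = sum(1 for y, p in zip(labels, predictions) if y == 1 and p == 0)
    return tp, fp, tn, fn


def metrics(labels, predictions) -> Metrics:
    """Accuracy alongside the rates a compliance reviewer actually needs."""
    tp, fp, tn, fn = confusion(labels, predictions)
    total = tp + fp + tn + fn
    return Metrics(
        accuracy=(tp + tn) / total,
        true_positive_rate=tp / (tp + fn) if tp + fn else 0.0,
        false_positive_rate=fp / (fp + tn) if fp + tn else 0.0,
        precision=tp / (tp + fp) if tp + fp else 0.0,
    )


# Constructed ground truth: 990 benign transactions followed by 10 frauds.
LABELS = [0] * 990 + [1] * 10

# Model A: the degenerate "never alert" model.
NEVER_ALERT = [0] * 1000

# Model B: raises 40 false alarms on benign traffic, catches 8 of 10 frauds.
USEFUL = [1] * 40 + [0] * 950 + [1] * 8 + [0] * 2


def compare():
    """Metrics for (never-alert model, useful model) on the constructed set."""
    return metrics(LABELS, NEVER_ALERT), metrics(LABELS, USEFUL)


if __name__ == "__main__":
    for name, m in zip(("never-alert", "useful"), compare()):
        print(f"{name:12s} accuracy={m.accuracy:.3f} "
              f"TPR={m.true_positive_rate:.2f} "
              f"FPR={m.false_positive_rate:.3f} "
              f"precision={m.precision:.3f}")
```

The never-alert model scores 0.99 accuracy with a true positive rate of 0; the useful model scores lower accuracy (0.958) yet catches 80% of fraud, which is why the entry points to rates rather than accuracy.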

Adverse action notice A legally required written communication informing a consumer or business applicant that credit, insurance, employment, or another benefit has been denied, reduced, or terminated based on information in their file, and specifying the principal reasons for that decision. Under the Equal Credit Opportunity Act and Fair Credit Reporting Act, adverse action notices are mandatory and must cite up to four specific reasons. See also: Equal Credit Opportunity Act; Right to explanation; Automated decision-making. Ch. 15

Adverse media screening The automated process of searching publicly available news sources, court records, regulatory enforcement actions, and online databases to identify negative information about individuals or entities during onboarding or ongoing monitoring. Advanced systems use NLP to classify the relevance and severity of adverse media hits and reduce analyst review burden. See also: Customer due diligence; Enhanced due diligence; NLP. Ch. 10

Agent-based monitoring A surveillance architecture in which semi-autonomous software agents are deployed to observe, analyze, and report on specific segments of trading activity, workflow, or data streams without continuous human direction. Each agent can apply specialized logic to its domain, with results aggregated for holistic oversight. See also: Surveillance (trade); Monitoring (ongoing). Ch. 19

Alert fatigue The desensitization of compliance analysts to alerts when alert volumes are excessively high and the majority of alerts turn out to be false positives. Alert fatigue increases the risk that genuine suspicious activity will be missed and is a key driver of investment in AI-based alert prioritization tools. See also: False positive; Transaction monitoring; False positive rate. Ch. 7

Algorithm A defined set of rules, instructions, or statistical operations that a computer follows to accomplish a task, classify an input, or produce an output. In RegTech, algorithms range from simple rule-based thresholds to complex machine learning models. The term is often used colloquially to refer to any automated decision-making system. See also: Machine learning; Automated decision-making; Rule-based system. Ch. 4

Algorithmic accountability The principle that organizations deploying algorithmic systems for consequential decisions must be able to explain, justify, audit, and if necessary correct the outputs of those systems. Algorithmic accountability is a core concept of the EU AI Act, GDPR, and US fair lending law. See also: Explainable AI; EU AI Act; Automated decision-making. Ch. 30

Algorithmic fairness A set of mathematical and ethical criteria for evaluating whether an automated decision-making system produces outcomes that are equitable across demographic or protected groups. Multiple fairness definitions exist and can be mutually incompatible, requiring practitioners to make principled trade-off decisions. See also: Disparate impact; Equal Credit Opportunity Act; Bias (model). Ch. 29

Algorithmic trading The use of computer programs to execute trades automatically according to pre-defined strategies, parameters, or signals, without continuous human intervention at the point of order submission. MiFID II defines algorithmic trading with specific technical criteria to determine which systems require regulatory approval and ongoing controls. See also: Kill switch; Pre-trade controls; High-frequency trading; MiFID II. Ch. 21

AML (Anti-Money Laundering) The body of laws, regulations, policies, and operational procedures designed to prevent criminals from disguising the proceeds of illegal activity as legitimate funds. AML programs typically include customer due diligence, transaction monitoring, suspicious activity reporting, and record retention requirements. See also: Transaction monitoring; SAR; KYC; FATF; Money laundering. Ch. 7

Anomaly detection The identification of data points, patterns, or behaviors that deviate significantly from expected norms or baseline distributions. In compliance, anomaly detection is used to surface unusual transactions, trading patterns, or user behaviors that may indicate financial crime or market abuse. See also: Isolation Forest; Machine learning; Unsupervised learning. Ch. 4

API (Application Programming Interface) A defined set of protocols, data formats, and communication rules that allows different software applications to exchange data and invoke each other's functions. In RegTech, APIs underpin real-time data sharing, external data enrichment (e.g., sanctions list lookups), and regulator-facing reporting pipelines. See also: Open Finance; RegTech; Regulatory reporting. Ch. 4

Approved Publication Arrangement (APA) A regulated service provider authorized under MiFID II and MiFIR to publish post-trade transparency data (trade reports) on behalf of investment firms. APAs are one of three types of Data Reporting Services Providers (DRSPs) alongside ARMs and CTPs. See also: MiFID II; MiFIR; Post-trade transparency. Ch. 20

Approved Reporting Mechanism (ARM) A regulated entity authorized under MiFID II and MiFIR to submit transaction reports to competent authorities on behalf of investment firms. Investment firms that cannot submit directly to the regulator must use an ARM. See also: MiFID II; MiFIR; Regulatory reporting. Ch. 13

Artificial intelligence (AI) The broad field of computer science concerned with building systems that perform tasks normally requiring human intelligence, including reasoning, learning, pattern recognition, language understanding, and decision-making. In financial services and RegTech, AI encompasses machine learning, deep learning, NLP, and related techniques applied to compliance automation and risk management. See also: Machine learning; NLP; Deep learning; Explainable AI. Ch. 4

Audit log A sequential, time-stamped record of system events, user actions, and data changes within a software application or IT environment, designed to support post-event investigation and regulatory inquiry. Audit logs must typically be tamper-evident and retained for regulatory-specified periods. See also: Audit trail; Record retention; Data governance. Ch. 5

Audit trail The complete documented history of actions taken, decisions made, data accessed, and changes applied within a process or system, providing a verifiable reconstruction of events. Regulators require audit trails for transaction monitoring, model decisions, and supervisory approvals to demonstrate compliance with obligations. See also: Audit log; Data lineage; Record retention. Ch. 5

Automated decision-making Any process in which a decision affecting an individual or entity is made solely or substantially by algorithmic means without meaningful human judgment applied to that specific decision. GDPR Article 22 grants data subjects specific rights in relation to solely automated decisions that have legal or similarly significant effects. See also: Human-in-the-loop; Right to explanation; GDPR; Explainable AI. Ch. 34

Automation bias The tendency of human decision-makers to defer excessively or uncritically to automated system outputs, even when those outputs are incorrect or when manual review would reveal the error. Automation bias is a particular risk in compliance workflows where analysts review model-generated alerts and may rubber-stamp flagged cases. See also: Human-in-the-loop; Automated decision-making. Ch. 37


B

Back-testing The process of evaluating a model or trading strategy by applying it to historical data to assess how well it would have performed in the past. In model risk management, back-testing is a required component of validation for credit risk, market risk, and fraud detection models. See also: Model validation; Model risk management; SR 11-7. Ch. 15

Basel III/IV The suite of international capital and liquidity standards developed by the Basel Committee on Banking Supervision (BCBS) following the 2008 financial crisis. Basel III introduced higher capital requirements, a leverage ratio, and liquidity coverage requirements. Basel IV (formally, the "finalisation of Basel III") introduced the revised Standardised Approach for credit risk, the Fundamental Review of the Trading Book (FRTB), and an output floor. See also: Capital adequacy; Operational risk; Market risk; FRTB. Ch. 14

Behavioral biometrics The analysis of patterns in how users interact with devices — including typing rhythm, mouse movement, and touchscreen pressure — to authenticate identity or detect account takeover fraud without requiring explicit action from the user. See also: KYC; Fraud detection; Machine learning. Ch. 6

Beneficial ownership The natural person(s) who ultimately owns or controls a legal entity — such as a company, trust, or partnership — either directly through shareholding or indirectly through chains of ownership or control. Financial institutions are obligated to identify and verify beneficial owners as part of customer due diligence. See also: Customer due diligence; UBO registry; Corporate Transparency Act. Ch. 9

Best execution The regulatory obligation, under MiFID II and comparable frameworks, for investment firms to take all sufficient steps to obtain the best possible result for clients when executing orders, considering factors including price, costs, speed, likelihood of execution and settlement. See also: MiFID II; Transaction reporting; Pre-trade transparency. Ch. 18

Bias (model) Systematic error in model predictions that results in consistently unfair or inaccurate outcomes for specific subgroups. Bias can originate in training data (historical discrimination), feature selection (use of proxies for protected characteristics), or model design choices. Distinct from "bias" in the statistical sense of mean prediction error. See also: Algorithmic fairness; Disparate impact; Equal Credit Opportunity Act. Ch. 29

Big data Datasets characterized by volume (scale beyond traditional processing capacity), velocity (high speed of generation or required processing), variety (structured, unstructured, and semi-structured formats), and veracity (variable data quality) that require specialized architectures and tools to store, process, and analyze. In RegTech, big data underpins transaction monitoring, surveillance, and regulatory reporting at scale. See also: Data lake; Data architecture; Machine learning. Ch. 5

Black-box model A machine learning or algorithmic model whose internal reasoning process is not directly interpretable by human observers — typically referring to ensemble methods, deep neural networks, or gradient boosting models where the relationship between inputs and outputs cannot be described in simple rules. Regulators increasingly require that black-box models used in consequential decisions be accompanied by explainability tools. See also: Explainable AI; SHAP; Interpretability; XAI. Ch. 26

Blockchain A distributed ledger technology in which data is stored in linked, cryptographically secured blocks that are shared across a peer-to-peer network, making records highly resistant to alteration. In compliance, blockchain is explored for immutable audit trails, trade settlement, and Travel Rule compliance in crypto asset transfers. See also: Distributed ledger technology; Smart contract; Travel Rule; Immutability. Ch. 24

Business continuity plan (BCP) A documented framework and set of procedures for ensuring that critical business functions can continue operating — or be restored within defined timeframes — following a disruption such as a system failure, cyber attack, natural disaster, or other operational incident. Regulators require BCPs for financial institutions and, under DORA, for critical ICT third-party providers. See also: Operational resilience; DORA; Impact tolerance; Recovery time objective. Ch. 33


C

Calibration (model) The degree to which a model's predicted probability scores correspond to actual observed outcome frequencies. A well-calibrated credit risk model that assigns a 10% probability of default should observe default in approximately 10% of such cases. Poor calibration can lead to systematically biased risk decisions even when discriminatory power is adequate. See also: Model validation; Population Stability Index; Model drift. Ch. 15

Capital adequacy The requirement that financial institutions hold sufficient regulatory capital relative to their risk-weighted assets to absorb unexpected losses and protect depositors and the financial system. Capital adequacy frameworks are defined by Basel III/IV and implemented through national regulations. See also: Basel III/IV; Risk-weighted assets; Operational risk. Ch. 14

Case management The workflow and technology infrastructure used to track, investigate, assign, escalate, and resolve individual alerts, suspicious activity findings, or compliance incidents from initial identification through to closure or regulatory reporting. Case management systems integrate alert data, investigation notes, supporting documents, and audit trails. See also: SAR; Transaction monitoring; Audit trail. Ch. 11

CASS (Client Assets Sourcebook) The FCA rulebook chapter in the UK governing how investment firms must handle client money and client assets, including requirements for segregation, reconciliation, and record-keeping. CASS compliance technology manages daily reconciliations and breach identification. Ch. 2

Categorical data Data that takes on values from a defined set of categories rather than a continuous numeric range — for example, account type (savings, current, business), country of residence, or industry code. Categorical data requires specific encoding techniques before use in most machine learning models. See also: Feature engineering; Machine learning. Ch. 4

Central Bank Digital Currency (CBDC) A digital form of a country's fiat currency issued and backed directly by the central bank, as distinct from commercial bank deposits or private cryptocurrencies. CBDCs raise novel regulatory questions around privacy, financial inclusion, programmability, and AML compliance. See also: Blockchain; Digital regulation; Travel Rule. Ch. 24

Challenger model A model under active development and testing that is evaluated against an existing production ("champion") model to determine whether it produces superior performance. Challenger models are a key tool in ongoing model risk management and prevent performance stagnation. See also: Model validation; Model risk management; Model drift. Ch. 25

Change management The structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state when implementing new systems, processes, or regulatory requirements. In RegTech programs, effective change management is critical because compliance automation often displaces familiar manual workflows and requires new skills from analysts. See also: User acceptance testing; RegTech; Compliance maturity. Ch. 37

Churn prediction A machine learning application that estimates the probability that a customer will terminate their relationship with an institution within a specified future timeframe. While not primarily a compliance function, churn models are subject to fairness and model governance requirements when they influence the terms of service offered. See also: Machine learning; Algorithmic fairness. Ch. 4

Compliance-by-design The philosophy and practice of building regulatory compliance requirements directly into the architecture, processes, and technical design of products, systems, or organizations from inception, rather than adding compliance controls as an afterthought. Analogous to "privacy by design." See also: Ethics by design; Privacy by design; GDPR. Ch. 35

Compliance maturity A framework for assessing how advanced an organization's compliance capabilities are across dimensions such as process formalization, technology adoption, data quality, talent, governance, and regulatory engagement. Maturity models typically define progressive levels from ad hoc through managed, defined, measured, and optimized. See also: RegTech; Change management; Model governance. Ch. 35

Concentration risk The risk that an excessive proportion of a portfolio, counterparty exposure, or operational dependency is concentrated in a single entity, sector, geography, or infrastructure provider, amplifying potential losses or disruption from a single adverse event. In third-party risk, cloud provider concentration is a primary regulatory concern. See also: Vendor concentration risk; Operational resilience; DORA. Ch. 27

Conformity assessment The formal process under the EU AI Act by which high-risk AI systems are evaluated to determine whether they meet the mandatory requirements for accuracy, robustness, transparency, data governance, and human oversight before being placed on the market. Some high-risk systems require third-party conformity assessment. See also: EU AI Act; High-risk AI; Model documentation. Ch. 30

Consent (data) Under GDPR and comparable privacy regimes, a lawful basis for processing personal data whereby the data subject has given a clear, specific, and freely given agreement to the processing for specified purposes. In financial services, consent is often not the primary lawful basis because processing is required for legal or contractual reasons. See also: GDPR; Data minimization; Contextual integrity. Ch. 17

Contextual integrity A philosophical framework for data privacy, developed by Helen Nissenbaum, holding that information flows are appropriate when they match the norms of the social context in which information was originally shared. Applied to RegTech, it cautions against repurposing compliance-collected data for uses that violate the implicit expectations under which it was provided. See also: GDPR; Data minimization; Data portability. Ch. 17

Corporate Transparency Act (CTA) A 2021 US federal law requiring most US corporations, LLCs, and similar entities to report beneficial ownership information to FinCEN, creating a national registry aimed at combating shell-company-enabled financial crime. See also: Beneficial ownership; FinCEN; KYC. Ch. 9

Counterfactual explanation A form of model explanation that describes the smallest change to an input that would have resulted in a different model output — for example, "Your loan application was declined; if your income had been $5,000 higher, it would have been approved." Counterfactual explanations are actionable and comprehensible to non-technical stakeholders. See also: Explainable AI; SHAP; Right to explanation; Adverse action notice. Ch. 26

Credit risk The risk that a borrower or counterparty will fail to meet its contractual obligations, resulting in financial loss for the creditor. Credit risk models are used to estimate probability of default, loss given default, and exposure at default, and are subject to extensive model risk management requirements. See also: Model risk management; SR 11-7; Basel III/IV. Ch. 15

Critical Third-Party Provider (CTPP) Under the UK's operational resilience framework, a designation applied to service providers whose failure or disruption could pose systemic risk to financial stability. Designated CTPPs are subject to direct supervisory oversight by the Bank of England, PRA, and FCA. See also: ICT third-party provider; Vendor concentration risk; Operational resilience; DORA. Ch. 33

Customer due diligence (CDD) The set of identity verification, risk assessment, and ongoing monitoring procedures that financial institutions must apply to their customers under AML legislation. CDD requirements vary by customer risk profile, with simplified due diligence (SDD) for lower-risk customers and enhanced due diligence (EDD) for higher-risk customers. See also: KYC; Enhanced due diligence; Simplified due diligence; Customer risk rating. Ch. 6

Customer Identification Program (CIP) A component of AML compliance programs in the US, required by the Bank Secrecy Act and USA PATRIOT Act, specifying minimum procedures for verifying the identity of customers at account opening, including collection and verification of name, date of birth, address, and identification number. See also: KYC; Customer due diligence; AML. Ch. 6

Customer risk rating A composite score or classification assigned to a customer that reflects the institution's assessment of the likelihood that the customer may be involved in financial crime or present regulatory risk. Risk ratings drive the intensity of due diligence and monitoring applied to each customer. See also: Customer due diligence; Risk-based approach; Enhanced due diligence. Ch. 10


D

Dark pool A private trading venue or mechanism that allows large institutional investors to execute significant trades without displaying their intentions to the public market, thereby minimizing market impact. MiFID II regulates dark pools through volume caps and waiver requirements to limit their impact on price discovery. See also: Pre-trade transparency; Post-trade transparency; MiFID II. Ch. 20

Data governance The framework of policies, standards, roles, responsibilities, processes, and technologies that an organization uses to ensure that data assets are managed consistently, are of sufficient quality, are protected appropriately, and are used in compliance with legal and regulatory requirements. See also: Master data management; Data lineage; Data quality. Ch. 5

Data lake A storage architecture that holds large volumes of raw, unstructured, or semi-structured data in its native format until it is needed for analysis, contrasted with a data warehouse which stores pre-processed and structured data. Data lakes support flexible analytics but require strong data governance to prevent becoming "data swamps." See also: Big data; Data governance; Data lineage. Ch. 5

Data lineage The documented end-to-end journey of data from its origin through all transformations, movements, and uses to its final destination, enabling organizations to trace the provenance and transformations applied to any specific data element. Regulatory reporting quality requires clear data lineage to support attestation and error investigation. See also: Audit trail; Data governance; Master data management. Ch. 5

Data minimization The GDPR principle that personal data should only be collected, processed, and retained to the extent strictly necessary for the specified purpose for which it was collected. Data minimization is architecturally challenging in AML contexts, where broad data collection is often justified on financial crime prevention grounds. See also: GDPR; Contextual integrity; Data portability. Ch. 17

Data portability The right of data subjects under GDPR Article 20 to receive their personal data in a structured, commonly used, machine-readable format and to have that data transmitted directly to another controller. In open finance contexts, data portability is an enabler of switching and competition. See also: GDPR; Open Finance; API. Ch. 17

Data quality The degree to which data is accurate, complete, consistent, timely, and fit for its intended use. Poor data quality is the most common cause of regulatory reporting failures, model performance degradation, and screening false positives/negatives. See also: Data governance; Data lineage; Master data management. Ch. 5

Data residency The requirement, often imposed by national law or regulation, that certain categories of data — particularly personal data or financial data — be stored and processed within specified geographic boundaries. Cloud deployments must be designed to comply with data residency requirements across all relevant jurisdictions. See also: Cloud compliance; GDPR; Data sovereignty. Ch. 27

Data sovereignty The concept that data is subject to the laws and governance structures of the country in which it is located or from which it originates, with implications for cross-border data transfer, regulatory access, and government surveillance. See also: Data residency; GDPR; Cloud compliance. Ch. 27

Decision tree A supervised machine learning algorithm that partitions a dataset into subgroups using a series of binary rules based on feature values, producing a tree-like structure where each leaf node represents a predicted outcome. Decision trees are inherently interpretable, which makes them popular in regulated settings despite being outperformed by ensemble methods. See also: Random forest; Gradient boosting; Interpretability; Machine learning. Ch. 4

Deep learning A subfield of machine learning using neural networks with many layers (hence "deep") that can automatically learn hierarchical feature representations from raw data. Deep learning excels at unstructured data tasks such as image recognition, speech processing, and natural language understanding. In compliance, it is used in document verification, fraud detection, and communications surveillance. See also: Machine learning; NLP; Neural network. Ch. 4

DeFi (Decentralized Finance) Financial services and applications built on public blockchain infrastructure that operate through smart contracts without traditional financial intermediaries such as banks, brokers, or exchanges. DeFi presents novel AML and sanctions compliance challenges because pseudonymous users interact directly with code rather than regulated entities. See also: Blockchain; Smart contract; Travel Rule; AML. Ch. 24

Demographic parity A fairness metric requiring that a model's positive prediction rate (e.g., loan approval, low risk classification) is equal across protected demographic groups. Achieving demographic parity may conflict with other fairness criteria and with accuracy maximization. See also: Algorithmic fairness; Disparate impact; Equal Credit Opportunity Act. Ch. 29
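Worked illustration of the trade-off named in the entry above, added here and not part of the textbook: on a constructed set of scored credit applicants, a single approval threshold satisfies equal per-group true positive rates but not demographic parity, while enforcing parity through per-group approval quotas lowers accuracy and breaks the true-positive-rate equality.

```python
"""Demographic parity versus accuracy and per-group true positive rate.

Constructed data: each applicant is (protected group, model score, repaid?).
The scores and outcomes are invented for the illustration."""
from collections import defaultdict

APPLICANTS = [
    ("A", 0.90, 1), ("A", 0.85, 1), ("A", 0.80, 1), ("A", 0.75, 1), ("A", 0.70, 1),
    ("A", 0.65, 0), ("A", 0.60, 1), ("A", 0.50, 0), ("A", 0.40, 0), ("A", 0.30, 0),
    ("B", 0.80, 1), ("B", 0.70, 1), ("B", 0.65, 1), ("B", 0.55, 0), ("B", 0.50, 0),
    ("B", 0.45, 0), ("B", 0.40, 0), ("B", 0.35, 0), ("B", 0.30, 0), ("B", 0.20, 0),
]


def decide_single_threshold(applicants, threshold):
    """Approve when score >= threshold; the same rule for every group."""
    return [int(score >= threshold) for _, score, _ in applicants]


def decide_equal_rate(applicants, rate):
    """Approve the top `rate` fraction of each group separately.

    This enforces demographic parity by construction: every group gets the
    same positive prediction rate regardless of its score distribution."""
    by_group = defaultdict(list)
    for idx, (group, score, _) in enumerate(applicants):
        by_group[group].append((score, idx))
    approved = set()
    for members in by_group.values():
        members.sort(reverse=True)            # highest scores first
        k = round(rate * len(members))
        approved.update(idx for _, idx in members[:k])
    return [int(i in approved) for i in range(len(applicants))]


def positive_rates(applicants, decisions):
    """Demographic parity view: share of each group that is approved."""
    pos, n = defaultdict(int), defaultdict(int)
    for (group, _, _), d in zip(applicants, decisions):
        pos[group] += d
        n[group] += 1
    return {g: pos[g] / n[g] for g in n}


def true_positive_rates(applicants, decisions):
    """Share of actual repayers approved, per group (a second fairness view)."""
    tp, positives = defaultdict(int), defaultdict(int)
    for (group, _, repaid), d in zip(applicants, decisions):
        if repaid:
            positives[group] += 1
            tp[group] += d
    return {g: tp[g] / positives[g] for g in positives}


def accuracy(applicants, decisions):
    """Share of decisions that agree with the repayment outcome."""
    hits = sum(int(d == repaid) for (_, _, repaid), d in zip(applicants, decisions))
    return hits / len(applicants)


def parity_gap(rates):
    """Largest minus smallest positive rate; 0.0 is perfect demographic parity."""
    return max(rates.values()) - min(rates.values())


if __name__ == "__main__":
    for label, decisions in (("single threshold 0.6", decide_single_threshold(APPLICANTS, 0.6)),
                             ("equal approval rate 0.5", decide_equal_rate(APPLICANTS, 0.5))):
        rates = positive_rates(APPLICANTS, decisions)
        print(f"{label}: approval rates={rates} gap={parity_gap(rates):.2f} "
              f"TPR={true_positive_rates(APPLICANTS, decisions)} "
              f"accuracy={accuracy(APPLICANTS, decisions):.2f}")
```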

Digital operational resilience The ability of a financial entity to build, assure, and review its operational integrity and reliability by ensuring that either directly or indirectly it can withstand all types of ICT-related disruptions and threats. This concept is codified in the EU's Digital Operational Resilience Act (DORA). See also: DORA; Operational resilience; Business continuity plan; ICT risk management. Ch. 33

Digital regulation The use of technology — including machine-readable regulatory text, APIs, and automated reporting — by regulatory authorities to formalize, disseminate, and enforce regulatory requirements. Digital regulation represents a shift from text-based rules that humans must interpret to machine-executable specifications. See also: SupTech; XBRL; Policy-as-code; Regulatory reporting. Ch. 39

Disparate impact A legal theory in US anti-discrimination law whereby a facially neutral policy or practice has a disproportionately adverse effect on members of a protected class, even without discriminatory intent. Disparate impact analysis is central to fair lending review of credit models. See also: Equal Credit Opportunity Act; Algorithmic fairness; Adverse action notice. Ch. 29

Distributed ledger technology (DLT) A broad category of technologies in which a shared record of transactions or data states is maintained simultaneously across multiple nodes without a central administrator, with consensus mechanisms ensuring agreement. Blockchain is the best-known form of DLT. See also: Blockchain; Smart contract. Ch. 24

DORA (Digital Operational Resilience Act) An EU regulation (Regulation 2022/2554) that establishes a comprehensive framework for ICT risk management, incident reporting, digital operational resilience testing, and third-party ICT risk oversight for financial entities operating in the EU. DORA became fully applicable in January 2025. See also: Digital operational resilience; ICT risk management; TLPT; Critical Third-Party Provider; Operational resilience. Ch. 33

Drift (model) The degradation in model performance over time as the statistical properties of the data the model encounters in production diverge from the data on which it was trained. Drift can be caused by changes in customer behavior, market conditions, fraud patterns, or data pipeline changes. See also: Model drift; Population Stability Index; Model validation; Calibration. Ch. 25


E

ECL (Expected Credit Loss) A forward-looking measure of credit impairment required under IFRS 9 and US GAAP ASC 326, replacing the "incurred loss" model with probability-weighted estimates of credit losses over the life of a financial instrument. ECL modelling requires scenario analysis and economic forecasting inputs. See also: Credit risk; Model risk management; Basel III/IV. Ch. 15

eIDV (Electronic Identity Verification) The automated process of verifying an individual's identity using electronic data sources — such as credit bureau data, government records, biometric checks, or document optical character recognition — rather than manual inspection of physical documents. eIDV is a core component of digital KYC onboarding workflows. See also: KYC; Customer due diligence; Biometric verification. Ch. 6

Enhanced due diligence (EDD) A heightened level of customer due diligence applied to customers or relationships assessed as presenting elevated money laundering or terrorism financing risk. EDD typically includes obtaining additional information about the customer's source of funds and wealth, enhanced ongoing monitoring, and senior management approval for the relationship. See also: Customer due diligence; PEP; Customer risk rating. Ch. 10

Ensemble model A machine learning approach that combines the predictions of multiple individual models to produce a final output, typically achieving better predictive accuracy and robustness than any single constituent model. Common ensemble methods include random forests, gradient boosting, and stacking. See also: Random forest; Gradient boosting; Black-box model. Ch. 4

Entity resolution The computational process of determining whether multiple records across different datasets refer to the same real-world entity — for example, matching "J. Smith, London" with "Jonathan Smith, UK" across two databases. Entity resolution is critical for sanctions screening, beneficial ownership analysis, and KYC. See also: Fuzzy matching; Named Entity Recognition; Beneficial ownership; Sanctions screening. Ch. 8
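Worked illustration of the entry's own example ("J. Smith, London" against "Jonathan Smith, UK"), added here and not part of the textbook: records are normalised, name tokens are compared with initials and fuzzy spellings allowed, locations are reconciled at country level through a tiny constructed gazetteer, and the weighted score is bucketed into match, review, or no match. The gazetteer, weights and thresholds are assumptions for the illustration.

```python
"""Pairwise entity resolution for 'name, location' records.

Constructed gazetteer and weights; a production system would use reference
data for cities, ISO country codes and name variants."""
import re
import unicodedata
from difflib import SequenceMatcher

CITY_TO_COUNTRY = {"london": "GB", "manchester": "GB", "paris": "FR", "new york": "US"}
COUNTRY_ALIASES = {
    "gb": "GB", "uk": "GB", "united kingdom": "GB", "great britain": "GB",
    "england": "GB", "fr": "FR", "france": "FR", "us": "US", "usa": "US",
    "united states": "US",
}


def normalise(text):
    """Strip accents and punctuation, collapse whitespace, lowercase."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def parse_record(raw):
    """Split 'name, location' into name tokens and a country code (or None)."""
    name, _, location = raw.partition(",")
    tokens = normalise(name).split()
    loc = normalise(location)
    country = COUNTRY_ALIASES.get(loc) or CITY_TO_COUNTRY.get(loc)
    return tokens, country


def token_match(a, b, fuzzy_at=0.8):
    """1.0 for exact, 0.6 for an initial matching the first letter,
    the similarity ratio for close spellings, else 0.0."""
    if a == b:
        return 1.0
    if len(a) == 1 or len(b) == 1:
        return 0.6 if a[0] == b[0] else 0.0
    ratio = SequenceMatcher(None, a, b).ratio()
    return ratio if ratio >= fuzzy_at else 0.0


def match_score(record_a, record_b):
    """Weighted resemblance in [0, 1]: surname dominates, then given names,
    then whether both locations resolve to the same country."""
    tokens_a, country_a = parse_record(record_a)
    tokens_b, country_b = parse_record(record_b)
    if not tokens_a or not tokens_b:
        return 0.0
    surname = token_match(tokens_a[-1], tokens_b[-1])   # last token = surname
    given_a, given_b = tokens_a[:-1], tokens_b[:-1]
    if given_a and given_b:
        # Best pairing of each given-name token in A with some token in B.
        given = sum(max(token_match(a, b) for b in given_b) for a in given_a) / len(given_a)
    else:
        given = 0.5          # missing given name neither confirms nor contradicts
    if country_a is None or country_b is None:
        location = 0.5       # unknown location: no evidence either way
    else:
        location = 1.0 if country_a == country_b else 0.0
    return 0.6 * surname + 0.25 * given + 0.15 * location


def classify(record_a, record_b, match_at=0.8, review_at=0.6):
    """Bucket a pair for the screening workflow: match, analyst review, or no match."""
    score = match_score(record_a, record_b)
    if score >= match_at:
        return "match"
    if score >= review_at:
        return "review"
    return "no_match"


if __name__ == "__main__":
    for pair in (("J. Smith, London", "Jonathan Smith, UK"),
                 ("Jane Smith, London", "Jonathan Smith, UK"),
                 ("J. Brown, Paris", "Jonathan Smith, UK")):
        print(pair, f"{match_score(*pair):.2f}", classify(*pair))
```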

Equal Credit Opportunity Act (ECOA) A US federal law prohibiting creditors from discriminating against credit applicants on the basis of race, color, religion, national origin, sex, marital status, age, or receipt of income from public assistance. ECOA requires adverse action notices that specify the reasons for credit denial. See also: Adverse action notice; Disparate impact; Algorithmic fairness; Right to explanation. Ch. 15

Ethics by design The principle and practice of embedding ethical considerations — such as fairness, transparency, accountability, and respect for human dignity — into the design of technology systems from the outset, rather than addressing ethical issues after deployment. See also: Compliance-by-design; Privacy by design; Algorithmic fairness. Ch. 34

Explainability The quality of a model or automated system whereby its outputs can be communicated to stakeholders in terms they can understand. Explainability is distinct from interpretability: a system may be explainable through post-hoc techniques without being intrinsically interpretable. See also: Explainable AI; Interpretability; SHAP; Counterfactual explanation. Ch. 26

Explainable AI (XAI) The field of artificial intelligence concerned with developing methods and tools that allow the predictions, decisions, and behaviors of AI systems to be understood and explained by humans — including developers, compliance teams, customers, and regulators. Key XAI techniques include SHAP, LIME, and counterfactual explanations. See also: SHAP; Interpretability; Black-box model; EU AI Act; Right to explanation. Ch. 26

Extraterritoriality The application of a jurisdiction's laws or regulations to conduct, entities, or transactions that occur outside its geographic borders. Examples include OFAC sanctions applying to non-US firms that transact in US dollars, GDPR applying to organizations worldwide that process EU residents' data, and DORA applying to non-EU ICT providers serving EU financial entities. See also: GDPR; OFAC; DORA; Passporting. Ch. 2


F

Fair lending The body of US law and supervisory guidance requiring lenders to provide credit equally and without discrimination on prohibited bases. Fair lending examinations assess whether institutions' underwriting models, pricing, and servicing practices produce disparate treatment or disparate impact. See also: Equal Credit Opportunity Act; Disparate impact; Algorithmic fairness. Ch. 29

False negative A case in which a model or screening system fails to flag a genuinely suspicious or positive instance — for example, a transaction monitoring system that does not alert on a genuine money laundering transaction. In compliance contexts, false negatives represent direct regulatory and financial crime risk. See also: False positive; True positive rate; Transaction monitoring. Ch. 7

False positive A case in which a model or screening system incorrectly flags a benign instance as suspicious or positive — for example, a sanctions screening system alerting on a legitimate customer whose name resembles a sanctioned individual. High false positive rates drive alert fatigue and operational cost. See also: False negative; False positive rate; Alert fatigue; Sanctions screening. Ch. 7

False positive rate The proportion of genuinely negative (benign) cases that are incorrectly flagged by a model or screening system. A high false positive rate is the primary driver of operational burden in transaction monitoring and sanctions screening. Reducing false positives without increasing false negatives requires careful model calibration. See also: False positive; True positive rate; Calibration. Ch. 7
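Worked example (added here for illustration; not part of the textbook's glossary): the four outcome counts behind the three entries above, computed over a constructed sample of 1,000 transactions in which only 10 are laundering. Sweeping the alert threshold shows why accuracy is deceptive under class imbalance (a system that never alerts scores 99%) and why, in the text's words, lowering false positives without raising false negatives is a calibration problem: the step from a strict to a lenient threshold catches one more laundering case at the cost of 190 extra benign alerts. The scores and class sizes are constructed, not real data.

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class ConfusionCounts:
    """Outcome counts for a binary alerting system (flag / do not flag)."""
    tp: int  # suspicious and flagged
    fp: int  # benign but flagged (the analyst-burden driver)
    tn: int  # benign and not flagged
    fn: int  # suspicious but not flagged (the regulatory-risk driver)

    @property
    def accuracy(self) -> float:
        total = self.tp + self.fp + self.tn + self.fn
        return (self.tp + self.tn) / total if total else 0.0

    @property
    def false_positive_rate(self) -> float:
        # share of genuinely benign cases that were flagged
        negatives = self.fp + self.tn
        return self.fp / negatives if negatives else 0.0

    @property
    def true_positive_rate(self) -> float:
        # share of genuinely suspicious cases that were flagged (recall)
        positives = self.tp + self.fn
        return self.tp / positives if positives else 0.0

    @property
    def precision(self) -> float:
        # share of alerts that were worth an analyst's time
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 0.0


def confusion_counts(truth: Sequence[bool], flagged: Sequence[bool]) -> ConfusionCounts:
    """Tally outcomes from per-case ground truth and per-case alert decisions."""
    if len(truth) != len(flagged):
        raise ValueError("truth and flagged must be the same length")
    tp = sum(1 for t, f in zip(truth, flagged) if t and f)
    fp = sum(1 for t, f in zip(truth, flagged) if not t and f)
    tn = sum(1 for t, f in zip(truth, flagged) if not t and not f)
    fn = sum(1 for t, f in zip(truth, flagged) if t and not f)
    return ConfusionCounts(tp, fp, tn, fn)


def metrics_at_threshold(scores: Sequence[float], truth: Sequence[bool],
                         threshold: float) -> ConfusionCounts:
    """Alert on every case whose risk score meets the threshold, then tally outcomes."""
    return confusion_counts(truth, [s >= threshold for s in scores])


def build_sample() -> tuple[list[bool], list[float]]:
    """Constructed data: 990 benign transactions and 10 laundering transactions.

    Scores are deterministic stand-ins for a model's output, not real data.
    Benign scores cycle through 0.00..0.49; the laundering scores overlap the
    top of that range so that no threshold separates the classes perfectly.
    """
    benign_scores = [(i % 50) / 100 for i in range(990)]
    laundering_scores = [0.30, 0.45, 0.55, 0.60, 0.70, 0.75, 0.80, 0.85, 0.90, 0.95]
    truth = [False] * len(benign_scores) + [True] * len(laundering_scores)
    return truth, benign_scores + laundering_scores


if __name__ == "__main__":
    truth, scores = build_sample()
    for label, threshold in [("never alert", 1.01), ("strict", 0.50), ("lenient", 0.40)]:
        c = metrics_at_threshold(scores, truth, threshold)
        print(f"{label:12s} acc={c.accuracy:.3f} FPR={c.false_positive_rate:.3f} "
              f"TPR={c.true_positive_rate:.2f} FP={c.fp} FN={c.fn}")
```

Running the script prints the three rows: the never-alert baseline has 99% accuracy and misses every laundering case; the strict threshold flags 8 of 10 with no false positives; the lenient threshold flags 9 of 10 but generates 190 false positives, a false positive rate of about 19%, which is the alert-fatigue scenario described under False positive.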

FATF (Financial Action Task Force) The inter-governmental body that sets global standards for anti-money laundering, counter-terrorism financing, and counter-proliferation financing. FATF's 40 Recommendations form the basis for AML/CFT legislation in member jurisdictions. FATF also conducts mutual evaluations of member countries' compliance. See also: AML; KYC; Suspicious Activity Report; Risk-based approach. Ch. 7

Feature engineering The process of selecting, transforming, or creating input variables (features) from raw data to improve a machine learning model's predictive performance. In AML, feature engineering might include deriving transaction velocity metrics, peer group comparisons, or time-of-day patterns from raw transaction data. See also: Machine learning; Categorical data; Model validation. Ch. 4

Feature importance A measure of how much each input variable contributes to a model's predictions, either globally (across all predictions) or locally (for a specific prediction). Feature importance scores help compliance teams understand what a model is "looking at" and support explainability requirements. See also: SHAP; Explainable AI; Interpretability; Weighting (model). Ch. 26

FinCEN (Financial Crimes Enforcement Network) The US Treasury bureau responsible for administering the Bank Secrecy Act, collecting and analyzing financial intelligence, and coordinating AML enforcement with law enforcement agencies. Financial institutions file SARs and Currency Transaction Reports (CTRs) with FinCEN. See also: SAR; AML; Corporate Transparency Act. Ch. 7

FINRA (Financial Industry Regulatory Authority) A self-regulatory organization (SRO) in the US that regulates broker-dealers, exchange markets, and related securities activities. FINRA's surveillance and examination programs include trade surveillance, suitability, and AML compliance for member firms. See also: Surveillance (trade); Market surveillance; MAR. Ch. 19

Fraud detection The set of processes, models, and controls used to identify transactions, accounts, or behaviors that are likely to be fraudulent. Modern fraud detection employs supervised and unsupervised machine learning, behavioral biometrics, and real-time scoring to minimize both fraud losses and customer friction. See also: Machine learning; Anomaly detection; False positive; Transaction monitoring. Ch. 25

FRTB (Fundamental Review of the Trading Book) A Basel Committee reform (finalized 2019) that overhauled the regulatory capital requirements for banks' trading book exposures, introducing a new standardized approach and revised internal model approach with enhanced risk sensitivity and more stringent desk-level model approval requirements. See also: Basel III/IV; Market risk; Model risk management. Ch. 14

FRVT (Face Recognition Vendor Testing) The NIST program that evaluates the accuracy, bias, and performance characteristics of commercial face recognition algorithms across demographic groups. FRVT results are widely cited in regulatory discussions about the use of facial recognition in KYC and access control. See also: KYC; Algorithmic fairness; Bias (model). Ch. 6

Fuzzy matching An algorithm that identifies approximate string similarity between names, addresses, or identifiers rather than requiring exact character-for-character matches. Fuzzy matching is essential in sanctions screening because sanctioned individuals' names may be transliterated, misspelled, or abbreviated differently across data sources. See also: Sanctions screening; Entity resolution; Named Entity Recognition. Ch. 8
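Worked example (added here for illustration; not part of the textbook's glossary) covering both this entry and Entity resolution above: a name screener that tolerates the variations the two entries mention, namely initials ("J. Smith" against "Jonathan Smith"), transliteration differences ("Muhammad" against "Mohammed"), hyphenation, diacritics and gendered suffixes, using Levenshtein edit distance normalized to a 0..1 similarity. The watchlist entries, thresholds (0.75 for token and surname similarity, 0.6 as the evidence value of a matching initial) and the surname-first rule are constructed assumptions for the example, not from the book or any real list.

```python
import re
import unicodedata
from typing import Sequence

TOKEN_MIN = 0.75     # minimum similarity for two name tokens to count as a match (assumed)
SURNAME_MIN = 0.75   # surnames below this are not compared further (assumed)
INITIAL_SCORE = 0.6  # evidence value of an initial matching a full given name (assumed)

# Constructed watchlist for the example; any resemblance to real designations is accidental.
WATCHLIST = ["Jonathan Smith", "Mohammed Al-Rashid", "Ekaterina Ivanova"]


def normalize(name: str) -> list[str]:
    """Lower-case, strip diacritics, join hyphenated parts and split into tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    joined = re.sub(r"[-']", "", plain.lower())            # Al-Rashid -> alrashid
    return re.sub(r"[^a-z0-9 ]", " ", joined).split()      # other punctuation separates tokens


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def similarity(a: str, b: str) -> float:
    """Levenshtein distance rescaled so 1.0 means identical and 0.0 means nothing in common."""
    longest = max(len(a), len(b))
    return 1.0 - levenshtein(a, b) / longest if longest else 1.0


def token_score(x: str, y: str) -> float:
    """Evidence that two name tokens denote the same name part."""
    if x == y:
        return 1.0
    if len(x) == 1 or len(y) == 1:          # an initial is weaker evidence than a full match
        return INITIAL_SCORE if x[0] == y[0] else 0.0
    s = similarity(x, y)
    return s if s >= TOKEN_MIN else 0.0


def name_match_score(a: str, b: str) -> float:
    """Surname must match first; given names are then paired by best similarity."""
    ta, tb = normalize(a), normalize(b)
    if not ta or not tb:
        return 0.0
    surname = token_score(ta[-1], tb[-1])
    if surname < SURNAME_MIN:
        return 0.0
    short, long_ = (ta[:-1], tb[:-1]) if len(ta) <= len(tb) else (tb[:-1], ta[:-1])
    given = [max((token_score(s, l) for l in long_), default=0.0) for s in short]
    return (surname + sum(given)) / (1 + len(given))


def screen(customer_name: str, watchlist: Sequence[str],
           alert_threshold: float = 0.75) -> list[tuple[str, float]]:
    """Return the watchlist entries the customer name resembles, strongest first."""
    hits = [(entry, round(name_match_score(customer_name, entry), 4)) for entry in watchlist]
    return sorted([h for h in hits if h[1] >= alert_threshold], key=lambda h: -h[1])


if __name__ == "__main__":
    for candidate in ["J. Smith", "Muhammad Alrashid", "Katerina Ivanov", "John Smithson"]:
        print(f"{candidate:20s} -> {screen(candidate, WATCHLIST)}")
```

The score is the analyst's first triage signal, not a decision: "J. Smith" reaches the alert threshold only through an initial, so it is weaker evidence than the transliteration hit, and the surname-first rule is what keeps "John Smithson" from alerting against "Jonathan Smith". In a production entity-resolution pipeline the same per-token scoring would be extended with date of birth, nationality and identifiers before a record is merged or escalated.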


G

GDPR (General Data Protection Regulation) The EU's primary data protection law (Regulation 2016/679), which establishes rights for individuals over their personal data and obligations for organizations that process it, including principles of lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability. GDPR has extraterritorial reach. See also: Data minimization; Data portability; Contextual integrity; Right to explanation; Privacy by design. Ch. 17

GLEIF (Global Legal Entity Identifier Foundation) The not-for-profit organization that administers the global LEI system, overseeing the network of Local Operating Units (LOUs) that issue and maintain LEIs. GLEIF also maintains the Global LEI Index, a freely accessible database of all issued LEIs and their related reference data. See also: LEI; Regulatory reporting; MiFIR. Ch. 13

Golden source A single authoritative data store or dataset that is designated as the master reference for a specific data element, with all downstream systems expected to consume data from it to ensure consistency. Establishing golden sources for legal entity, customer, and product data is a prerequisite for accurate regulatory reporting. See also: Master data management; Data governance; Data lineage. Ch. 5

Governance (model) The framework of policies, processes, roles, and controls that an organization puts in place to oversee the entire lifecycle of its models — from development and validation through deployment, monitoring, and eventual retirement. See also: Model risk management; SR 11-7; EU AI Act; Model documentation. Ch. 26

Gradient boosting An ensemble machine learning technique that builds models sequentially, where each new model corrects the errors of its predecessors, optimizing a specified loss function in a gradient descent framework. Gradient boosting algorithms (including XGBoost and LightGBM) are frequently used in fraud detection and credit risk scoring due to their high predictive accuracy. See also: Ensemble model; Random forest; Black-box model. Ch. 4

Graph analytics The use of graph data structures and algorithms — representing entities as nodes and relationships as edges — to analyze networks of connections and detect patterns not visible in tabular data. In financial crime, graph analytics maps ownership structures, transaction networks, and communication patterns to surface complex schemes. See also: Knowledge graph; Beneficial ownership; Network analysis; Money laundering. Ch. 4


H

Hallucination (LLM) The phenomenon whereby a large language model generates plausible-sounding but factually incorrect, fabricated, or unsupported statements as if they were accurate. In RegTech, LLM hallucination poses significant risk in applications such as regulatory interpretation, SAR narrative drafting, and compliance guidance, where factual accuracy is critical. See also: LLM; NLP; Explainable AI. Ch. 23

High-frequency trading (HFT) A form of algorithmic trading characterized by extremely high order submission and cancellation rates, very short holding periods (often milliseconds), and the use of proprietary technology for low-latency market access. HFT is subject to additional regulatory obligations under MiFID II including specific organizational and testing requirements. See also: Algorithmic trading; Kill switch; Pre-trade controls; Spoofing. Ch. 21

High-risk AI A category established by the EU AI Act for AI systems used in applications where errors or biases could have serious consequences for health, safety, or fundamental rights. In financial services, high-risk AI applications include AI used in credit scoring, access to financial services, insurance, and employment decisions. Such systems must meet requirements for data governance, transparency, accuracy, human oversight, and conformity assessment. See also: EU AI Act; Explainable AI; Model documentation; Conformity assessment. Ch. 30

Human-in-the-loop A design principle requiring that a human reviewer exercises genuine judgment at one or more stages of an automated decision-making process, particularly for high-stakes or high-uncertainty outcomes. Regulators increasingly require human-in-the-loop as a safeguard against automation bias and algorithmic error in consequential decisions. See also: Automated decision-making; Automation bias; EU AI Act; Right to explanation. Ch. 34

Hypercare An intensive post-go-live support period following a system implementation, during which the implementation team provides elevated monitoring, rapid response to issues, and hands-on assistance to operational teams. Hypercare is a best practice in RegTech implementations to ensure stable transition to business-as-usual operations. See also: Change management; User acceptance testing. Ch. 36


I

ICT risk management The practices and controls an organization uses to identify, assess, monitor, and mitigate risks arising from its information and communications technology infrastructure, including hardware, software, data, and third-party services. Under DORA, EU financial entities must maintain a comprehensive ICT risk management framework. See also: DORA; Operational resilience; ICT third-party provider. Ch. 33

ICT third-party provider Any service provider that delivers ICT services to a financial entity, including cloud services, software providers, data services, and managed services. Under DORA, financial entities must conduct enhanced due diligence on, and maintain contractual controls over, ICT third-party providers, with critical providers subject to direct regulatory oversight. See also: DORA; Critical Third-Party Provider; Vendor concentration risk. Ch. 33

IFRS 9 The International Financial Reporting Standard governing the recognition, measurement, impairment, and derecognition of financial instruments. IFRS 9's expected credit loss model requires forward-looking probability-weighted impairment provisions, demanding sophisticated credit risk models and scenario analysis capabilities. See also: ECL; Credit risk; Model risk management. Ch. 15

Immutability The property of a data record or transaction whereby it cannot be altered after it has been written. Blockchain's immutability is its primary value proposition for audit trail applications, although immutability creates challenges for data subjects exercising GDPR erasure rights. See also: Blockchain; Audit trail; GDPR. Ch. 24

Impact tolerance The maximum tolerable level of disruption to a critical business service, as defined by the service's importance to customers and the wider financial system. Impact tolerances — expressed in terms of duration, volume, or customer harm — are a central concept in the Bank of England's operational resilience framework and inform business continuity and recovery planning. See also: Operational resilience; Business continuity plan; Recovery time objective. Ch. 33

Information barrier A physical, logical, or procedural control — commonly called a "Chinese wall" — that prevents the sharing of material non-public information between separate business units within a financial institution, such as the investment banking and trading desks, to prevent insider dealing. See also: Insider dealing; Surveillance (trade); MAR. Ch. 22

Insider dealing The buying or selling of financial instruments by a person who possesses material non-public information (inside information) that, if made public, would likely have a significant effect on the price of those instruments. Insider dealing is prohibited under MAR in the EU and equivalent legislation in other jurisdictions. See also: MAR; Information barrier; Surveillance (trade). Ch. 19

Interpretability The degree to which a model's internal mechanics — its parameters, logic, and decision pathways — can be directly understood by a human observer without recourse to external explanation tools. Decision trees and linear regression are intrinsically interpretable; deep neural networks are not. Distinct from, though related to, explainability. See also: Explainable AI; Black-box model; Opacity; SHAP. Ch. 26

Isolation Forest An unsupervised machine learning algorithm that detects anomalies by isolating observations through recursive random partitioning, operating on the principle that anomalous points are few and different and therefore more easily isolated. Isolation Forest is used in transaction monitoring and fraud detection for anomaly identification without requiring labeled training data. See also: Anomaly detection; Unsupervised learning; Machine learning. Ch. 4


J

JMLSG (Joint Money Laundering Steering Group) A UK industry body that produces detailed guidance on AML and counter-terrorism financing compliance for the financial services sector, developed with regulatory input. JMLSG guidance is widely used by UK financial institutions as an authoritative interpretation of regulatory obligations. See also: AML; Risk-based approach; Customer due diligence. Ch. 7

Joint probability The probability that two or more events occur simultaneously or in combination. In fraud scoring and behavioral analytics, joint probability assessments combine signals that are individually weak — such as an unusual transaction amount, unusual time, and unusual location — to produce a composite risk score. See also: Machine learning; Fraud detection. Ch. 4
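Worked example (added here for illustration; not part of the textbook's glossary): combining the three individually weak signals named in the entry into one posterior fraud probability. The combination treats the signals as conditionally independent given the class (the naive Bayes assumption) and works in log-odds, so each signal contributes its likelihood ratio and the prior fraud rate anchors the result. The base rate of 0.2% and the per-signal hit rates are constructed assumptions, not figures from the book.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    """A binary risk signal with how often it fires for fraud vs. legitimate activity."""
    name: str
    p_given_fraud: float   # P(signal present | fraud)
    p_given_legit: float   # P(signal present | legitimate)

    def likelihood_ratio(self, present: bool) -> float:
        # A present signal raises the odds by p_given_fraud / p_given_legit;
        # an absent signal lowers them by the ratio of the complements.
        if present:
            return self.p_given_fraud / self.p_given_legit
        return (1 - self.p_given_fraud) / (1 - self.p_given_legit)


# Constructed parameters for the example (assumed, not real calibration figures).
PRIOR_FRAUD_RATE = 0.002
SIGNALS = [
    Signal("unusual_amount", p_given_fraud=0.60, p_given_legit=0.05),    # LR 12 when present
    Signal("unusual_time", p_given_fraud=0.50, p_given_legit=0.10),      # LR 5
    Signal("unusual_location", p_given_fraud=0.40, p_given_legit=0.02),  # LR 20
]


def fraud_posterior(prior_fraud_rate: float, signals: list[Signal],
                    observed: dict[str, bool]) -> float:
    """P(fraud | all signals) under conditional independence, accumulated in log-odds.

    Signals missing from `observed` are treated as absent, which still moves the
    odds (downward), because "nothing unusual" is itself evidence.
    """
    if not 0.0 < prior_fraud_rate < 1.0:
        raise ValueError("prior must be strictly between 0 and 1")
    log_odds = math.log(prior_fraud_rate / (1 - prior_fraud_rate))
    for sig in signals:
        log_odds += math.log(sig.likelihood_ratio(observed.get(sig.name, False)))
    return 1 / (1 + math.exp(-log_odds))


if __name__ == "__main__":
    cases = {
        "nothing unusual": {},
        "amount only": {"unusual_amount": True},
        "amount + time": {"unusual_amount": True, "unusual_time": True},
        "all three": {"unusual_amount": True, "unusual_time": True, "unusual_location": True},
    }
    for label, observed in cases.items():
        print(f"{label:16s} P(fraud) = {fraud_posterior(PRIOR_FRAUD_RATE, SIGNALS, observed):.4f}")
```

With these parameters the strongest single signal alone leaves the posterior below 1%, while all three together lift it to roughly 70%, which is the "individually weak, jointly strong" effect the entry describes. The independence assumption is the usual caveat: correlated signals (an unusual location often implies an unusual time) overstate the joint evidence, which is one reason supervised models that learn the interactions are preferred where labelled fraud data exist.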


K

Kill switch A mechanism that immediately halts the operation of an algorithmic trading system in an automated or operator-triggered fashion when predefined risk thresholds are breached or abnormal behavior is detected. MiFID II requires investment firms and trading venues to have effective kill switches that can be activated quickly. See also: Algorithmic trading; Pre-trade controls; High-frequency trading. Ch. 21

KYC (Know Your Customer) The set of processes, controls, and technologies that financial institutions use to verify the identity of their customers, assess their risk profile, and maintain up-to-date knowledge of who they are doing business with. KYC is a foundational obligation under AML legislation worldwide and encompasses customer identification, due diligence, and ongoing monitoring. See also: Customer due diligence; AML; Enhanced due diligence; eIDV; Beneficial ownership. Ch. 6

KYC orchestration A technology architecture that sequences, manages, and integrates the multiple verification and data enrichment steps in a KYC process — including identity document verification, database checks, sanctions screening, and PEP screening — through a centralized workflow engine. See also: KYC; API; RegTech. Ch. 6

Knowledge graph A structured knowledge base that represents entities, their attributes, and the relationships between them in a graph format, enabling complex multi-hop queries and inference. In beneficial ownership and AML investigations, knowledge graphs connect entities across disparate data sources to surface hidden networks and control relationships. See also: Graph analytics; Beneficial ownership; Network analysis. Ch. 9


L

Layering (money laundering) The second stage of the money laundering process, in which the proceeds of crime are moved through a complex series of financial transactions designed to obscure the audit trail and distance the funds from their illegal origin. Layering typically involves multiple transfers, currency conversions, and jurisdictions. See also: Money laundering; Smurfing; Transaction monitoring. Ch. 7

LEI (Legal Entity Identifier) A 20-character alphanumeric code that uniquely identifies legal entities participating in financial transactions globally. LEIs are required in regulatory reporting under MiFIR, EMIR, and other regimes, enabling regulators to aggregate exposures and activity across entities. See also: GLEIF; MiFIR; Regulatory reporting. Ch. 13

LIME (Local Interpretable Model-agnostic Explanations) A post-hoc explainability technique that explains individual predictions of any classifier by approximating the model's local behavior with a simpler interpretable model (such as a linear regression) around the specific input. LIME is an alternative to SHAP for generating per-prediction explanations. See also: SHAP; Explainable AI; Counterfactual explanation; Black-box model. Ch. 26

Liveness detection A biometric anti-spoofing technique that determines whether a biometric sample (such as a facial image or fingerprint) is being provided by a live human present at the point of verification, rather than a photograph, video replay, or synthetic representation. Liveness detection is critical for remote KYC to prevent identity fraud. See also: KYC; eIDV; Deep learning. Ch. 6

LLM (Large Language Model) A machine learning model trained on massive text corpora using self-supervised objectives, capable of generating, summarizing, translating, classifying, and reasoning over natural language text. LLMs such as GPT-4 are being applied in RegTech for regulatory text analysis, horizon scanning, SAR narrative drafting, and compliance Q&A. See also: NLP; Hallucination; NER; Transfer learning. Ch. 23

Log (audit) See Audit log. Ch. 5



M

Machine learning A branch of artificial intelligence in which systems learn patterns from data to make predictions or decisions without being explicitly programmed for each specific task. Machine learning encompasses supervised, unsupervised, and reinforcement learning approaches and is foundational to modern RegTech applications in AML, fraud detection, credit risk, and surveillance. See also: Artificial intelligence; Deep learning; Supervised learning; Unsupervised learning. Ch. 4

MAR (Market Abuse Regulation) EU Regulation 596/2014 that prohibits insider dealing, market manipulation, and unlawful disclosure of inside information, and requires firms to implement market abuse detection and reporting obligations including Suspicious Transaction and Order Reports (STORs). See also: Insider dealing; Market manipulation; Surveillance (trade); STOR. Ch. 19

Market manipulation Conduct that artificially influences the price, volume, or supply and demand of a financial instrument through deceptive practices such as spoofing, layering, ramping, painting the tape, or disseminating false information. Market manipulation is prohibited under MAR and equivalent legislation, with technology-enabled detection essential at modern trading speeds. See also: MAR; Spoofing; Layering (trading); Surveillance (trade). Ch. 19

Master data management (MDM) The set of processes, governance, policies, and technologies used to ensure that an organization maintains a single, authoritative, accurate, and consistent version of key business data entities — such as customer, counterparty, product, and account records. MDM is a prerequisite for accurate regulatory reporting and KYC data quality. See also: Golden source; Data governance; Data lineage. Ch. 5

MiFID II (Markets in Financial Instruments Directive II) The EU regulatory framework (Directive 2014/65/EU) governing investment services and activities, trading venues, and market infrastructure. MiFID II introduces requirements for best execution, transaction reporting, product governance, algorithmic trading controls, pre- and post-trade transparency, and investor protection. See also: MiFIR; Best execution; Algorithmic trading; Pre-trade transparency; Post-trade transparency. Ch. 18

MiFIR (Markets in Financial Instruments Regulation) The EU regulation (Regulation 600/2014) accompanying MiFID II that establishes the specific rules for pre- and post-trade transparency, transaction reporting, and the trading obligation for derivatives. Unlike MiFID II, which is a directive requiring national implementation, MiFIR is directly applicable across the EU. See also: MiFID II; Transaction reporting; LEI; Regulatory reporting. Ch. 18

Model documentation The written record describing a model's purpose, scope, theoretical basis, data inputs, development process, assumptions, limitations, validation results, and performance monitoring approach. Comprehensive model documentation is required by SR 11-7 and forms the basis of review by validators, auditors, and regulators. See also: Model risk management; SR 11-7; EU AI Act; Model validation. Ch. 15

Model drift The gradual decline in a deployed model's performance or the change in the statistical distribution of its inputs over time, caused by evolving patterns in the underlying phenomena the model was trained to detect. See also: Drift (model); Calibration; Population Stability Index; Model validation. Ch. 25

Model governance See Governance (model). Ch. 26

Model risk management (MRM) The framework for identifying, assessing, mitigating, and monitoring the risks arising from the use of quantitative models to make decisions, including risks of model error, model misuse, and model limitations being misunderstood. SR 11-7 is the primary US guidance document for MRM in banking. See also: SR 11-7; Model validation; Model documentation; Model drift. Ch. 15

Model validation The set of processes and activities that provide an independent, objective assessment of whether a model is conceptually sound, fit for purpose, and performing as intended. Validation includes conceptual review, outcome analysis, benchmarking, sensitivity testing, and review of documentation. See also: Model risk management; SR 11-7; Back-testing; Model documentation. Ch. 15

Money laundering The process by which proceeds of criminal activity are disguised to appear as legitimately obtained funds, typically involving three stages: placement (introducing criminal proceeds into the financial system), layering (obscuring the trail through complex transactions), and integration (merging cleaned funds into legitimate commerce). See also: AML; Layering; Smurfing; Transaction monitoring; SAR. Ch. 7

Monitoring (ongoing) The continuous or periodic review of customer relationships, transactions, and behaviors to identify changes in risk profile, suspicious activity, or compliance breaches after initial onboarding. Ongoing monitoring is a regulatory obligation under AML frameworks and includes both automated transaction monitoring and periodic customer reviews. See also: Transaction monitoring; KYC; Customer risk rating; AML. Ch. 6

Multi-cloud strategy The use of services from two or more cloud providers to avoid dependency on a single vendor, improve resilience, optimize cost, and maintain regulatory compliance where data residency requirements prevent exclusive use of one provider. See also: Cloud compliance; Vendor concentration risk; Operational resilience. Ch. 27


N

Named Entity Recognition (NER) An NLP technique that identifies and classifies named entities — such as people, organizations, locations, financial instruments, and dates — in unstructured text. In RegTech, NER is used to extract entities from adverse media, regulatory documents, sanction lists, and SAR narratives. See also: NLP; LLM; Adverse media screening; Sanctions screening. Ch. 23

Natural language processing (NLP) The branch of artificial intelligence concerned with enabling computers to understand, interpret, generate, and work with human language. In RegTech, NLP is applied to regulatory text analysis, adverse media screening, SAR narrative generation, communications surveillance, and obligation extraction from legislation. See also: LLM; NER; Machine learning; Named Entity Recognition. Ch. 4

Network analysis The application of graph theory and statistical methods to identify patterns, clusters, anomalies, and influential nodes within networks of interconnected entities. In financial crime, network analysis uncovers transaction structuring patterns, corporate ownership webs, and coordination among accounts. See also: Graph analytics; Knowledge graph; Anomaly detection. Ch. 9

Neural network A machine learning model inspired by the structure of biological neural systems, consisting of layers of interconnected nodes (neurons) that process input data through weighted connections and activation functions. Deep neural networks with many layers are the foundation of deep learning. See also: Deep learning; Machine learning; Black-box model. Ch. 4

NIS2 Directive The EU's Network and Information Security Directive (2022/2555), which replaces the original NIS Directive and broadens its scope to include more sectors and entities, increases security and reporting obligations, and strengthens supervisory enforcement. Financial services entities subject to DORA are largely exempted from NIS2 obligations that overlap with DORA. See also: DORA; Cybersecurity; Operational resilience. Ch. 33

NIST CSF (Cybersecurity Framework) The voluntary framework developed by the US National Institute of Standards and Technology that provides a set of standards, guidelines, and best practices for managing cybersecurity risk, organized around five functions: Identify, Protect, Detect, Respond, and Recover. Widely adopted in financial services as a reference architecture. See also: Operational resilience; DORA; ICT risk management. Ch. 33

No-action letter A formal statement by a regulatory agency that it will not take enforcement action against a specific entity or activity under described circumstances. In the US, no-action letters from the SEC, CFTC, and other agencies provide regulatory certainty for innovative products or processes and are a de facto innovation policy tool. See also: Regulatory sandbox; Digital regulation; SupTech. Ch. 31


O

Obligation extraction The NLP task of automatically identifying and extracting specific legal or regulatory obligations — typically expressed as "must," "shall," or "required" — from the text of regulations, directives, or policies and mapping them to internal controls. See also: NLP; LLM; Digital regulation; Regulatory horizon scanning. Ch. 23

OFAC (Office of Foreign Assets Control) The US Treasury bureau that administers and enforces economic and trade sanctions programs based on US foreign policy and national security goals. OFAC designates sanctioned individuals and entities, maintains the SDN (Specially Designated Nationals) list, and can levy substantial civil and criminal penalties for sanctions violations. See also: Sanctions screening; Watchlist; Real-time screening; Extraterritoriality. Ch. 8

Opacity (algorithmic) The characteristic of an algorithmic system whose internal workings, decision criteria, or reasoning cannot be examined, understood, or explained by affected parties, regulators, or the public. Opacity creates accountability and fairness risks, and is addressed through XAI requirements and model documentation standards. See also: Explainable AI; Black-box model; Interpretability. Ch. 34

Open Finance An extension of open banking principles to a broader set of financial products and data — including investments, pensions, insurance, and mortgages — allowing customers to share data with authorized third parties through standardized APIs to enable personalized services and easier switching. See also: API; Open Banking; Data portability; GDPR. Ch. 28

Operational resilience The ability of a firm to prevent, adapt to, respond to, recover from, and learn from disruptions that could affect the critical services it provides to customers and the financial system. The UK PRA and FCA's operational resilience framework requires firms to identify critical business services, set impact tolerances, and demonstrate that they can remain within those tolerances. See also: Business continuity plan; Impact tolerance; DORA; Recovery time objective. Ch. 33

Operational risk The risk of loss resulting from inadequate or failed internal processes, people, systems, or from external events. Basel II/III established operational risk as a distinct pillar of the capital framework and requires banks to hold capital against it. Technology risk, cyber risk, and fraud are subcategories. See also: Basel III/IV; ICT risk management; Business continuity plan. Ch. 12

Over-fitting The condition in which a machine learning model has learned the specific patterns and noise in its training dataset so well that it performs poorly on new, unseen data. Over-fitted models have low training error but high generalization error and fail in production. See also: Machine learning; Model validation; Drift (model). Ch. 4


P

Passporting The EU/EEA mechanism allowing a financial firm authorized in one member state to provide services and establish branches across other member states without needing separate authorization in each, based on the single market principle of mutual recognition. Brexit terminated UK firms' passporting rights into the EU. See also: Extraterritoriality; Digital regulation. Ch. 2

PEP (Politically Exposed Person) An individual who holds or has held a prominent public position — such as a head of state, government minister, senior military officer, or senior executive of a state-owned enterprise — and whose position may make them susceptible to corruption or misuse of public funds. PEPs and their close associates are subject to enhanced due diligence under AML legislation. See also: Enhanced due diligence; Customer risk rating; Customer due diligence. Ch. 10

Placement (money laundering) The first stage of money laundering, in which criminal proceeds are physically introduced into the financial system — for example, by depositing cash, purchasing financial instruments, or converting funds to cryptocurrency. Placement is typically the most vulnerable stage from a detection perspective. See also: Money laundering; Layering; AML. Ch. 7

Policy-as-code The representation of regulatory rules or compliance requirements in machine-executable format, enabling automated compliance checking, direct regulatory reporting, and machine-to-machine communication between regulated entities and regulatory systems. Policy-as-code is the vision underpinning digital regulatory reporting initiatives. See also: Digital regulation; SupTech; XBRL; Regulatory reporting. Ch. 39

Population Stability Index (PSI) A statistical measure of the shift in the distribution of a model's input features or output scores between two time periods or populations, used to detect model drift. A PSI above a defined threshold triggers model review or recalibration. See also: Model drift; Calibration; Model validation. Ch. 15
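A worked computation of the PSI described above, added here as an example (not code from the textbook): scores from a baseline population and a later population are bucketed into score bands, and the PSI is the sum over bands of (A_i - E_i) * ln(A_i / E_i). The score data and the 0.10 / 0.25 review thresholds are constructed assumptions for illustration, not values the glossary or any regulator prescribes.

```python
import math

# Constructed sample: integer model scores (0-99 points) for a baseline population
# captured at model build time and for the same model one year later.
BASELINE_SCORES = list(range(100))                       # spread evenly across all bands
CURRENT_SCORES = [min(s + 30, 99) for s in range(100)]   # population has drifted upward

SCORE_BAND_EDGES = [20, 40, 60, 80]   # five bands: <20, 20-39, 40-59, 60-79, 80+


def band_fractions(scores, edges):
    """Fraction of scores that fall into each band defined by ascending edges."""
    counts = [0] * (len(edges) + 1)
    for s in scores:
        counts[sum(1 for e in edges if s >= e)] += 1
    return [c / len(scores) for c in counts]


def population_stability_index(expected, actual, edges, eps=1e-4):
    """PSI = sum_i (A_i - E_i) * ln(A_i / E_i) across score bands.

    expected: scores of the reference (baseline/training) population, giving E_i
    actual:   scores of the population being monitored, giving A_i
    eps floors an empty band so the logarithm stays finite; an empty band is
    itself strong evidence of a shift and contributes a large term.
    """
    psi = 0.0
    for e, a in zip(band_fractions(expected, edges), band_fractions(actual, edges)):
        e, a = max(e, eps), max(a, eps)
        psi += (a - e) * math.log(a / e)
    return psi


def drift_verdict(psi):
    """Rule-of-thumb bands used by many model monitoring teams (an assumption here,
    not a regulatory standard): <0.10 stable, 0.10-0.25 investigate, >0.25 recalibrate."""
    if psi < 0.10:
        return "stable"
    if psi < 0.25:
        return "review"
    return "recalibrate"


if __name__ == "__main__":
    psi = population_stability_index(BASELINE_SCORES, CURRENT_SCORES, SCORE_BAND_EDGES)
    print(f"PSI = {psi:.3f} -> {drift_verdict(psi)}")
```

On the constructed data the lowest band empties out and the top band doubles, so the PSI lands well above 0.25 and the model would be sent for review. In production the same function is run on input features as well as on output scores, since a feature can drift before the score distribution visibly moves.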

Post-trade transparency The regulatory requirement for immediate or near-real-time public disclosure of the details of executed trades — including price, volume, and instrument — enabling market participants to assess fair pricing. Under MiFID II/MiFIR, post-trade transparency rules apply to equity and non-equity instruments traded on regulated venues. See also: MiFID II; MiFIR; Pre-trade transparency; APA. Ch. 20

Pre-trade controls Risk management checks applied to orders before they are submitted to a trading venue, designed to prevent erroneous orders, fat-finger errors, and breaches of market or position limits. MiFID II requires firms engaged in algorithmic trading to have pre-trade controls that operate at the order and firm level. See also: Algorithmic trading; Kill switch; MiFID II. Ch. 21

Pre-trade transparency The requirement for trading venues and systematic internalisers to publicly display bid and offer prices before trades are executed, enabling investors to assess available liquidity and pricing. Under MiFID II/MiFIR, pre-trade transparency rules apply to equity and non-equity instruments, with a limited set of waivers for qualifying orders. See also: MiFID II; MiFIR; Post-trade transparency; Dark pool. Ch. 20

Privacy by design The principle — originally articulated by Ann Cavoukian and embedded in GDPR — that privacy protections should be built into the design and architecture of information systems from the outset, not added as an afterthought. Privacy by design requires default privacy settings, end-to-end security, and respect for user privacy throughout the data lifecycle. See also: GDPR; Compliance-by-design; Ethics by design. Ch. 17

Proliferation financing The provision of funds or financial services to support the development, acquisition, or transfer of weapons of mass destruction. Combating proliferation financing is the third pillar of the FATF framework, alongside AML and counter-terrorism financing. See also: FATF; AML; Sanctions screening. Ch. 7

Proportionality principle The regulatory principle that compliance obligations and supervisory expectations should be calibrated to the nature, scale, and complexity of an organization, so that smaller or simpler entities are not subjected to disproportionate compliance burdens relative to the risks they pose. Proportionality is a foundational principle of the EU AI Act and DORA. See also: Risk-based approach; RegTech; Change management. Ch. 2

Prudential regulation A category of financial regulation focused on ensuring the safety and soundness of individual financial institutions to protect depositors, policyholders, and the financial system, primarily through capital, liquidity, and risk management requirements. Contrasted with conduct regulation, which focuses on how firms treat customers. See also: Basel III/IV; Operational resilience; Capital adequacy. Ch. 2


R

Random forest An ensemble machine learning algorithm that builds multiple decision trees using random subsets of training data and features, with final predictions determined by averaging (for regression) or majority vote (for classification) across trees. Random forests are widely used in fraud detection and credit risk due to their robustness and resistance to over-fitting. See also: Decision tree; Ensemble model; Gradient boosting. Ch. 4

Real-time screening The process of checking a transaction, customer, or counterparty against watchlists, sanctions lists, or other risk databases at the moment of the event (e.g., at payment initiation) rather than in overnight batch runs, enabling the blocking of prohibited transactions before they are processed. See also: Sanctions screening; Watchlist; OFAC. Ch. 8

Record retention The regulatory requirement to retain specified records — including transaction records, communications, customer files, and compliance documentation — for defined minimum periods and to make them available to regulators on request. Retention periods vary by regulation and jurisdiction, ranging from 5 to 10 years in most financial services contexts. See also: Audit trail; Data governance; GDPR. Ch. 5

Recovery time objective (RTO) The maximum acceptable period within which a business function or IT system must be restored following a disruption, as defined in a business continuity plan. RTOs drive infrastructure investment decisions and form part of operational resilience impact tolerance assessments. See also: Business continuity plan; Operational resilience; Impact tolerance. Ch. 33

RegTech (Regulatory Technology) Technology applied to the challenge of complying with financial regulation more effectively, efficiently, and accurately. RegTech encompasses solutions for KYC/AML, regulatory reporting, risk management, compliance monitoring, and regulatory horizon scanning. See also: SupTech; Compliance maturity; Digital regulation. Ch. 1

Regulatory horizon scanning The process of systematically monitoring, identifying, and assessing upcoming regulatory changes — including consultations, proposed rules, and legislative developments — to enable organizations to plan and implement compliance changes proactively. NLP tools are increasingly used to automate horizon scanning from regulatory publications. See also: NLP; LLM; Digital regulation; Change management. Ch. 23

Regulatory reporting The structured disclosure of specified data by regulated entities to supervisory authorities, covering areas such as capital adequacy, liquidity, large exposures, transactions, and misconduct. Regulatory reporting is a major operational and technology cost for financial institutions, driving significant RegTech investment. See also: XBRL; MiFIR; LEI; Golden source; Data lineage. Ch. 13

Regulatory sandbox A controlled environment established by a regulatory authority that allows innovators to test new products, services, or business models under a relaxed regulatory regime and active supervisory engagement, without full authorization requirements applying immediately. Sandboxes provide regulatory certainty for innovators while enabling regulators to learn about new technologies. See also: RegTech; SupTech; No-action letter. Ch. 31

Risk appetite The amount and type of risk that an organization is willing to accept in pursuit of its strategic objectives, as formally defined and communicated by the board and senior management. In compliance, risk appetite statements define the tolerance for regulatory breaches, financial crime incidents, and technology failures. See also: Operational risk; Model risk management. Ch. 35

Risk-based approach The regulatory principle that compliance resources, due diligence intensity, and monitoring should be proportionate to the level of money laundering, terrorism financing, or other risk posed by different customers, products, geographies, and channels. The risk-based approach is the cornerstone of FATF's standards and modern AML frameworks. See also: Customer risk rating; Customer due diligence; Enhanced due diligence; FATF. Ch. 7

Robotic Process Automation (RPA) Software technology that automates repetitive, rules-based digital tasks — such as data entry, report extraction, and file transfers — by mimicking user interactions with applications at the interface level, without requiring integration with underlying systems. RPA is widely used to automate manual compliance workflows. See also: Automation; RegTech; Change management. Ch. 4

Right to explanation The principle — referenced in GDPR Recital 71 and Article 22 — that individuals subject to solely automated decisions that significantly affect them have the right to obtain an explanation of the logic involved and to contest the decision. The precise legal scope of this right is debated, but it has driven significant XAI investment. See also: Automated decision-making; Explainable AI; Adverse action notice; GDPR. Ch. 17

RTS (Regulatory Technical Standards) Legally binding technical specifications issued by European Supervisory Authorities (EBA, ESMA, EIOPA) pursuant to mandates in EU legislation, providing detailed rules for implementing directive or regulation requirements. RTS undergo public consultation and are adopted as Commission delegated regulations. See also: MiFID II; DORA; GDPR; Regulatory reporting. Ch. 2


S

SAR (Suspicious Activity Report) A mandatory report filed by financial institutions with the relevant national financial intelligence unit (e.g., FinCEN in the US, NCA in the UK) when they know, suspect, or have reasonable grounds to suspect that a customer has engaged in money laundering, terrorism financing, or other specified offenses. Filing a SAR is subject to strict confidentiality requirements to prevent tipping off. See also: Tipping off; AML; Case management; FinCEN. Ch. 11

Sanctions screening The process of checking customer names, entities, and transactions against lists of sanctioned individuals, organizations, vessels, and countries maintained by bodies such as OFAC, the EU, UN, and UK OFSI. Screening uses fuzzy matching algorithms because names on sanction lists and in customer records may not match exactly. See also: OFAC; Watchlist; Fuzzy matching; Real-time screening; False positive. Ch. 8
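The fuzzy name matching that the entry above refers to, shown as an added example (not code from the textbook or from any screening vendor): names are normalized (case and accent folding, punctuation removed, tokens sorted so "SURNAME, Forename" and "Forename Surname" compare equal), then scored with a length-normalized Levenshtein edit distance against each listed name. The watchlist entries, customer names and the 0.85 threshold are constructed for illustration; real lists are far larger and real systems add phonetic and token-level matching on top of this.

```python
import re
import unicodedata

# Constructed watchlist of fictional names; not taken from any real sanctions list.
WATCHLIST = [
    "EXAMPLETON, Jonathan",
    "Sample Trading Holdings Ltd.",
    "Placeholder Shipping Co",
]


def normalize_name(name):
    """Fold accents and case, drop punctuation, and sort tokens so word order is irrelevant."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower())
    return " ".join(sorted(tokens))


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) using a two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or keep if equal)
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical normalized names, falling towards 0.0 as edits accumulate."""
    na, nb = normalize_name(a), normalize_name(b)
    longest = max(len(na), len(nb)) or 1
    return 1.0 - levenshtein(na, nb) / longest


def screen(name, watchlist=WATCHLIST, threshold=0.85):
    """Return (listed_name, score) pairs at or above the threshold, best match first.

    An empty list means no hit; anything returned goes to an analyst for review,
    which is why the threshold directly controls the false positive rate.
    """
    hits = [(listed, similarity(name, listed)) for listed in watchlist]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


if __name__ == "__main__":
    for customer in ["Jonathon Exampleton", "Sample Trading Holdings Limited", "Unrelated Bakery"]:
        print(customer, "->", screen(customer))
```

A spelling variant ("Jonathon" for "Jonathan") and an abbreviation difference ("Limited" for "Ltd.") both clear the threshold, while an unrelated name returns no hit. Edit distance alone misses cases such as an initial in place of a forename, so the example shows the mechanism of fuzzy matching rather than a complete screening engine.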

Scenario analysis A forward-looking risk assessment method that evaluates the potential impact of defined plausible adverse events or conditions on an institution's financial position, operational resilience, or compliance status. Scenario analysis is required for operational risk capital under Basel III/IV, stress testing, and DORA operational resilience assessments. See also: Stress testing; Operational risk; Basel III/IV. Ch. 16

Sensitivity analysis An examination of how changes in individual model inputs or assumptions affect model outputs, used to identify key drivers of results and test the robustness of model estimates. Distinct from scenario analysis, sensitivity analysis typically varies one factor at a time. See also: Scenario analysis; Model validation; Stress testing. Ch. 16

SHAP (SHapley Additive exPlanations) A unified framework for model interpretability based on game-theoretic Shapley values that assigns each input feature a contribution score for each individual prediction, enabling both global (average across all predictions) and local (single prediction) explanations. SHAP is the leading XAI technique for tabular data models. See also: Explainable AI; Feature importance; Waterfall (SHAP); LIME; Counterfactual explanation. Ch. 26

Shared responsibility model The framework used by cloud providers to delineate which security, compliance, and operational responsibilities are managed by the cloud provider and which remain with the customer. Regulated entities must understand the boundary to ensure their compliance obligations are fully covered. See also: Cloud compliance; ICT third-party provider; DORA. Ch. 27

Simplified due diligence (SDD) A reduced level of customer due diligence that may be applied to customers presenting very low money laundering risk, such as regulated financial institutions, listed companies, or government bodies, in accordance with a risk-based approach. SDD typically involves reduced verification requirements and less frequent reviews. See also: Customer due diligence; Risk-based approach; Enhanced due diligence. Ch. 10

Smart contract A self-executing piece of code deployed on a blockchain that automatically enforces the terms of an agreement when predefined conditions are met, without requiring human intermediation. Smart contracts are explored for compliance automation, including automated regulatory reporting, covenant enforcement, and Travel Rule compliance. See also: Blockchain; DeFi; Travel Rule. Ch. 24

Smurfing A money laundering technique in which large sums of cash are divided into smaller amounts — typically below reporting thresholds — and deposited into multiple bank accounts by multiple individuals ("smurfs") to avoid transaction reporting requirements. Also known as structuring. See also: Money laundering; Layering; Transaction monitoring. Ch. 7

Spoofing A manipulative trading practice in which a trader places large orders with the intent of canceling them before execution, creating a false impression of supply or demand to influence prices and profit from the movement. Spoofing is prohibited under MAR in the EU and the Dodd-Frank Act in the US, and is a primary focus of algorithmic trade surveillance. See also: Market manipulation; MAR; Layering (trading); Surveillance (trade). Ch. 22

SR 11-7 The Federal Reserve's Supervisory Letter 11-7, "Guidance on Model Risk Management" (2011), which established the foundational US framework for model risk management in banking institutions, covering model development, implementation, validation, governance, and ongoing monitoring. SR 11-7 is referenced throughout supervisory examinations and forms the backbone of MRM programs at US-regulated banks. See also: Model risk management; Model validation; Model documentation. Ch. 15

STOR (Suspicious Transaction and Order Report) The report that investment firms and market participants are required to file with their national competent authority under MAR when they reasonably suspect that a transaction or order involves insider dealing, market manipulation, or attempted market abuse. STORs are distinct from SARs, which are filed under AML legislation. See also: MAR; SAR; Surveillance (trade). Ch. 19

Stress testing A quantitative analysis technique that evaluates an institution's financial resilience under severe but plausible adverse scenarios, including economic downturns, market crashes, and operational disruptions. Regulatory stress tests (e.g., DFAST, EBA stress tests) assess whether institutions maintain adequate capital under prescribed adverse conditions. See also: Scenario analysis; Sensitivity analysis; Basel III/IV; Credit risk. Ch. 16

Structuring See Smurfing. Ch. 7

Supervised learning A machine learning paradigm in which a model is trained on a labeled dataset of input-output pairs, learning to predict the output label for new inputs. Supervised learning is used for credit scoring, fraud detection, and transaction monitoring alert prioritization. See also: Machine learning; Unsupervised learning; Feature engineering. Ch. 4

SupTech (Supervisory Technology) The application of technology by regulatory and supervisory authorities to enhance their monitoring, supervision, analysis, and enforcement capabilities. SupTech encompasses regulatory data analytics platforms, machine-readable reporting systems, natural language processing for document review, and AI-based examination tools. See also: RegTech; Digital regulation; Policy-as-code. Ch. 3

Surveillance (trade) The ongoing monitoring and analysis of trading activity, order flow, and communications to detect potential market abuse, including insider dealing, market manipulation, spoofing, and front-running. Trade surveillance systems employ both rules-based detection and machine learning pattern recognition. See also: MAR; Spoofing; Market manipulation; Layering (trading); Agent-based monitoring. Ch. 19

Synthetic data Artificial data generated by algorithms to replicate the statistical properties of real datasets without containing actual personal or sensitive information. In RegTech, synthetic data is used for model training and testing when real training data is limited, sensitive, or subject to sharing restrictions, and for stress testing scenario data. See also: Machine learning; Model validation; Privacy by design. Ch. 25

Systematic Internaliser (SI) An investment firm that, on an organized, frequent, systematic, and substantial basis, deals on its own account by executing client orders outside a regulated market, MTF, or OTF. Under MiFID II, SIs have transparency and non-discrimination obligations. See also: MiFID II; Pre-trade transparency; Post-trade transparency. Ch. 20


T

Target Operating Model (TOM) A blueprint describing the desired future state of an organization's people, processes, technology, and governance structures to achieve its strategic objectives. RegTech program design typically begins with a TOM that defines the desired state of compliance operations and the role of technology within it. See also: Change management; RegTech; Compliance maturity. Ch. 35

Third line of defence In the three lines of defence model, the internal audit function, which provides independent assurance to the board and senior management that first-line (business) and second-line (risk and compliance) controls are appropriately designed and operating effectively. See also: Model risk management; Governance (model). Ch. 35

Three lines of defence A governance model widely used in financial services that assigns risk management responsibilities to three distinct organizational layers: the first line (business operations) owns and manages risks; the second line (risk, compliance, and legal functions) sets policy, oversees risk management, and provides challenge; and the third line (internal audit) provides independent assurance. See also: Model risk management; Data governance; Operational risk. Ch. 35

Tipping off The criminal offense of disclosing to a person who is or was the subject of a suspicious activity report that such a report has been made, or that an investigation is underway. Financial institutions are prohibited from tipping off suspects and must train staff carefully to avoid inadvertent disclosure. See also: SAR; AML; Case management. Ch. 11

TLPT (Threat-Led Penetration Testing) Advanced, intelligence-led cybersecurity testing in which red teams simulate the tactics, techniques, and procedures of realistic threat actors to test an organization's critical systems and defenses. Under DORA, financial entities above certain size and systemic importance thresholds must conduct TLPT at least every three years. See also: DORA; ICT risk management; Operational resilience. Ch. 33

Transaction monitoring The automated or semi-automated process of reviewing financial transactions to detect patterns, behaviors, or individual transactions that may indicate money laundering, terrorist financing, fraud, or other financial crime. Transaction monitoring is a core AML obligation and is a major focus of RegTech investment. See also: AML; False positive; Alert fatigue; SAR; Case management. Ch. 7

Transaction reporting The submission of data about financial transactions to regulatory authorities for oversight and surveillance purposes. Under MiFIR, investment firms must report transactions in financial instruments to their national competent authority using defined fields and formats. Distinct from post-trade transparency (public disclosure). See also: MiFIR; LEI; Regulatory reporting; ARM. Ch. 13

Transfer learning A machine learning technique in which a model pre-trained on a large general dataset (such as a large language model trained on internet text) is adapted to a specific downstream task using a smaller domain-specific dataset. Transfer learning dramatically reduces the data and compute requirements for specialized applications, enabling high-performance compliance NLP models with limited regulatory training data. See also: LLM; NLP; Machine learning. Ch. 23

Travel Rule The FATF Recommendation 16 requirement that financial institutions and, increasingly, virtual asset service providers (VASPs) must transmit identifying information about the originator and beneficiary of transfers above a defined threshold (typically USD/EUR 1,000) to the next financial institution in the transaction chain. See also: FATF; AML; Blockchain; Crypto compliance. Ch. 24

True positive rate The proportion of genuinely positive (suspicious, fraudulent, or problematic) cases that are correctly identified by a model or screening system. Also known as sensitivity or recall. A high true positive rate is essential for compliance effectiveness, and must be balanced against the false positive rate. See also: False positive rate; False negative; Precision-recall. Ch. 7
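A worked illustration of the true positive rate and the trade-off it has to be balanced against, added here as an example rather than taken from the textbook. The constructed dataset has 1,000 transactions of which 10 are genuinely suspicious; a model that never alerts scores 99% accuracy yet has a true positive rate of zero, while a model that catches 8 of the 10 at the cost of 50 false alerts has lower accuracy but is the one that actually works. Model names and counts are assumptions for the example.

```python
# Constructed sample: 1,000 transactions, the first 10 labelled genuinely suspicious (1% prevalence).
N_TRANSACTIONS = 1000
LABELS = [1 if i < 10 else 0 for i in range(N_TRANSACTIONS)]

# Model A never raises an alert.
PREDS_NEVER_ALERT = [0] * N_TRANSACTIONS
# Model B alerts on 8 of the 10 suspicious cases and wrongly on 50 legitimate ones.
PREDS_MODEL_B = [1 if (i < 8 or 10 <= i < 60) else 0 for i in range(N_TRANSACTIONS)]


def confusion_counts(labels, preds):
    """Count true/false positives and negatives from parallel label and prediction lists."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for y, p in zip(labels, preds):
        if p == 1:
            counts["tp" if y == 1 else "fp"] += 1
        else:
            counts["fn" if y == 1 else "tn"] += 1
    return counts


def rates(counts):
    """Derive accuracy, true positive rate (recall), false positive rate and precision.

    Denominators can be zero on tiny or degenerate samples, so each rate falls back to 0.0.
    """
    tp, fp, tn, fn = counts["tp"], counts["fp"], counts["tn"], counts["fn"]
    total = tp + fp + tn + fn
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "tpr": tp / (tp + fn) if tp + fn else 0.0,          # share of real cases caught
        "fpr": fp / (fp + tn) if fp + tn else 0.0,          # share of clean cases wrongly flagged
        "precision": tp / (tp + fp) if tp + fp else 0.0,    # share of alerts that were real
        "alerts": tp + fp,                                  # analyst workload generated
    }


def evaluate(labels, preds):
    return rates(confusion_counts(labels, preds))


if __name__ == "__main__":
    for name, preds in [("never alert", PREDS_NEVER_ALERT), ("model B", PREDS_MODEL_B)]:
        r = evaluate(LABELS, preds)
        print(f"{name:12s} accuracy={r['accuracy']:.3f} tpr={r['tpr']:.2f} "
              f"fpr={r['fpr']:.3f} precision={r['precision']:.3f} alerts={r['alerts']}")
```

The "alerts" figure is the quantity compliance teams feel most directly: raising the true positive rate further by lowering the alert threshold would push it, and the false positive rate, upward, so the threshold is a deliberate choice between missed cases and analyst capacity.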


U

UBO (Ultimate Beneficial Owner) The natural person who is the ultimate owner or controller of a legal entity, at the end of a chain of ownership or control. Identifying the UBO is the core obligation of beneficial ownership due diligence requirements. See also: Beneficial ownership; Customer due diligence; KYC; Corporate Transparency Act. Ch. 9

UBO registry A centralized national or regional database that records the beneficial ownership information of legal entities, making it accessible to financial institutions, regulatory authorities, and (in some jurisdictions) the public. The EU's 4th and 5th AML Directives required member states to establish UBO registries. See also: Beneficial ownership; UBO; GLEIF. Ch. 9

Unexplainability The condition in which an automated decision-making system cannot provide a comprehensible account of its reasoning, whether due to technical complexity, proprietary constraints, or fundamental opacity. Unexplainability is a regulatory and ethical problem in high-stakes compliance and credit decisions. See also: Explainable AI; Black-box model; Opacity; Right to explanation. Ch. 34

Universal ownership The concept that large institutional investors, by virtue of owning diversified portfolios across virtually the entire economy, have a financial interest in the health of the overall economic system — not just individual securities — creating incentives to engage with systemic risks such as climate change and financial instability. See also: Algorithmic fairness; Virtue ethics. Ch. 34

Unsupervised learning A machine learning paradigm in which models identify patterns, clusters, or structures in unlabeled data without predefined output categories. In compliance, unsupervised learning is used for anomaly detection, customer segmentation, and discovering novel transaction patterns not captured by existing typologies. See also: Machine learning; Supervised learning; Anomaly detection; Isolation Forest. Ch. 4

User acceptance testing (UAT) The final phase of software testing in which end users verify that a system meets their requirements and is fit for operational use before go-live. In RegTech implementations, UAT is critical because compliance teams must confirm that systems are detecting the right risk signals, producing correct reports, and supporting regulatory obligations accurately. See also: Change management; Hypercare; Model validation. Ch. 36


V

Validation (model) See Model validation. Ch. 15

Value at Risk (VaR) A statistical measure of the potential loss on a portfolio over a defined time horizon at a specified confidence level, widely used in market risk measurement and regulatory capital calculation. Limitations of VaR under stressed conditions contributed to its partial replacement by Expected Shortfall (ES) under Basel III. See also: Basel III/IV; Market risk; Stress testing. Ch. 14

Vendor concentration risk The risk arising from an organization's reliance on a small number of — or in the extreme case, a single — external vendors for critical services or infrastructure, such that the failure of one vendor could cause systemic operational disruption. Regulators have highlighted cloud provider concentration as a systemic financial stability risk. See also: Concentration risk; ICT third-party provider; Critical Third-Party Provider; Operational resilience. Ch. 27

Vendor due diligence The structured process of assessing a prospective or existing technology vendor's financial stability, security posture, regulatory standing, business continuity capabilities, and contractual protections before engagement or as part of ongoing oversight. DORA and operational resilience frameworks require documented vendor due diligence for ICT third-party providers. See also: ICT third-party provider; Vendor concentration risk; DORA. Ch. 36

Virtue ethics An ethical framework — originating with Aristotle — that focuses on the character and motivations of the moral agent rather than rules or consequences. Applied to RegTech and automated decision-making, virtue ethics asks what a person (or organization) of good character would build and how they would deploy algorithmic systems. See also: Ethics by design; Algorithmic fairness. Ch. 34


W

Watchlist A database or list of individuals, entities, vessels, or countries that are subject to sanctions, restrictions, enforcement actions, or elevated due diligence requirements. Watchlists include OFAC's SDN list, EU consolidated sanctions list, UN sanctions list, PEP databases, and adverse media databases. Screening against watchlists is a core KYC and AML obligation. See also: Sanctions screening; OFAC; Fuzzy matching; Real-time screening; PEP. Ch. 8

Waterfall (SHAP) A type of SHAP visualization that displays, for a single prediction, the contribution of each feature to the movement of the model output from the expected base value to the final prediction, showing which features pushed the prediction higher and which pushed it lower. Waterfall charts are a key tool for communicating individual model decisions to compliance staff and customers. See also: SHAP; Explainable AI; Feature importance. Ch. 26

Weighting (model) The numerical parameters assigned to input features within a model that determine the relative influence of each feature on the model's output. In logistic regression, feature weights are explicit and directly interpretable; in neural networks and ensemble models, the concept of individual feature weights is more diffuse. See also: Feature importance; SHAP; Machine learning. Ch. 4


X

XBRL (eXtensible Business Reporting Language) A global open standard for digital business reporting that allows financial and non-financial data to be tagged with machine-readable labels according to standardized taxonomies, enabling automated extraction, validation, and analysis by regulators and data consumers. XBRL is used in regulatory reporting frameworks including the EBA's COREP/FINREP, SEC filings, and ESMA reporting. See also: Regulatory reporting; Digital regulation; LEI; SupTech. Ch. 13

XAI (Explainable Artificial Intelligence) See Explainable AI. Ch. 26

XGBoost An open-source, optimized gradient boosting library widely used in RegTech, fraud detection, and credit risk modelling for its high predictive performance, speed, and handling of missing values. XGBoost models require XAI techniques such as SHAP to provide explanations for individual predictions. See also: Gradient boosting; SHAP; Black-box model; Machine learning. Ch. 4


Z

Zero-day vulnerability A software security flaw that is unknown to the vendor and for which no patch exists at the time of discovery, giving attackers potential access to systems before defenses can be updated. Financial institutions and RegTech vendors must have vulnerability disclosure and rapid response processes to manage zero-day risks within ICT risk management frameworks. See also: ICT risk management; DORA; Operational resilience. Ch. 33


This glossary covers 220+ terms as used throughout the textbook. Definitions reflect the specific usage within a financial services and RegTech context; some terms carry different meanings in other disciplines. Where regulatory definitions are authoritative, those definitions are followed. For abbreviations and acronyms, see the corresponding full-entry definition. All cross-references are to other entries within this glossary.