Chapter 7 Exercises
AML Transaction Monitoring: Rules-Based vs. AI-Driven Approaches
Exercise 7.1: Money Laundering Stage Classification
Difficulty: Introductory
For each of the following transaction patterns, identify which stage of money laundering it most likely represents (placement, layering, or integration) and briefly explain your reasoning.
a) A customer makes four cash deposits of $9,500 each on consecutive days at different branches of the same bank
b) A company purchases a $2.4 million commercial property using funds wired from three different overseas corporate accounts, then immediately leases the property to a legitimate tenant
c) A customer wires $180,000 to a currency exchange service in Cyprus, which converts it to Euros and wires it to a shell company in Luxembourg, which then purchases bearer bonds
d) A previously unemployed customer deposits $450,000 in cash over three months
e) A real estate investment company, funded through a series of wire transfers from multiple overseas sources, begins operating legitimately and distributing dividends
Exercise 7.2: Scenario Design
Difficulty: Introductory-Intermediate
Design an AML monitoring scenario (in the format used in Section 7.3) for each of the following suspicious typologies. Specify: (1) the triggering conditions, (2) the parameters that would need to be tuned, and (3) the customer populations most likely to generate false positives for this scenario.
a) Trade-based money laundering: A customer imports goods from a high-risk jurisdiction, paying amounts significantly inconsistent with the declared value of goods
b) Casino-related layering: A customer makes large cash deposits immediately following transactions with a casino or gambling establishment
c) Real estate layering: A customer makes a large wire transfer to a law firm or title company followed by receipt of a similar amount from the same entity within a short period
Exercise 7.3: False Positive Analysis
Difficulty: Intermediate
The following table shows the results of three threshold settings for a "high-value cash deposit" scenario tested against 6 months of historical data:
| Threshold | Total Alerts | True Positives | False Positives | Missed Genuine |
|---|---|---|---|---|
| $5,000 | 1,240 | 18 | 1,222 | 0 |
| $10,000 | 380 | 16 | 364 | 2 |
| $15,000 | 95 | 11 | 84 | 7 |
a) Calculate the false positive rate, precision, and recall for each threshold setting.
b) If an analyst can review 30 alerts per day and the scenario runs weekly, how many analyst-hours per week does each threshold require?
c) The institution has 2 full-time analysts and a weekly alert budget of 40 alerts per analyst (accounting for other scenarios). Which threshold is operationally feasible?
d) The compliance officer notes that the 7 "missed genuine" cases at the $15,000 threshold represent 7 potential SARs that would not have been filed. What is the regulatory risk of this gap compared to the operational cost of the $10,000 threshold?
e) Design a customer segmentation approach that would allow the institution to use the $15,000 threshold for low-risk customer segments while maintaining the $10,000 threshold for high-risk segments.
Exercise 7.4: Alert Review Documentation
Difficulty: Intermediate
You are an AML analyst reviewing the following alert:
Alert ID: TM-2024-08847
Alert Generated: 14 August 2024, 09:32
Account: Business checking — Horizon Construction LLC
Triggered By: Rapid In-and-Out scenario (Inbound > $50,000 in 5 days, Outbound > 90% within 7 days)
Triggering Transactions:
- 09 Aug: Inbound wire $67,500 from "Desert Sky Contractors LLC"
- 09 Aug: Inbound wire $31,200 from "Mesa Property Group Inc"
- 11 Aug: Outbound check $45,000 to "Ruiz Lumber Supply"
- 11 Aug: Outbound check $23,000 to "Southwest Concrete Co"
- 12 Aug: Outbound wire $28,000 to "Vasquez Equipment Rentals"
Customer Profile: Horizon Construction LLC, Arizona registered LLC, 3 years account history. Business purpose: general contractor. Average monthly inbound: $120,000. Sanctions screening: clear. PEP check: clear. No prior SARs on this account.
a) What additional information would you seek before making a disposition decision?
b) Based on the information available, what are the most likely explanations for this activity (both legitimate and suspicious)?
c) Write a sample alert disposition memo for this case as if you were closing it as legitimate activity, following the documentation requirements described in Section 7.7.
d) What would change your assessment to require SAR escalation?
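The Rapid In-and-Out trigger quoted in the alert, evaluated over the alert's five listed transactions. This is an added example, not code from the chapter: the names `Txn`, `ALERT_TXNS` and `rapid_in_and_out` are hypothetical, the year 2024 is taken from the alert's generation date, and the window semantics (both windows open on an inbound date, strict thresholds) are an assumption, since Section 7.3 is not reproduced here.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    day: date
    direction: str      # "in" or "out"
    amount: int         # whole US dollars
    counterparty: str


# The five triggering transactions listed in alert TM-2024-08847.
ALERT_TXNS = [
    Txn(date(2024, 8, 9), "in", 67_500, "Desert Sky Contractors LLC"),
    Txn(date(2024, 8, 9), "in", 31_200, "Mesa Property Group Inc"),
    Txn(date(2024, 8, 11), "out", 45_000, "Ruiz Lumber Supply"),
    Txn(date(2024, 8, 11), "out", 23_000, "Southwest Concrete Co"),
    Txn(date(2024, 8, 12), "out", 28_000, "Vasquez Equipment Rentals"),
]


def rapid_in_and_out(txns, inbound_min=50_000, inbound_days=5,
                     outbound_ratio=0.90, outbound_days=7):
    """Return one hit per inbound date whose windows satisfy both conditions.

    Assumed semantics: both windows open on an inbound date, and both
    thresholds are strict (">"), as written in the alert text.
    """
    hits = []
    for start in sorted({t.day for t in txns if t.direction == "in"}):
        in_end = start + timedelta(days=inbound_days)
        out_end = start + timedelta(days=outbound_days)
        inbound = sum(t.amount for t in txns
                      if t.direction == "in" and start <= t.day < in_end)
        if inbound <= inbound_min:
            continue  # first condition not met, no need to look at outflows
        outbound = sum(t.amount for t in txns
                       if t.direction == "out" and start <= t.day < out_end)
        ratio = outbound / inbound
        if ratio > outbound_ratio:
            hits.append({"window_start": start, "inbound": inbound,
                         "outbound": outbound, "ratio": round(ratio, 4)})
    return hits


if __name__ == "__main__":
    print(rapid_in_and_out(ALERT_TXNS))        # full alert: one hit
    print(rapid_in_and_out(ALERT_TXNS[:-1]))   # without the 12 Aug wire: no hit
```

The rule fires only once the 12 August wire pushes outflows past 90% of the $98,700 received, which shows how sensitive the scenario is to the ratio parameter.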
Coding Exercise 7.5: Alert Backlog Analysis
Difficulty: Coding — Beginner
Write a Python function analyze_alert_backlog(alerts: list[dict]) -> dict that takes a list of alert records and returns key backlog metrics.
Each alert record contains:
{
    "alert_id": str,
    "generated_date": str,        # ISO format: "2024-08-14"
    "reviewed_date": str | None,  # None if not yet reviewed
    "disposition": str | None,    # "closed", "escalated", "sar_filed", or None
    "analyst_id": str | None,
    "scenario": str
}
Your function should return:
{
    "total_alerts": int,
    "reviewed_alerts": int,
    "pending_alerts": int,
    "average_review_time_days": float,  # for reviewed alerts
    "oldest_pending_age_days": int,
    "sar_conversion_rate": float,       # SARs filed / reviewed alerts
    "false_positive_rate": float,       # closed / reviewed alerts
    "by_scenario": dict                 # {scenario_name: {"count": int, "reviewed": int, "sar_rate": float}}
}
Use datetime.date.today() as the reference date for unreviewed alert age calculations.
Include test data with at least 20 alerts across 3 scenarios, including some unreviewed alerts.
Coding Exercise 7.6: Scenario Threshold Optimizer
Difficulty: Coding — Intermediate
Extend the analyze_rapid_movement_scenario function from Section 7.3 to add a scoring function that helps identify the "optimal" threshold combination given a compliance officer's stated priorities.
The optimization function should:
1. Accept a priority_weight parameter (0.0 to 1.0) where 0.0 means "minimize false positives entirely" and 1.0 means "maximize recall entirely"
2. Test all combinations of thresholds from the find_optimal_threshold function
3. For each combination, calculate a weighted score: score = (priority_weight * recall) + ((1 - priority_weight) * (1 - false_positive_rate))
4. Return the top 5 combinations ranked by this score
Test your function with priority_weight = 0.3 (compliance conservative — prioritize low false positives) and priority_weight = 0.7 (detection focused — prioritize catching suspicious activity). Compare the results and discuss the operational implications.
Applied Exercise 7.7: Program Design — Capacity Planning
Difficulty: Applied
The compliance director at a community bank is designing a new AML transaction monitoring program. The bank processes an average of 4,200 transactions per day across 12,000 customer accounts. Current monitoring system data suggests the following:
- Proposed scenario library: 8 scenarios
- Expected alert rate: 0.8% of transactions per week (weekly batch monitoring)
- Expected false positive rate: 92%
- Expected analyst review time: 25 minutes per alert
- Available compliance analyst capacity: 2 FTE analysts, each working 40 hours/week
- Analyst time allocated to transaction monitoring: 60% of total hours (remainder for other AML tasks)
a) Calculate the expected weekly alert volume.
b) Calculate the weekly analyst capacity (in hours) available for alert review.
c) How many alerts can the analyst team review per week given the time estimate?
d) Is the current analyst capacity sufficient? If not, what is the shortfall?
e) The director is evaluating an ML triage tool that promises to reduce the false positive rate from 92% to 75% by auto-closing low-risk alerts before human review. Assuming alert volume stays the same, how does this change the calculation?
f) What additional metrics would you collect in the first 90 days of operation to validate these projections?
Research Exercise 7.8: Regulatory Expectations for ML in AML
Difficulty: Research-required
The use of ML in AML transaction monitoring is increasingly common, but regulatory expectations are still evolving.
Research the following and write a 500-word summary:
a) What guidance have US regulators (FinCEN, OCC, FDIC, Federal Reserve) provided on the use of AI/ML in AML programs? (Hint: Look for the December 2018 joint statement on AI/ML in AML and the December 2021 Joint Statement on Artificial Intelligence.)
b) How do FCA expectations (UK) regarding AML systems and controls address the use of automated monitoring?
c) What is the Wolfsberg Group's position on AI/ML in financial crime compliance?
d) Based on your research, what are the three most important governance requirements a financial institution should implement when deploying ML in an AML monitoring program?