Key Takeaways

Chapter 7: AML Transaction Monitoring: Rules-Based vs. AI-Driven Approaches


Core Concept

AML transaction monitoring is the mechanism by which financial institutions systematically review financial transactions to identify suspicious activity warranting SAR filing. Its central operational challenge is the false positive problem: alert volumes far exceed the capacity for thorough human review.


Essential Points

1. The Three Stages of Money Laundering Frame Detection Strategy
  • Placement: Introducing criminal proceeds into the financial system — the highest-risk moment for launderers, most visible to monitoring systems
  • Layering: Obscuring the money trail through complex transaction sequences across jurisdictions and instruments
  • Integration: Reintroducing laundered funds into the legitimate economy in apparently legitimate form
  • Transaction monitoring is most effective at detecting placement and layering patterns; integration is harder to catch through transaction monitoring alone

2. Rules-Based Systems: Transparent but Limited
  • A scenario is a combination of rules defining a suspicious pattern: conditions applied to transaction data that, when met, generate an alert
  • Rules are transparent, auditable, and directly linked to regulatory typologies — valuable for regulatory examination
  • The tuning challenge is fundamental: every threshold decision trades off false positives against missed genuine suspicion
  • Parameters must be recalibrated as customer populations and transaction patterns evolve — a 2020 calibration may be wrong by 2024
  • Rules cannot detect patterns their designers did not anticipate: unknown typologies, novel layering techniques, emergent criminal methods

3. ML Systems: Sophisticated but Requiring Governance
  • ML produces a risk score (0.0–1.0) rather than a binary flag — enabling risk-weighted alert prioritization rather than flat alert queues
  • ML can detect complex, non-linear combinations of features that no individual rule could express
  • Critical requirement: training data quality. A model trained on confirmed SAR cases learns what past suspicious activity looked like — not necessarily what future suspicious activity will look like
  • ML requires attention to explainability: regulators need to understand why alerts were generated. SHAP values and similar techniques address this
  • Class imbalance is the norm in AML data: genuine suspicious activity is rare, making precision/recall optimization challenging

4. Hybrid Architecture: The Practical Solution
  • Most sophisticated programs use a layered approach:
      • Rules-based layer: known typologies, regulatory-required scenarios (structuring, CTR-adjacent patterns)
      • ML layer: novel patterns, risk scoring, alert prioritization
      • Priority-weighted queue: highest-risk alerts reviewed first regardless of detection method
  • Hybrid architecture provides regulatory transparency (rules layer) while benefiting from ML sophistication (scoring layer)
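The layered design of points 2 to 4 (a rules scenario, a scoring model with per-feature explanations, and a priority-weighted queue), written out as an added Python example; it is not code from the chapter or from any vendor. Every parameter is an assumption: the structuring scenario's window and floors, the reporting threshold constant, the hand-set logistic weights that stand in for a trained model, the customer-risk multipliers, and the three sample customers.

```python
"""Hybrid AML alert pipeline: rules layer, scoring layer, priority-weighted queue.
Added illustration: every threshold, weight, risk rating and transaction below is a
constructed assumption, not a calibrated production parameter."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import exp, log


@dataclass(frozen=True)
class Txn:
    customer: str
    ts: datetime
    amount: float
    cash: bool
    cross_border: bool


@dataclass
class Alert:
    customer: str
    source: str            # layer that produced the alert
    score: float           # 1.0 for a rule hit, model probability for the scoring layer
    explanation: dict      # rule parameters, or per-feature contributions for the model
    priority: float = 0.0  # set when the alert is placed in the queue


CTR_THRESHOLD = 10_000.0   # assumed reporting threshold the structuring scenario keys off


def structuring_scenario(txns, customer_risk, min_count=3, window=timedelta(days=7)):
    """Rules layer: at least min_count sub-threshold cash deposits inside a rolling window.
    The amount floor is segment-dependent: high-risk customers (KYC rating) get a lower
    floor, so identical deposits alert for them and stay silent for a low-risk customer."""
    by_customer = defaultdict(list)
    for t in txns:
        if t.cash and t.amount < CTR_THRESHOLD:
            by_customer[t.customer].append(t)
    alerts = []
    for cust, deposits in by_customer.items():
        floor = 5_000.0 if customer_risk.get(cust) == "high" else 8_000.0   # assumed floors
        deps = sorted((d for d in deposits if d.amount >= floor), key=lambda d: d.ts)
        for i, first in enumerate(deps):
            in_window = [d for d in deps[i:] if d.ts - first.ts <= window]
            if len(in_window) >= min_count:
                alerts.append(Alert(cust, "rule:structuring", 1.0, {
                    "deposits_in_window": len(in_window), "window_days": window.days,
                    "total": sum(d.amount for d in in_window), "floor": floor}))
                break  # one alert per customer per scenario run
    return alerts


# Scoring layer: logistic model over customer-level features. The weights stand in for a
# trained model (assumed values). For a linear model each term w_i * (x_i - mean_i) is the
# exact SHAP contribution, which is what the analyst sees as the alert explanation.
WEIGHTS = {"cash_share": 2.0, "cross_border_share": 1.5,
           "near_threshold_share": 2.5, "log_txn_count": 0.8}
BASELINE = {"cash_share": 0.2, "cross_border_share": 0.1,
            "near_threshold_share": 0.05, "log_txn_count": 1.0}   # assumed population means
INTERCEPT = -2.5


def features(txns):
    n = len(txns)
    return {"cash_share": sum(t.cash for t in txns) / n,
            "cross_border_share": sum(t.cross_border for t in txns) / n,
            "near_threshold_share":
                sum(0.8 * CTR_THRESHOLD <= t.amount < CTR_THRESHOLD for t in txns) / n,
            "log_txn_count": log(n)}


def scoring_layer(txns, threshold=0.5):
    """Score every customer; alert when the probability clears the (assumed) threshold."""
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer].append(t)
    alerts = []
    for cust, ts in by_customer.items():
        x = features(ts)
        logit = INTERCEPT + sum(WEIGHTS[k] * x[k] for k in WEIGHTS)
        p = 1.0 / (1.0 + exp(-logit))
        if p >= threshold:
            contrib = {k: round(WEIGHTS[k] * (x[k] - BASELINE[k]), 3) for k in WEIGHTS}
            alerts.append(Alert(cust, "ml:logistic", round(p, 4), contrib))
    return alerts


RISK_MULTIPLIER = {"high": 1.0, "medium": 0.8, "low": 0.6}   # assumed


def priority_queue(txns, customer_risk):
    """Merge both layers into one queue, highest priority first, regardless of which
    layer produced the alert. Priority = detection score x customer-risk multiplier."""
    alerts = structuring_scenario(txns, customer_risk) + scoring_layer(txns)
    for a in alerts:
        a.priority = round(a.score * RISK_MULTIPLIER[customer_risk.get(a.customer, "low")], 4)
    return sorted(alerts, key=lambda a: a.priority, reverse=True)


# Constructed sample: A structures cash (rule and model both fire), B moves money
# cross-border in a pattern no scenario covers (model only), C is an ordinary customer.
T0 = datetime(2024, 1, 1)
SAMPLE_TXNS = (
    [Txn("A", T0 + timedelta(days=i), 9_500.0, cash=True, cross_border=False) for i in range(3)]
    + [Txn("B", T0 + timedelta(days=i), 4_000.0, cash=False, cross_border=True) for i in range(6)]
    + [Txn("C", T0 + timedelta(days=i), 500.0, cash=False, cross_border=False) for i in range(5)]
)
SAMPLE_RISK = {"A": "high", "B": "low", "C": "low"}

if __name__ == "__main__":
    for a in priority_queue(SAMPLE_TXNS, SAMPLE_RISK):
        print(f"{a.priority:.3f}  {a.customer}  {a.source}  {a.explanation}")
```

Running it yields three alerts: A's rule hit at the top of the queue (fully explainable by its parameters), A's model score just below it with the per-feature contributions, and B's model-only alert last because a low-risk customer's score is down-weighted. Customer C, who is clean, generates nothing. Lowering the low-risk floor to A's level or raising the model threshold shows the tuning trade-off from point 2 directly: each change moves alerts in or out of the queue.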

5. The False Positive Problem Is a Compliance Risk
  • False positive rates of 90–98% are common in rule-based programs — meaning most analyst time is spent on legitimate transactions
  • High false positive rates create their own compliance risk: analysts overwhelmed by false positives review each alert less carefully, increasing the probability of missing genuine suspicious activity
  • False positive reduction strategies: customer segmentation, threshold tuning, ML-enhanced triage, negative news pre-filtering

6. Alert Review Workflow Is As Important As Detection Technology
  • The human review process — how analysts investigate, document, and disposition alerts — is the second half of an AML program
  • Documentation quality is the primary evidence of a functioning program during regulatory examination
  • Key workflow metrics: alerts per analyst per day, average review time, false positive rate, SAR conversion rate, queue age
  • A backlog of unreviewed alerts of any age is a regulatory risk: genuine suspicious activity sits unacted upon
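One way to compute the workflow metrics listed in point 6 from an alert log, added here as an example rather than taken from the chapter. The alert records, analyst names, review times and the 30-day backlog limit are constructed assumptions; the false positive rate they produce is a sample figure, not the 90–98% cited in point 5.

```python
"""Alert review workflow metrics from a constructed alert log (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class AlertRecord:
    alert_id: str
    created: datetime
    analyst: Optional[str]       # None while unassigned
    closed: Optional[datetime]   # None while the alert is still open
    disposition: Optional[str]   # "false_positive", "sar_filed", "escalated"; None while open


def workflow_metrics(records, as_of, backlog_limit=timedelta(days=30)):
    """Alerts per analyst per day, average review time, false positive rate, SAR conversion
    rate and queue age. Rates are computed over closed alerts only; open alerts feed the
    queue-age and backlog figures. The 30-day backlog limit is an assumed policy value."""
    closed = [r for r in records if r.closed is not None]
    open_alerts = [r for r in records if r.closed is None]
    per_analyst_day = Counter((r.analyst, r.closed.date()) for r in closed)
    review_hours = [(r.closed - r.created).total_seconds() / 3600 for r in closed]
    ages = [as_of - r.created for r in open_alerts]
    n = len(closed)
    return {
        "closed": n,
        "open": len(open_alerts),
        "false_positive_rate":
            sum(r.disposition == "false_positive" for r in closed) / n if n else None,
        "sar_conversion_rate":
            sum(r.disposition == "sar_filed" for r in closed) / n if n else None,
        "avg_review_hours": mean(review_hours) if review_hours else None,
        "alerts_per_analyst_day": mean(per_analyst_day.values()) if per_analyst_day else None,
        "oldest_open_alert_days": max(ages).days if ages else 0,
        "backlog_over_limit": sum(age > backlog_limit for age in ages),
    }


# Constructed sample log: eight closed alerts across two analysts, two still open.
T0 = datetime(2024, 3, 1, 9, 0)


def _rec(i, created_days, analyst, review_hours, disposition):
    created = T0 + timedelta(days=created_days)
    closed = None if review_hours is None else created + timedelta(hours=review_hours)
    return AlertRecord(f"ALT-{i:03d}", created, analyst, closed, disposition)


SAMPLE_LOG = [
    _rec(1, 0, "ana", 2, "false_positive"),
    _rec(2, 0, "ana", 1, "false_positive"),
    _rec(3, 0, "ana", 3, "false_positive"),
    _rec(4, 1, "ana", 4, "sar_filed"),
    _rec(5, 1, "ben", 1, "false_positive"),
    _rec(6, 1, "ben", 2, "false_positive"),
    _rec(7, 2, "ben", 1, "false_positive"),
    _rec(8, 2, "ben", 5, "escalated"),
    _rec(9, -40, None, None, None),    # unassigned alert that has sat in the queue for weeks
    _rec(10, 3, "ben", None, None),    # assigned, still under review
]
AS_OF = T0 + timedelta(days=5)

if __name__ == "__main__":
    for name, value in workflow_metrics(SAMPLE_LOG, AS_OF).items():
        print(f"{name:<24} {value}")
```

The backlog figure is the one an examiner asks about first: one alert here has been open for 45 days with no analyst assigned, which is exactly the "sits unacted upon" situation the chapter flags, and it would be invisible in a report that only averaged review time over closed alerts.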

7. The SAR Filing Obligation Is the Central Output
  • The entire monitoring system exists to generate qualified referrals for SAR (US) or STR (international) filing
  • FATF Recommendation 20: countries must ensure financial institutions report suspicious transactions to the FIU
  • SAR filing is not the end of the process: effective AML programs track SAR outcomes where possible to improve model performance


Key Distinctions

Dimension                  Rules-Based                  ML-Based
Alert type                 Binary flag                  Probability score
Explainability             High (exact rule triggered)  Moderate (feature importance)
Novel pattern detection    No                           Yes
Calibration method         Threshold tuning             Model training + threshold
Regulatory comfort level   High                         Increasing (with governance)
False positive rate        Typically higher             Typically lower (with good data)
Training data requirement  None                         Substantial

Connections to Other Chapters

  • Chapter 6 (KYC): Customer risk ratings from KYC feed into transaction monitoring alert prioritization — a high-risk customer's transaction triggers different thresholds than a low-risk customer's identical transaction
  • Chapter 8 (Sanctions Screening): Sanctions screening and transaction monitoring are distinct but related processes; they share the false positive management challenge
  • Chapter 10 (Customer Risk Rating): Dynamic risk ratings that update based on transaction behavior create a feedback loop between monitoring and customer risk assessment
  • Chapter 11 (SAR and Case Management): The output of the monitoring process is input to the SAR/case management workflow
  • Chapter 26 (Explainable AI): XAI techniques (SHAP values, LIME) are specifically relevant to making ML-based AML monitoring explainable to regulators and analysts

Regulatory Reference Points

Framework                                  AML/SAR Relevance
FATF Recommendation 20                     Core SAR filing obligation
BSA (Bank Secrecy Act)                     US statutory basis for SAR filing and AML programs
31 USC 5318(g)                             US SAR filing requirement
FinCEN SAR regulations (31 CFR 1020.320)   US SAR mechanics
EU AMLD5/AMLD6                             EU STR obligations and AML framework
FCA SYSC 6.3                               UK systems and controls for financial crime
PRA/FCA ML Sourcebook                      UK detailed AML requirements

For Your Practice

When evaluating an AML transaction monitoring program — whether as a compliance professional, auditor, or RegTech vendor — ask:

  1. Coverage: Does the scenario library cover the key typologies relevant to this institution's products and customer base?
  2. Calibration: When were thresholds last reviewed? Against what population data?
  3. Alert management: What is the current alert-to-analyst capacity ratio? What is the queue age?
  4. False positive rate: What is the confirmed false positive rate, and how is it measured?
  5. ML governance: If ML is used, what is the model validation process? When was the model last retrained?
  6. Documentation: Is every alert review decision documented with sufficient detail to reconstruct the analysis?
  7. SAR output: What is the SAR conversion rate, and does it benchmark reasonably against peer institutions?

Next: Chapter 8 — Sanctions Screening: Watchlists, False Positives, and Calibration →