Case Study 01: Cornerstone's AML System — When Monitoring Creates Disparate Impact


Background

Cornerstone Bank is a mid-sized UK retail bank serving approximately 2.1 million personal customers. Like all UK credit institutions, Cornerstone operates a transaction monitoring system to identify potentially suspicious activity and generate alerts for review by its financial crime team. The system feeds Cornerstone's SAR (Suspicious Activity Report) filing process: when an alert is reviewed and a financial crime analyst determines there are grounds for suspicion, a SAR is submitted to the National Crime Agency under the Proceeds of Crime Act 2002.

Three years ago, Cornerstone's financial crime team conducted an exercise to calibrate the transaction monitoring system's alert thresholds. The exercise was data-driven and technically sound: the team reviewed historical SARs and filed reports to identify the characteristics of transactions associated with confirmed money mule activity. One of the strongest predictive signals they identified was the account's registered postcode. Accounts opened with addresses in certain postcodes — which the financial crime team had internally labelled "high-risk zones" based on their historical SAR rates — were associated with substantially higher rates of confirmed money mule activity in the historical data. The team responded logically: they applied lower alert thresholds to accounts in these postcodes, meaning that transactions on those accounts triggered review at smaller amounts and with less unusual transaction patterns than accounts in other postcodes.

The system has been running for three years. From a pure detection perspective, it has performed well: SAR volumes from high-risk postcodes have been consistently elevated, and the conversion rate from alert to filed SAR in those postcodes is materially higher than in others.


The Problem

Cornerstone's new Head of Compliance, Elena Marchetti, begins a compliance effectiveness review six months into her role. One of her first requests is a breakdown of SAR filings by demographic characteristics — specifically, whether the postcode distribution of SARs correlates with the demographic composition of those areas. She is aware that postcode is a commonly used proxy variable that may encode demographic characteristics, and she wants to understand whether this is happening in Cornerstone's monitoring programme.

The analysis takes two weeks. When the results come back, they are unambiguous and disturbing. The postcodes designated as "high-risk zones" have a significantly higher proportion of residents identifying as immigrants or from ethnic minority communities compared to Cornerstone's broader customer base. Customers with accounts registered to these postcodes are being subjected to AML monitoring at lower thresholds — in effect, they are being monitored more intensely for the same transaction behaviour as customers in other areas. As a result, they are being SARed at 4.2 times the rate of customers with similar financial profiles in other postcodes.

Elena asks the obvious question: is the higher SAR rate in these postcodes because customers in those areas are more likely to be money mules, or because those customers are monitored more intensely? The answer requires disentangling two things that the historical data cannot easily separate: genuine risk levels and monitoring intensity.

The financial crime team's view is that the elevated SAR rates are evidence of genuine elevated risk — the monitoring thresholds were set in response to historical SAR patterns, and the continuing elevated SAR rates validate the calibration. But Elena presses further. Where did the historical SAR patterns come from? They came from a previous generation of monitoring that had also applied lower thresholds to those postcodes. Where did that monitoring calibration come from? The financial crime team goes back through the documentation. They find that Cornerstone's first postcode-based threshold adjustment was made in 2009 — and that 2009 calibration was based partly on manual review patterns from 2006 to 2008, a period when, it emerges, Cornerstone's branch-level staff were flagging accounts in certain areas for extra scrutiny based on informal guidance that has not been formally documented.

Elena recognises what she is looking at. The elevated SAR rates in these postcodes do not necessarily reflect elevated genuine risk. They reflect elevated monitoring — monitoring that was itself calibrated on earlier elevated monitoring that traces, at some point in the historical chain, to informal human judgements about which communities warranted extra scrutiny. The data tells Cornerstone that these customers are "riskier." But the data is measuring monitoring intensity, not risk. This is measurement bias in its most consequential form: a self-reinforcing feedback loop that has been running for at least fifteen years, creating the statistical appearance of elevated risk where the underlying reality may be substantially different.

The consequences for real customers are serious. Customers in these postcodes are not prevented from banking — they are not having accounts closed, at least not in large numbers. But they are subject to enhanced monitoring, which means more frequent contact from the financial crime team, more requests for documentation to explain transactions, and more filings with the NCA. Being SARed does not in itself harm a customer directly — SARs are confidential. But it affects Cornerstone's internal risk designation of the account, which in some cases has led to account restrictions, enhanced due diligence requirements, and exit from the bank.


Regulatory Dimensions

The postcode-based threshold system raises issues under multiple regulatory frameworks. The FCA's Consumer Duty requires Cornerstone to deliver good outcomes for all customers. Customers in the affected postcodes are receiving systematically more intrusive treatment — and in some cases adverse financial service outcomes — based on an algorithm that was calibrated on data reflecting measurement bias rather than genuine risk. The Equality Act 2010 is engaged because the postcode distribution correlates significantly with race and national origin; the indirect discrimination analysis is formally identical to any other case where a neutral-seeming criterion has a disproportionate adverse impact on people of a protected characteristic.

The anti-money laundering context introduces a complication. AML monitoring is a legal obligation, and its purpose — preventing financial crime — is a legitimate aim under the Equality Act. A firm can potentially justify indirect discrimination where it is a proportionate means of achieving a legitimate aim. But proportionality requires that the discriminatory impact be no greater than necessary to achieve the aim, and that the firm has considered whether less discriminatory alternatives exist. Cornerstone has not done either analysis. The threshold calibration was done without considering demographic impact at all. And the firm has not assessed whether the elevated SARs from affected postcodes represent a genuinely higher conversion rate to confirmed criminal activity, or simply a higher rate of alerts reviewed and filed.


Discussion Questions

1. Elena's root cause analysis reveals that the 2009 postcode calibration was itself based on monitoring patterns that trace back to informal, undocumented human judgements. How does this illustrate the mechanism of measurement bias in practice? What would be needed to determine whether the postcode-based risk signal reflects genuine elevated fraud rates or monitoring intensity?

2. The financial crime team argues that the elevated SAR rates in affected postcodes validate the threshold calibration — high SARs confirm high risk. Critically evaluate this argument. What additional data or analysis would be needed to assess whether this interpretation is correct or whether it reflects circular reasoning?

3. Cornerstone is operating under both AML obligations and Equality Act obligations simultaneously. The legitimate aim of preventing financial crime is invoked by the financial crime team to justify the differential monitoring. Using the proportionality framework, assess whether Cornerstone's current threshold structure is likely to satisfy the proportionality requirement. What changes would be needed to make the system proportionate?

4. The FCA's Consumer Duty requires firms to deliver good outcomes for all customers. Design a customer outcome assessment that Elena could use to evaluate whether Cornerstone's AML monitoring programme is producing good outcomes for customers in the affected postcodes, taking into account both the harms of financial crime and the harms of excessive monitoring.

5. Cornerstone's management is considering two remediation options: (a) remove postcode from the monitoring threshold algorithm entirely, or (b) retain postcode but introduce demographic impact monitoring with a requirement to investigate and justify any group-level SAR rate differential exceeding the four-fifths rule threshold. Evaluate the advantages and disadvantages of each option from regulatory compliance, operational risk, and financial crime prevention perspectives. Which would you recommend, and why?


Teaching Notes

This case study is designed to illustrate measurement bias as it operates in practice in AML compliance — one of the areas where algorithmic fairness concerns have received less attention than credit or KYC, but where the potential for harm is substantial.

The central analytic point is the self-reinforcing nature of measurement bias: when monitoring intensity is used as a risk signal, the feedback loop between monitoring and SAR rates can persist and intensify for years, producing data that looks like evidence of elevated risk but is actually evidence of elevated surveillance. Breaking that loop requires the kind of historical trace that Elena undertakes — asking not "what does the data say about risk in these postcodes?" but "what does the data say about how these postcodes have been treated?"
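
The feedback loop can be made concrete with a small simulation. The code below is an added illustration, not part of the Cornerstone case material: two postcode groups share the same true mule rate, one is seeded with a 10% lower threshold (standing in for the informal guidance), and thresholds are recalibrated each cycle from observed SAR rates. All figures, the uniform-amount assumption, the recalibration rule, and the reading of the four-fifths rule as "lower SAR rate divided by higher SAR rate" are assumptions made for the example.

```python
# Toy model with constructed numbers: both groups have the SAME true mule rate.
TRUE_MULE_RATE = 0.01      # identical underlying risk in "zone" and "other"
MAX_AMOUNT = 10_000.0      # assumption: mule transfers uniform on [0, MAX_AMOUNT)
FLOOR, CAP = 500.0, 9_000.0  # assumed bounds on any alert threshold


def observed_sar_rate(threshold):
    """SARs per account: a mule is only caught if a transfer reaches the threshold."""
    detected = max(0.0, 1.0 - threshold / MAX_AMOUNT)
    return TRUE_MULE_RATE * detected


def recalibrate(thresholds):
    """'Data-driven' step: lower the threshold wherever observed SAR rates are above average."""
    rates = {g: observed_sar_rate(t) for g, t in thresholds.items()}
    avg = sum(rates.values()) / len(rates)
    return {g: min(CAP, max(FLOOR, t * avg / rates[g])) for g, t in thresholds.items()}


def simulate(cycles=3, seed_thresholds=None):
    """Run calibration cycles; record what the bank's own data would show each time."""
    thresholds = dict(seed_thresholds or {"zone": 4_500.0, "other": 5_000.0})
    history = []
    for _ in range(cycles + 1):
        rates = {g: observed_sar_rate(t) for g, t in thresholds.items()}
        history.append({
            "thresholds": dict(thresholds),
            "sar_ratio": rates["zone"] / rates["other"],
            # Assumed reading of the four-fifths rule for an adverse outcome.
            "four_fifths_ok": min(rates.values()) / max(rates.values()) >= 0.8,
        })
        thresholds = recalibrate(thresholds)
    return history


if __name__ == "__main__":
    for i, cycle in enumerate(simulate()):
        t = cycle["thresholds"]
        print(f"cycle {i}: zone threshold {t['zone']:7.0f}, other {t['other']:7.0f}, "
              f"SAR ratio {cycle['sar_ratio']:.2f}, four-fifths ok: {cycle['four_fifths_ok']}")
    # Control: with no seed disparity the same recalibration never creates one.
    control = simulate(seed_thresholds={"zone": 5_000.0, "other": 5_000.0})
    print("control SAR ratios:", [round(c["sar_ratio"], 2) for c in control])
```

The SAR ratio widens every cycle even though `TRUE_MULE_RATE` never differs between groups, while the control run with equal starting thresholds stays at parity. The disparity comes entirely from the seed and the recalibration rule.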

The regulatory tension between AML obligations and Equality Act obligations is intentional. Students should appreciate that these obligations are not simply in conflict — AML monitoring that is calibrated on measurement bias is also less effective at detecting genuine financial crime, because monitoring resources are being concentrated on a population that may not have genuinely elevated risk rather than on genuine indicators of suspicious activity. Good fairness and good financial crime prevention may therefore point in the same direction, rather than being in tension.

The proportionality analysis is a useful framework for helping students think through when differential treatment based on protected-characteristic-correlated proxies can be justified. The key tests are: does the differential treatment achieve the legitimate aim? Is it no more intrusive than necessary? Has the firm considered less discriminatory alternatives? On all three tests, Cornerstone's current system has significant weaknesses.