Artificial Intelligence and Machine Learning
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
The past several years have seen a heightened focus on combating money laundering, with a number of jurisdictions implementing new regulations aimed at preventing the flow of illicit funds. These efforts have taken on greater urgency since Russia’s invasion of Ukraine, which helped further expose how wealthy Russians have taken advantage of lenient regulatory regimes in the United Kingdom, the United States and other jurisdictions to invest funds of dubious provenance. In addition to new anti-money laundering (AML) regulations, enforcement efforts against companies (and individuals) involved in money laundering increased in 2022 in several jurisdictions.
Companies, financial institutions in particular, must generally design and implement AML-focused compliance programmes to address the risk that they may process transactions that facilitate money laundering. These programmes generally include, among other measures, ensuring that new and existing clients are not known to present money laundering or terrorist financing risks, and monitoring the transactions of clients to identify transactions of concern. In this context of heightened attention to AML compliance, new, technology-driven methods offer companies more effective and adaptable methods to ensure compliance with an evolving AML regulatory landscape. These methods involve the use of machine learning (ML) to analyse the risks associated with companies’ clients based on those clients’ risk profiles. Organisations can further develop sophisticated ML models that assess patterns or themes in transaction data, reconcile those patterns and themes with the customer types associated with the transactions, and then identify transactions for further review based on deviations from those patterns or themes. As these transactions are continually assessed, the ML can be further ‘trained’ to become more accurate as part of a positive feedback loop.
Organisations with AML risks
Most countries maintain regulatory requirements in some form to ensure that banks and other financial firms implement AML compliance frameworks. Those frameworks will typically comply with recommendations issued by the Financial Action Task Force (FATF), an intergovernmental organisation that publishes anti-money laundering and counter-terrorist financing standards, policies and procedures. The FATF has issued a number of recommendations that set out a comprehensive and consistent framework of measures that countries should implement to combat money laundering. The FATF’s recommendations are concerned mostly with the financial industry – namely, in the banking, insurance, currency exchange and fintech sectors – and a group of industries that it classifies as designated non-financial businesses and professions (DNFBPs).
DNFBPs include real estate agents, casinos, dealers of precious metals, precious stones or other high-value goods (such as art), lawyers, notaries and other independent legal professionals, accountants, and trust and company service providers. DNFBPs are often also referred to as ‘gatekeepers’. If complicit in laundering assets, whether intentionally or through wilful ignorance, they can also be referred to as ‘enablers’ or as ‘professional money launderers’ (PMLs) owing to their role in the financial system and in money laundering schemes. Essentially, these business and professions are often involved in high-value transactions and, crucially, have the ‘professional expertise to perform a specific service to aid their customer in carrying out a tax offence or other financial crime’.
However, although most AML frameworks relate to financial institutions and DNFBPs, other types of businesses also face money-laundering risks. For example, a 2022 US Department of Justice indictment of nine members and associates of the Genovese and Bonanno organised crime families made allegations of racketeering, illegal gambling and money laundering conspiracy in connection with illegal gambling parlours and sports clubs, which are institutions that one could feasibly associate with illegal sports gambling. Also listed in the indictment, however, was a business named Sal’s Shoe Repair, which, as one news report put it, ‘was doing more than fixing heels and worn soles’.
Elements of an AML compliance programme
The FATF, the Organisation for Economic Co-operation and Development and other intergovernmental organisations, along with guidance from national authorities, provide frameworks for organisations’ AML compliance programmes, which should be designed to help uncover suspicious activity associated with criminal acts, including money laundering and terrorist financing. Generally, these programmes should include:
- a compliance officer who is appropriately experienced and competent, and who is supported by the management of the institution;
- an AML training programme that aims to make employees sensitive to AML-related risks at the organisation. The training should also be tailored to the specific responsibilities (and risks) that the employees would face;
- policies and procedures that create a control framework for the organisation’s AML compliance efforts. The framework would typically include a risk-based AML screening programme – know your customer (KYC) – that seeks to ensure an organisation knows the identity and risks associated with customers or other third parties with which it does business. In most instances, customers are risk-scored and the organisation may implement different requirements depending on that risk score;
- a monitoring programme that identifies and reports suspicious transactions, as well as a more general ongoing review that assesses how the AML compliance programme is working in practice;
- a risk analysis programme in which organisations periodically assess their AML-related risks, which they can then work to address through mitigation measures; and
- an independent audit function that tests the implementation of the AML compliance programme.
Certain of these programme requirements can be significantly enhanced through the use of ML-based solutions, notably including programme requirements relating to KYC due diligence reviews, monitoring and risk analyses. As discussed below, these programme elements involve significant data points and algorithmic decision-making that, in many circumstances, can be accomplished more cheaply and effectively through the use of ML.
Use of ML in AML compliance
Background: artificial intelligence versus ML
Advances in recent years in artificial intelligence (AI) and ML have transformed numerous industries, including, in particular, the financial sector. AI and ML are two closely linked concepts, yet distinct in many respects. AI concentrates on the creation of systems capable of performing tasks that normally require human intelligence. These tasks may include understanding natural language, voice recognition, problem-solving and decision-making. The goal of AI is to create systems that can execute these tasks autonomously, without human intervention. ChatGPT, Apple’s virtual assistant Siri and Amazon’s virtual assistant Alexa are well-known examples of efforts to create systems that mimic human responses and are generally classified as AI.
ML, a subfield of AI, focuses on the development of algorithms that allow computers to learn from data. In essence, while AI is the general concept of machines capable of emulating human intelligence, ML is a specific approach to achieving this, focusing on the use of data and algorithms to simulate the learning process. The great benefit of ML is that systems can learn and improve over time by adapting to new inputs without being explicitly programmed to do so.
As discussed below, in an AML context, an ML model is trained on a data set and can subsequently make predictions or decisions based on this data.
Applying ML to AML compliance
Current rules-based approach
Currently, many organisations’ AML compliance programmes identify red flags in customer screening, risk analyses and transaction monitoring through the use of rules that are based on specific scenarios, thresholds or statistical indicators. These rules are created by experts in the industry based on their knowledge and experiences.
For instance, for client screening, a basic rules-based approach would look at certain background information relating to a potential new client, including ensuring that the client does not appear on any sanctions, adverse media, politically exposed persons, regulatory and law enforcement or related lists. Based on this information, the rules-based approach will then look at the customer profile to assess the client’s risk profile. The resulting risk profile determines the scenarios and thresholds that apply to how the client is monitored; for instance, a small local business is unlikely to effect a large international wire transfer to an offshore jurisdiction. Such a transaction would typically be flagged as part of most AML compliance programmes, including a rules-based programme. In this way, the rules-based approach can prove remarkably efficient in identifying common or familiar patterns associated with money laundering activities.
Accordingly, a rules-based AML approach has many advantages, including simplicity and transparency. The approach offers a high level of clarity by explicitly outlining why a particular transaction has been marked as suspicious. It also enables financial institutions to comply with specific regulatory requirements that prescribe predefined criteria for monitoring.
However, the rules-based approach is not without its limitations. One significant drawback is the lack of flexibility of these predefined rules, allowing emerging money laundering methods to sometimes be overlooked. For instance, financial criminals may be able to adapt their behaviour to avoid triggering the rules, with certain suspicious activities slipping under the radar. In addition, the rules-based approach is prone to generating a considerable number of false positives, namely legitimate transactions incorrectly flagged as suspicious, leading to an excessive workload for review teams.
Organisations’ use of ML for the purpose of AML compliance is a relatively recent development. In the mid-2010s, financial institutions began to explore the use of ML to enhance their fraud detection and AML compliance systems. Initial applications of ML predominantly focused on augmenting the accuracy of suspicious transaction detection and minimising the number of false alerts.
Now, the use of ML for AML compliance is commonplace in the financial sector, with ML models becoming increasingly sophisticated and capable of detecting increasingly complex money laundering patterns, minimising false alerts and swiftly adapting detection models to emerging money laundering techniques. For instance, they can learn to spot patterns of transactions often associated with money laundering, such as frequent deposits or withdrawals of amounts just below the reporting threshold, or intricate transactions designed to obscure the origin of funds. ML models can also analyse transaction networks among various accounts, individuals and institutions, which can assist in identifying complex networks that may be used for money laundering. The ML approach can further ensure that the algorithms consistently improve over time, including adjusting to new trends.
Another critical application of ML is in customer risk assessments. In contrast to traditional rules-based approaches, an ML-centric strategy provides an advanced assessment of a client by synthesising the client’s background information with additional data regarding, for instance, geographical location, the nature of the business, sales methods and organisational structure. These insights allow financial institutions to channel their monitoring resources effectively, focusing on high-risk clients.
Indeed, most national AML regulations require that financial institutions’ staff ultimately review and close instances of suspicious activity, including filing suspicious activity reports (SARs) to regulatory authorities when the organisation identifies a financial transaction that (1) does not make sense to the institution, (2) is unusual for a particular client or (3) appears intended to obfuscate another transaction. The decisions about how the organisation treats the suspicious transactions identified – namely whether the organisation determined that the issue identified was a false positive or was sufficiently indicative of potential wrongdoing to report it to regulatory authorities through a SAR – can then be used to improve the accuracy of the ML’s analyses as part of a positive feedback loop.
The ML can further be adjusted to incorporate risks identified from similar organisations or industry trends, including information from subpoenas or requests for information from law regulatory authorities, or enforcement actions taken by those authorities. Ultimately, one of the great strengths of ML in AML compliance is its ability to reduce false positives. ML models are able to learn from past decisions. This learning enables these models to avoid raising alerts for transactions that are legitimate but may have certain markers of standard money laundering patterns.
Risk assessment and internal audit
Further, aside from monitoring individual transactions, ML can also be trained to more generally assess the organisation’s AML-related risks based on the totality of the issues identified from transaction monitoring, as well as from industry trends. This risk assessment can be used to help improve the organisation’s compliance programme, including adjustments to the type of data that the organisation requests from new clients. The risk assessment can also be used to improve the organisation’s internal audit function. In this manner, the organisation can significantly reduce its AML-related risks and more effectively mitigate issues that arise.
Although ML has a host of useful applications in combating money laundering, it also has limitations. First, ML is only as good as the data and models on which it is built and the human input required to build it. ML is not useful when there is not enough existing data to build a robust model; however, obtaining data can be complicated by privacy regulations and the presence of data silos within organisations. For use in AML compliance, ML requires significant input relating to clients and the transactions involving those clients. For organisations that are unable or unwilling to collect this type of client data, including non-financial institutions who may be hesitant to request client information, an ML-based solution may be of limited value. Further, the use of ML may be counterproductive to organisations if it creates a misplaced sense that appropriate AML controls have been implemented. Additionally, models trained on imbalanced data, where legitimate transactions vastly outnumber illicit ones, might struggle to identify the latter accurately.
Further, the ML model must be both properly designed and subject to continued review, assessment and intervention. Overfitting, whereby an ML model performs well on training data but poorly on new, unseen data, can be a problem. This is especially concerning in the context of AML, where the goal is to detect new and evolving money laundering techniques. Additionally, flaws in the input for the ML model can cause too many false positives or, conversely, result in red flags being missed. If the organisation fails to correct these flaws, they can cascade, with the errors building on each other as the ML ‘learns’ the wrong lessons. Achieving an optimal balance between sensitivity and specificity is a persistent challenge in developing ML-based AML systems. Organisations must therefore carefully review the results, including conducting ‘sanity checks’, especially at the beginning of the process when the ML-based models are being developed.
Finally, ML-based solutions must also be explainable, including to regulators. Organisations must be able to demonstrate that their models are effective, reliable and unbiased, a task that may be challenging owing to the ‘black box’ nature of complex ML models. If the organisation’s management does not understand the basic concepts of the technology and how the technology is used, the organisation will be unable to confirm that the processes are appropriately addressing risks. A lack of explainability could then prevent an organisation from ensuring that it complies with applicable laws and regulations. For instance, regulators will want to understand the manner by which SARs are raised and closed, especially in the event that the authorities identify a suspicious transfer that was not flagged.
Efforts to combat money laundering have taken on greater urgency in recent years, with many jurisdictions passing new laws and regulations seeking to reduce the flow of illicit funds and enforcement agencies bringing more actions against institutions deemed to be complicit in money laundering. Russia’s invasion of Ukraine, and the resulting efforts of Western governments to sanction Russian interests, has shined an even brighter light on illicit flows of capital through many Western countries. Accordingly, there is heightened pressure on organisations to design and implement AML-focused compliance programmes to ensure that they minimise the risks of processing illicit transactions.
At the same time, there are ongoing, exponential advances in the use of AI and ML in business applications, particularly when vast amounts of data are involved. In this context, organisations can design and incorporate new, ML-based methods as part of their AML compliance programmes, including using ML to analyse risks as part of client onboarding, to identify and assess suspicious activity in transaction data, and to incorporate data-driven analyses in their ongoing risk assessments. Despite the challenges and limitations inherent in the application of ML to AML compliance, there is no doubt that it has enormous potential for enhancing financial institutions’ AML detection capabilities, efficiency and adaptability. The key will be to continue refining and managing these advanced technologies effectively, thereby ensuring they serve as robust, reliable tools in the continuing battle against financial crime.
 Morgan Heavener and Jean Barrère are partners, Roberto Maluf is a director and Jeremy Sitruk is a senior manager at Accuracy.
 For example, the 2021 US Corporate Treasury Act seeks to prevent money laundering in the United States by creating requirements for US business entities to disclose information relating to their beneficial ownership to the US Department of the Treasury’s Financial Crimes Network (FinCEN). FinCEN issued a final rule relating to implementation of the beneficial ownership rule in September 2022. That rule will take effect on 1 January 2024. The UK government has passed several new regulations, including regulations in 2022 amending the 2017 Money Laundering, Terrorist Financing and Transfer of Funds Regulations (MLR 2017). The 2022 revisions include expanding the categories of persons within the scope of MLR 2017, expanding disclosure requirements relating to cryptocurrency transfers and creating additional regulatory powers for the National Crime Agency.
 See, e.g., Rupert Neate, ‘UK failure to tackle “dirty money” led to it “laundering Russia’s war funds”,’ The Guardian (30 June 2022) (https://www.theguardian.com/business/2022/jun/30/uk-failure-to-tackle-dirty-money-led-to-it-laundering-russias-war-funds (accessed 12 July 2023)).
 For example, the US Office of the Comptroller of the Currency, FinCEN, the Federal Deposit Insurance Corporation and the Federal Reserve finalised 19 money laundering-related enforcement actions in 2022, nearly double the number of such actions in 2021; however, the 19 actions taken were fewer than in 2020.
 Not exclusively, as financial institutions could also operate as professional money launderers; however, this would usually involve a select number of crooked employees colluding with criminals and facilitating the laundering of assets (and not the institution at large).
 Organisation for Economic Co-operation and Development, ‘Ending the Shell Game: Cracking down on the Professionals who enable Tax and White Collar Crimes’ (2021), p. 10 (https://www.oecd.org/tax/crime/ending-the-shell-game-cracking-down-on-the-professionals-who-enable-tax-and-white-collar-crimes.pdf (accessed 12 July 2023)).
 ‘Feds bust alleged Mafia gambling operation posing as shoe repair, coffee shop’, ABC News (16 August 2022) (https://abcnews.go.com/US/feds-bust-alleged-mafia-gambling-operations-posing-shoe/story?id=88452362#:~:text=Sal’s%20Shoe%20Repair%20in%20Merrick,federal%20prosecutors%20in%20Brooklyn%20said (accessed 12 July 2023)).
 Financial Action Task Force (FATF), ‘International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation: The FATF Recommendations’, adopted on 16 February 2012 and last updated in February 2023 (https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html (accessed 12 July 2023)).
 In the United States, the Financial Industry Regulatory Authority has published Rule 3310, outlining general requirements for a written anti-money laundering (AML) programme for financial institutions to comply with the requirements of the Bank Secrecy Act and implementing regulations of the US Department of the Treasury (see https://www.finra.org/rules-guidance/rulebooks/finra-rules/3310 (accessed 12 July 2023)). In Europe, Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing requires that financial institutions implement policies and procedures to mitigate money laundering and terrorist financing risks. The European Banking Authority has also recently published guidelines relating to compliance management and the role of the compliance officer (see ‘Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849’ (https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2022/EBA-GL-2022-05%20GLs%20on%20AML%20compliance%20officers/1035126/Guidelines%20on%20AMLCFT%20compliance%20officers.pdf (accessed 12 July 2023)).
 In fact, these well-known examples of artificial intelligence (AI) use enormous amounts of reference data to create processes that mimic human-created content. In this way, one may debate whether they should actually be considered AI rather than a form of machine learning.
 There could also be other regulatory requirements, including data privacy regulations, that might limit the types of data that non-financial institutions can request of clients.