
Real-time AML: Risks & Pitfalls To Avoid


Real-time AML has been talked about for many years. But three key drivers are making real-time AML much more important today than ever before: 

  1. Real-time AML is the only way to really prevent criminals from enjoying the financial benefits of their crimes 

  2. Technology, and especially AI, is increasing the accuracy of risk detection, making real-time AML much more achievable—particularly if financial institutions can focus real-time action on high-risk customers 

  3. Regulation already in place makes it clear that real-time AML detection is required 

Real-time AML certainly brings challenges, and the purpose of this article is to explore those in some depth. But it’s also important to recognize that the move to real-time AML is inevitable and those challenges will need to be addressed.

 In this article, we explain: 

  1. What has prevented real-time AML until now?
  2. Why do we need real-time AML?
  3. Why is now the time for real-time AML?
  4. The risks of real-time AML
  5. The potential pitfalls of real-time AML
  6. What financial institutions should do today to get started with real-time AML 

What has prevented real-time AML until now? 

The traditional approach to AML has been to ‘observe and report’. Financial institutions observe potentially suspicious activity and then report it to local financial intelligence units around the world, who then sift that information, join the dots, and pass the intelligence on to law enforcement. 

But while that process is happening, the laundered money is likely hopping through different financial institutions, regions and countries. And by the time the law enforcement agencies get involved, there’s often little chance of getting the money back. 

So while we’ve become quite effective at reporting money-laundering, we’ve been less good at actually stopping it. 

Why do we need real-time AML? 

1. Preventing criminals from profiting 

The primary goal of real-time AML is to prevent criminals from enjoying the benefits of their crimes. An upstream predicate offence, whether fraud or drug dealing or another criminal offence, will generate illicit funds. The criminals need to hide their connection to those funds, but they still want access to the gains. By intercepting suspicious transactions in real time, financial institutions can prevent criminals from benefiting—effectively stopping them before they cash out. Without real-time intervention, authorities may eventually catch up, but by then, the money may already be spent or well hidden. 

2. Protecting banks and other firms from liability 

In jurisdictions like the UK, the Defence Against Money Laundering (DAML) regime mandates that banks report suspected money laundering to the National Crime Agency (NCA). The NCA then decides whether funds can be released or must be frozen. Failure to act swiftly can result in prosecution for facilitating money laundering. Real-time AML capabilities allow financial institutions to block suspicious transactions immediately, reducing legal and reputational risk. 

3. Preventing financial losses 

To use another UK example, new regulations on Authorized Push Payment (APP) fraud hold banks accountable for reimbursing victims of scams. Under these rules, the bank that receives fraudulent funds is responsible for 50% of the refund. Real-time AML systems can detect suspicious funds arriving in an account, giving the opportunity to prevent the onward transfer of the money to the criminal network. This not only protects customers but also saves financial institutions significant sums by reducing reimbursement obligations.

4. Securing more time to review complex transactions  

Transactions can be complex, often crossing jurisdictions, and there can be insufficient information to enable a good risk-based judgement on whether to proceed. If banks can interdict those transactions in real time and stop or pause them while more information is gathered, the organization is exposed to less risk. 

5. Real-time is easier for some organizations 

Some firms, particularly in payments, use real-time methods from the ground up. It's easier for them to operate in real time—the alternative is to build out a batch process to review transactional behavior over a period of days or weeks and that takes time and costs money. 

Why is now the time for real-time AML? 

There are currently two key drivers for real-time AML: 

  1. Regulation 

  2. Technology/AI improvements   

Regulation around real-time AML

 Many regulators have already emphasized the need for real-time AML. A few examples:   

  • 2015 - 4th EU Money Laundering Directive (EU) 2015/849 Article 35: “Member States shall require obliged entities to refrain from carrying out transactions which they know or suspect to be related to proceeds of criminal activity or to terrorist financing until they have …complied with any further specific instructions from the FIU or the competent authorities.” To fulfil this properly, real-time monitoring is needed.  
  • 2021 European Banking Authority Guidelines – Customer Due Diligence, Article 17/18: “[f]irms should in any case determine which transactions they will monitor in real time, and which transactions they will monitor ex-post. As part of this, firms should determine

    - which high-risk factors, or combination of high-risk factors, will always trigger real-time monitoring; 

    - which transactions associated with higher ML/TF risk are monitored in real time, in particular those where the risk associated with the business relationship is already increased. 

    18a)(2) correspondents should apply one or more of the following: Real-time monitoring of transactions is one of the EDD measures banks should consider in situations where the ML/TF risk is particularly increased.” 
     

  • FATF has also issued a recent consultation paper outlining a revision of its Recommendation 16, which suggests that real-time monitoring should be used.

Technology improvements—how AI is enabling real-time AML 

In a traditional AML set-up, huge quantities of false positives are caused by low-quality transaction monitoring alerts—in some systems, 70-80% of alerts are false positives.

If financial institutions froze every transaction that alerted, the inconvenience to customers would be huge, creating a reputational risk.

But in an AI-powered world, financial crime detection has improved significantly—we can now detect risk much more precisely and with less uncertainty.  

By combining detection accuracy with the ability to segment higher risk customers, banks can intervene in certain cases with confidence. 

The risks of real-time AML 

These include: 

  1. Stopping legitimate payments. There is an economic and societal impact of stopping legitimate payments. As payments have become instant, customers have an expectation for (and often rely on) fast, hassle-free payment processing. Pausing or stopping payments can cause friction and reputational damage.
  2. Tipping off. If you suspend funds for a customer then you need to be able to explain why it has happened. If that's not handled well by your front-line staff, you could expose your organization to the risk of tipping off—that is, alerting a criminal actor to the potential that they are being investigated. Tipping off is a criminal offence, so the operational aspects need careful consideration. 
  3. Increased workload. If real-time monitoring is not implemented with care, there is a risk of an increased operational workload. In the next section, we look at two specific cases of how this can happen.  

Pitfalls to avoid when implementing real-time AML  

It’s important to recognize the differences between engineering a real-time system and a batch-based system.  

A batch-based system – where alerts are typically generated on a daily, weekly or even a monthly basis – can offer some advantages:

  • It creates a ‘peaky’ workload, which enables machines to be maintained and upgraded without interrupting your processes
  • Batch requires a lot of ETL activities, merging and joining datasets to produce the information for the batch to run – this is different in a real-time system
  • You can operate batch-to-batch comparisons, comparing today’s batch against last week’s batch for example, which is again different with a real-time system 

However, a batch-based system doesn't offer you the ability to intervene and interdict on those payments. 

Real-time means dealing with a continual stream of transactions.  

  • Machines need to be available 24/7
  • Transactions need to be processed individually
  • Comparisons in a real-time system are typically presented as a rolling time window—for example looking at the previous seven days from the point at which you execute the transaction.  

The importance of data presentation in real-time AML 

One of the biggest pitfalls with real-time processing can come if there are mistakes in the data. Here’s an example: 

[Diagram: Real-Time AML Data Presentation]

Imagine a volume-based rule that triggers an alert if the sum of the last four transactions for a specific customer is greater than $350.  

The top line in this diagram shows those transactions being submitted in chronological order. The first transaction occurs on Jan 1, then a second on Jan 2, and a third on Jan 3. Finally, the fourth one on Jan 4.

The fourth transaction triggers the alert, as the sum is $400, which is greater than $350. The risk is detected.

But what if the order of the transactions is incorrect? The second line of the diagram shows the transaction of Jan 4 being logged incorrectly as the third transaction. When that transaction is processed, the total is $300, so the rule doesn’t fire. It's therefore important that transactions are submitted in chronological order in a real-time operation. Many organizations don't submit their data in order, and in a batch-based world the impact is minimal. In a real-time scenario, it matters.
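The ordering problem described above can be reproduced in a few lines. This is an added example, not code from the original article: it assumes each transaction is scored once, on arrival, against the customer's transactions dated on or before it, and the $100 amounts, the year and the `score_stream` function with its `rescore_on_late` option are constructed for illustration. It also shows one possible safeguard, flagging late arrivals and re-scoring the later-dated transactions they affect.

```python
from datetime import date

THRESHOLD = 350  # article's rule: alert when the last four transactions sum to more than $350
WINDOW = 4

def score_stream(arrivals, rescore_on_late=False):
    """Score transactions in arrival order; return (alert_dates, late_dates).

    Assumed model: each transaction is scored once, on arrival, against the
    customer's transactions dated on or before it (one transaction per date).
    """
    history, alerts, late = [], [], []
    for txn in arrivals:
        is_late = bool(history) and txn[0] < history[-1][0]
        history.append(txn)
        history.sort()  # keep history in transaction-date order
        to_score = [txn]
        if is_late:
            late.append(txn[0])  # surface the ordering fault to operations
            if rescore_on_late:
                # The "last four" of every later-dated transaction has changed.
                to_score = [t for t in history if t[0] >= txn[0]]
        for t in to_score:
            idx = history.index(t)
            window = history[max(0, idx - WINDOW + 1): idx + 1]
            if sum(amount for _, amount in window) > THRESHOLD and t[0] not in alerts:
                alerts.append(t[0])
    return alerts, late

# Constructed sample: four $100 transactions on Jan 1-4 (year and amounts assumed).
J1, J2, J3, J4 = (date(2024, 1, d) for d in range(1, 5))
IN_ORDER = [(J1, 100), (J2, 100), (J3, 100), (J4, 100)]
OUT_OF_ORDER = [(J1, 100), (J2, 100), (J4, 100), (J3, 100)]  # Jan 4 submitted third

if __name__ == "__main__":
    print("in order:        ", score_stream(IN_ORDER))
    print("out of order:    ", score_stream(OUT_OF_ORDER))
    print("with rescoring:  ", score_stream(OUT_OF_ORDER, rescore_on_late=True))
```

Without re-scoring, the out-of-order stream produces no alert at all, because neither the Jan 4 transaction (scored with three transactions in history) nor the late Jan 3 transaction ever sees a $400 window.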

Case management in real-time AML 

Another operational challenge is in deciding how to handle repeat alerts for a specific customer over time. 

Imagine a scenario where six alerts come in relating to one customer. 

[Diagram: Real-Time AML Alert Management]

One option is to work each alert as it is raised. However, this would involve looking at six alerts individually, starting with alert one and then starting again with alert two and so on.  

Instead, alerts could be grouped together for the analysts. The challenge with a real-time system is in deciding when the work should begin—after the first two alerts? After three?  

How can financial institutions get started with real-time AML?  

There are a number of steps that financial institutions can take to get started with real-time AML:

  • Identify higher risk customers & scenarios
  • Build a data presentation pipeline
  • Prove high detection accuracy
  • Ensure system availability
  • Define operating model 
