A new research paper identifies ways technologies like Artificial Intelligence (AI) and Machine Learning can address shortcomings in anti-money laundering (AML) enforcement. Next generation AML solutions: An analysis of AI-based tools vis-a-vis the reform of the European AML institutional and substantive architecture, authored by Yaron Hazan, ThetaRay’s vice president of regulatory affairs and an advisory board member at the AI APAC Institute, and Andrea Minto, a Professor of Law and Regulation of Financial Markets at Ca’ Foscari University of Venice and at the University of Stavanger – School of Business and Law, has clear implications for enforcement agencies worldwide.
Through a regtech literature review and comparative regulatory assessment, Hazan and Minto see AI not just as a compliance aid, but as a “transformative organizational instrument.” As regulators more closely focus on risk-sensitive AML internal governance, AI will become a necessity, but there are challenges ahead.
As AML responsibilities grow, better technology is needed to catch up
AML and related legislation has become more wide-ranging and complex, especially in the European Union. Despite good intentions, several scandals and bank failures reveal a misalignment between regulator’s expectations, supervisory methods and compliance standards. Inefficiencies, scattershot enforcement, and even a lack of consensus on what “effective compliance” even means hinder progress. Criminals consistently exploit this gap.
Hazan, a former Israeli police officer and counter-terrorist financing expert who developed the first successful financial prosecution against Hamas, said he and Minto wrote the paper because they saw how poorly AI legislation and regulations are designed. Implementation and outcomes are no better. The pair took an academic approach by analyzing data and research from legal and practical perspectives.
Regulators have always struggled to keep pace with rapidly developing technologies. Criminals, however, are historically early adopters.
“The bad guys do not sit aside and wait to see what the regulators and the banks will do,” Hazan said. “They always use the best technology, and the best means they can afford to bypass the controls and to bypass the systems. And unfortunately, it’s still very easy. If I would have been on the other side, it would have been so easy to trick the system and to do whatever I wanted.
“They use whatever they can to bypass, steal and launder money to support human trafficking, drug trafficking, terrorist financing. It’s easy for them. We have the tools and capabilities in humanity, in the industry, in the financial system, to be much better and to be few steps ahead, at least from what we are today. And for various reasons, we are not there. We are not there at all.”
The AML technology gap explained
Why are regulators and industry so far behind? Hazan said it begins with a historical misalignment of purposes. Governments regulate, while banks provide services to make money. The two must collaborate so they can work in unison.
Legislation evolving from 9/11 and subsequent bank failures caused a focus shift toward anti-terrorism financing. Financial institutions spent large on security.
However, the shift was slow, as conservative regimes like the United States still prioritized compliance and wanted to prevent move bank failures. The increased onus caused financial institutions to satisfy regulators, not to detect crime.
“Most of the organizations and the regulators are focused on the process and not on the outcomes, and that’s an inherent problem with the way all the AML regime was designed for the last two decades,” Hazan said. “I think it’s also reluctance to change, and they’re afraid. It’s a fear atmosphere. They’re afraid to do something because maybe the regulator would not like it.”
That process focus is reflected in several recent steps the EU has taken. The “AML Package” proposes the creation of a centralized Anti-Money Laundering Authority and the harmonization of obligations throughout member states. Concurrently, the EU’s Artificial Intelligence Act takes a horizontal approach by categorizing AI systems according to their risk profiles and applying tight obligations on high-risk applications.
The EU can be forgiven for thinking that anything will help. Consider the following:
- According to the FATF, 97% of 120 assessed countries have a low to moderate effectiveness rating for preventing money laundering and terrorist financing.
- Roughly 10% of cases reported to LEA lead to action.
- The 2022 Germany FIU report found that only 15% of SARs were investigated by law enforcement authorities, and 95% of forwarded cases ended without prosecution.
“Yet, despite this proliferation of normative frameworks, repeated evaluations and thematic reviews revealed that AML regimes across jurisdictions suffered from endemic weaknesses,” the report states. “The literature and official reports converge on a central insight: compliance has expanded dramatically in its formal dimension, but its effectiveness remains uncertain.
“In practice, mutual evaluation reports and thematic reviews demonstrate that obligated entities, under supervisory pressure, often default to over-reporting rather than risk-sensitive detection. The system thereby drifts into what the Wolfsberg Group has characterized as ‘process-driven compliance,’ producing suspicious transaction reports (STRs) of limited investigative utility.”
Hazan said the ecosystem looked in the wrong places instead of focusing on key signals that could suggest crime. A related problem is siloed internal processes that analyze AML, KYC and customers separately, instead of combining them.
“Only now we work with some banks that merge KYC, customer risk assessment and transaction monitoring, and behavioral analysis,” Hazan said. “Only now.”
National-level silos are also harming enforcement. Hazan and Minto said the lack of reliable cross-border data reduces monitoring to a “blunt instrument, generating high false-positive rates, straining institutional resources, and producing STRs that law enforcement agencies themselves often deem of limited value.” Institutions, particularly those operating across borders face obligations well beyond their capabilities to respond.
How AI, blockchains, SSIDs and data anonymization can help AML
So how does AI help? Hazan and Minto said in financial crime several data elements combine to form a behavior. Can rules be established that evaluate such behaviours against pre-defined thresholds?
AI can simultaneously evaluate multiple dimensions while meeting common bank due diligence requirements.
Governments are clearly involved. Can they be involved in more productive ways like encouraging sandboxes? Hazan said then UK’s Financial Conduct Authority is doing that. Sandboxes get financial institutions, lawyers, consultants and regulators together.
Hazan said that at the beginning, the anonymity of cryptocurrencies attracted criminals. As the technology becomes more understood, industry participants can benefit from better transparency than SWIFT.
Can data anonymization and self-sovereign IDs be leveraged? Hazan said they can. French regulators conducted an experiment that used data from multiple banks to identify patterns that all benefited from without exposing end users.
The transparency level expected in finance often supersedes the level required in human resources and many product and service sales. Hazan said more freedom of use when attempting to prevent financial crime would help enforcement narrow the gap between them and criminals. Criminals are already using these tools; let’s use them on the other side just as well and develop appropriate restrictions as we go.
“Fintech and bad guys, they run really, really fast, and regtech and the use of defence mechanisms goes very, very slow,” Hazan concluded.