AI in Compliance: How Payment Firms Are Using Machine Learning for AML and Fraud Detection

The AI in compliance conversation has reached the point where it needs to be assessed soberly rather than evangelically. After several years of vendor marketing that has promised that machine learning will solve financial crime, the practical reality is more nuanced: AI and ML tools are genuinely improving certain aspects of AML and fraud detection, they have meaningful limitations in other areas, and the regulatory framework for using them responsibly is still being developed. Understanding where the technology actually helps is more useful than accepting the general premise that AI compliance is the future.

Let me be specific about where machine learning is creating genuine value in compliance operations, where it isn't, and what the FCA and other regulators are currently expecting from firms that use these tools.

Where ML Is Genuinely Effective: Transaction Monitoring

The most mature and well-evidenced application of machine learning in financial crime compliance is transaction monitoring — the process of reviewing payment flows to identify patterns that may indicate money laundering, fraud, or other financial crime.

Traditional rules-based transaction monitoring generates high false positive rates. A rule that flags all transactions above £10,000 to certain jurisdictions will produce a large number of alerts, most of which will be reviewed and closed as legitimate. The compliance overhead of managing these false positives is substantial — each alert requires a human reviewer to assess and document their conclusion. False positive rates of 90-95% are common in conventional systems.

Machine learning transaction monitoring, trained on historical data that includes confirmed suspicious transactions, can identify the combination of factors that actually characterise suspicious behaviour rather than the simple threshold rules that rules-based systems use. This produces substantially lower false positive rates — meaningfully better detection of genuinely suspicious patterns, with fewer alerts for legitimate transactions. For a payment firm processing significant transaction volumes, the reduction in alert investigation overhead is material.

The key caveat is data quality and training set design. An ML model trained on data that reflects historical patterns of confirmed SARs will learn to identify those patterns well. It will be less effective at identifying new typologies that aren't well-represented in the training data. For specialist payment firms serving complex sectors — where the transaction patterns are quite different from retail banking — training data from generic financial services contexts may be poorly calibrated. The model needs to learn what normal looks like for the specific client base, which requires sufficient volume of sector-specific data.

Network Analysis and Entity Resolution

Another area where ML tools are providing genuine value is network analysis — the identification of relationships between entities that may not be apparent from individual transaction review. When an ML system can identify that a group of apparently unrelated customers are all sending funds to the same ultimate beneficiary, or that a set of transactions forms a cyclic pattern consistent with layering, it is surfacing intelligence that rule-based systems and human reviewers working through individual cases would miss.

Graph-based ML approaches are particularly powerful here. Building relationship graphs of counterparties, beneficial owners, and payment flows — and then applying ML to identify anomalous patterns within those graphs — has become a mainstream capability for the better-resourced compliance technology platforms. For payment firms serving business clients with complex counterparty networks, this capability can identify risks that no amount of individual transaction review would catch.

Where AI Falls Short

The areas where AI compliance tools consistently underperform their marketing are the qualitative judgement calls that require genuine understanding of context. Determining whether a transaction is suspicious requires not just the identification of a pattern but an understanding of whether that pattern is explained by the client's legitimate business activity. This is precisely the kind of contextual judgement that the risk-based approach requires, and it is precisely what ML systems struggle to replicate.

The "explainability" problem is also significant from a regulatory perspective. If an ML system flags a transaction and a human reviewer investigates and closes it, the documentation needs to explain why the transaction was not suspicious. "The model gave it a high risk score" is not a sufficient explanation. The reviewer needs to be able to articulate the specific factors that caused the alert and the specific reasons why, on review, those factors were not indicative of suspicious activity. This requires human understanding of both the model's outputs and the business context — it can't be fully automated.

Regulatory Expectations

The FCA's position on ML in compliance is developing. The 2024 guidance on AI in financial services addresses the governance and oversight requirements for firms using ML models in regulated activities. Key requirements: model documentation (what the model does, how it was trained, what its limitations are), model governance (approval process, ongoing monitoring, periodic review), and human oversight (a human must be accountable for decisions made using model outputs, even if the model does the initial assessment).

The FCA is not discouraging ML use in compliance — far from it. But it is clear that "the AI said so" is not an acceptable substitute for human-reviewed, documented decision-making. The tools augment the compliance function; they don't replace the human judgement and accountability that the regulatory framework requires.