Back to Blog Listing

The 85% false-positive tax on your AML team

The 85% false-positive tax on your AML team
Kamil Ponicki Jul 4, 2026 4 min read

Written by: Kamil Ponicki, Director of Talent Acquisition, Digital Colliers

Your analysts open an alert, pull three screens of context, decide it's noise, close it, write a note, open the next one. Repeat for eight hours. That's the job at most mid-market banks right now, and it's not a people problem. It's a data problem dressed up as a headcount problem.

The math nobody wants to write down

AML transaction-monitoring false-positive rates sit somewhere between 85% and 95% at typical mid-market banks. That's the ACAMS number, and it's been stable for years. Take the middle of that range and it means for every 100 alerts your team clears, roughly 90 were never crime.

Now price that out. If an analyst handles, say, 30 alerts a day and 27 of them are noise, you're paying a fully-loaded compliance salary to close tickets that a better-tuned system would never have opened. Multiply across the team. Multiply across the year. That's the tax.

And it gets worse under DORA, which has been in force since 17 January 2025. Operational resilience obligations mean you can't just throw contractors at the backlog anymore. Your monitoring stack, your alert pipeline, your evidence trail, all of it is in scope. The regulator now cares whether your controls actually work, not just whether you cleared the queue.

Why suppression rules keep failing

Every CTO I talk to in this space has tried to fix false positives with rule tuning. Raise the threshold on rule 14. Add an exception for corporate customers with turnover above X. Whitelist this counterparty. Six months later the false-positive rate is the same, and now you've got 400 suppression rules nobody wants to touch because the audit trail is a nightmare.

The reason it fails is that suppression rules need context the rules engine doesn't have. To know whether a €50k transfer to Cyprus is suspicious, you need:

  • The customer's KYC file and risk rating
  • Their transaction history across all product lines
  • The counterparty's exposure across the bank's other customers
  • Sanctions and PEP screening state as of the transaction date
  • Any prior SAR filings or investigator notes

Most banks have all of that. It's just in six systems that don't talk to each other. So the rules engine sees a transaction and a threshold, decides it's over, and fires an alert. The context that would kill the alert lives two data warehouses away.

What the teams getting this right actually built

The banks I see making progress on this didn't buy a new monitoring vendor. They spent 12 to 18 months rebuilding the data layer underneath the one they already had. The pattern looks something like:

  1. A single customer view stitched from core banking, KYC, and CRM, refreshed on a known cadence.
  2. Transaction data joined to that view at ingestion, not at query time.
  3. Alert enrichment done before the alert reaches an analyst, so the case file opens with 80% of the context already attached.
  4. Feedback from analyst decisions written back into the model, so the system learns which patterns are actually noise.

None of that is glamorous. It's senior data engineering, careful lineage, and a compliance function that's willing to sit next to engineers for a year. That last part is the piece most programmes underestimate.

It's also why around 95% of enterprise AI projects fail to reach production or ROI. Teams try to bolt an ML classifier onto the existing alert stream without fixing the joins underneath. The model learns from noisy labels, produces noisy predictions, and gets quietly shelved.

Reframing the ROI conversation

The usual pitch for AML modernisation is regulatory. Avoid the fine. And the fines are real. GDPR sits at up to €20M or 4% of global turnover, and the EU AI Act adds up to €15M or 3% for high-risk system violations from December 2027. Compliance leaders know the numbers.

But the honest ROI is operational. Cut your false-positive rate from 90% to 60% and you've handed your analyst team back roughly a third of their week. That's capacity you don't have to hire, capacity that shifts from clearing noise to investigating actual leads. The regulator likes that story too, because it means your controls are getting better, not just bigger.

The cost of inaction isn't a fine. It's paying senior compliance salaries to work as human alert-suppression engines for another three years.

Related Posts