Skip to main content



An Actor is a human or a legal entity involved in a banking transaction: the account holder/customer, bank staff facilitating the transaction or bank database/platform, etc. An Actor can be an originator or Beneficiary when it comes to customers.


The Originator is the account holder or, where there is no account, the person (or legal entity) who places the order with the financial institution to perform the wire transfer.


The Beneficiary is the person (or legal entity) who benefits from a transaction, for example, receiving the proceeds of a wire or a payout from an insurance policy.


An Observation is an element of an institution's anti-money laundering program to identify unusual or suspicious patterns, trends, or outlying transactions that do not fit a typical pattern.


In a Case, the analyst is looking at the parties, accounts, and transactions involved and any outside parties or transactions that might be relevant. Anti-money laundering (AML) Case Management is the critical step where analysts at financial institutions review suspicious activity. The detection rules in an AML system flag all the transactions that meet specific criteria. Then, analysts review those transactions to determine whether they might be criminal activity. Lastly, it files the SAR directly with the Financial Crimes Enforcement Network (FinCEN).


An Alert is a review based on underlying red flags that requires analyst attention.


An Investigation is a process of obtaining, evaluating, recording, and storing information about an individual or legal entity with whom one is conducting business in response to an alert indicating a possible sanctions violation. Investigations often begin with simple checks before progressing to further analysis, such as account review, customer outreach, and possible escalation to the compliance function.

Review Feedback#

The Review Feedback is the process of reviewing the information or facts retrieved through the investigation. As per the investigator's research, the alerted case can be closed, escalated for further review, or reported as false positive.

AML risk-score#

AML Risk-Scoring identifies the areas where business is most vulnerable to money laundering and terrorist financing risks (ML/TF) and helps take the appropriate preventative measures. Risk-Scoring identifies and monitors high-risk countries, products, accounts, and clients from the FI's entire customer base and helps determine the proper level of customer due diligence (CDD) applicable to adhere to regulations, including the revised FATF (Financial Action Task Force) International Standards.

Financial Action Task Force (FATF) is an international policy-making body that sets anti-money laundering standards and counter-terrorist financing measures worldwide.


Behavior is the customer's way of transacting and is lined with historical or expected transactions. During their day-to-day activities, first-line employees may observe unusual or potentially suspicious behavior exhibited by customers. According to policies and procedures, first-line employees are required to be vigilant in their identification, escalation, and reporting of potentially suspicious and or unusual activities.

Knowledge graph#

A Knowledge Graph is a semi-structured data model characterized by three components:

  • a (ground) extensional component (EDB, extensional database), with constructs, namely facts, to represent data in terms of a graph or a generalization thereof;
  • an intentional component (IDB, intentional database), with reasoning, rules over the facts of the ground extensional component;
  • a derived extensional component, the reasoning component, produced in the reasoning process, which applies rules on the ground facts reasoning on a knowledge graph concerns the different ways to traverse it while answering queries, reaching all the interlinked involved entities along different paths, possibly requiring the creation of new parts of the graph: creating new knowledge.

Knowledge Graphs have emerged as an essential tool for AML and transaction monitoring. As money laundering involves cash flow relationships between entities, Knowledge Graphs can capture financial transactions. Examples of graph analytics techniques are clustering and label propagation. Clustering enables focus on investigating specific high-risk sectors while simultaneously reducing the focus on low-risk sectors, providing an efficient allocation of analyst resources, and reducing false positives. Label propagation helps find previously unknowable patterns that may have been missed by analysts in the transaction monitoring process, thereby reducing false negatives.

Suspicious Activity#

Suspicious Activity refers to irregular or questionable customer behavior or action potentially related to money laundering or other criminal offense or the financing of terrorist activity. It may also refer to a transaction that is inconsistent with a customer's known legitimate business, personal activities, or the expected level of activity for that kind of business or account.

KYC Sources#

The first pillar of a KYC compliance policy is the Customer Identification Program (CIP). CIPs verify the customer's identity using credentials like their name, date of birth, address, social security number, or other documents.

The second pillar of KYC compliance policy is Customer Due Diligence (CDD). CDD is a KYC process in which all of a customer's credentials are collected to verify their identity and evaluate their risk profile.

The third pillar of KYC compliance policy is Continuous Monitoring. Checking a customer once isn't sufficient to ensure security. Understanding a customer's typical account activity and monitoring the activity is necessary to catch irregularities and eliminate risks as they arise.

Champion Challenger Models#

Champion and Challenger Models expose the underlying settings, parameters, and code. Though the system is creating the pipeline for the user, the model development process is not a black box and is editable.

Systemic Risk#

Systemic Risk is the disruption to the flow of financial services that is (i) caused by an impairment of all or parts of the financial system, and (ii) has the potential to have serious negative consequences for the real economy.

Behavior Risk#

Behavior Risk determines the risks associated with the behavior of the customer. Simply knowing a customer's occupation or the banking products they use does not necessarily add predictive value to a model. More telling is whether the customer's transaction behavior is in line with what would be expected given the stated occupation or how the customer uses a product.

Evidence shows that customers with deeper banking relationships tend to be lower risk, which means customers with a checking account and other products are less likely to be high risk. The number of in-person visits to a bank might also help determine more accurately whether a customer with a checking account posed a high risk, as would his or her transaction behavior—the number and value of cash transactions and any cross-border activity.

Network Association Risk#

Network analytics examines the connections between related entities to better illuminate relationships. Instead of analyzing an individual, subcomponents of the network are reviewed for similarity to known methods of money laundering and atypical customer behavior. Networks are formed by links between customers and related activity. These (sometimes inferred) links can be internal data, such as account transfers or joint ownership, or external data, such as a shared address or common use of the same ATM.

Network analytics complements existing machine learning and fuzzy logic-based approaches that many banks use for AML monitoring. Network statistics can improve the accuracy of customer risk rating or transaction monitoring models. Fuzzy logic-based methods that resolve customer identities can also be enhanced by looking at how closely accounts are connected. In addition to improving the effectiveness of existing techniques, network analytics provides investigators with new capabilities. For example, community detection algorithms can identify customer groups that could indicate criminal behavior.

Reputation Risk#

Reputation Risk relates to the potential loss of public confidence in an organization's integrity due to unlawful or unethical business practices, whether accurate or not. A money-laundering scandal could even result in banks' customers stopping doing business with them, thereby impacting the bottom line.

AML Risk#

An AML Risk Assessment measures risk exposure. A money laundering risk assessment is an analytical process applied to a business to measure the likelihood or probability that a person (or legal entity) will unwittingly engage in money laundering or financing terrorism. Key Risk Indicator (KRI) is a metric used to measure the likelihood that the combined probability of an event and its consequence will exceed the organization's risk appetite and have a profoundly negative impact on an organization's ability to be successful.

Many of the sanctions currently imposed by banking regulators contain provisions that require improvements in risk management programs for AML and The Office of Foreign Assets Control (OFAC) compliance. The starting point of a strong AML risk assessment program should be an accurate and comprehensive AML / OFAC risk assessment.

KYC Risk#

A KYC Risk rating calculates risk: either posed by a specific customer or an institution faces based on its customer portfolio. Most institutions calculate both of these risk ratings as each of them is equally important.

Poor data quality is the single most significant contributor to the poor performance of customer risk-rating models. Incorrect Know-Your-Customer (KYC) information, missing information on company suppliers, and erroneous business descriptions impair the effectiveness of screening tools and needlessly raise the workload of investigation teams. In many institutions, over half the cases reviewed have been labeled high risk simply due to insufficient data quality.

Product Risk#

The Product Risk assessment measures the risk associated with products or services offered to customers. Some products and services offered may have a higher risk assigned, depending on the nature of the product and service, e.g., because they may facilitate anonymity or handling with high volumes of currency.

Geographic Risk#

The Geographic Risk measures the risk exposure by countries. It comprises three financial crime-relevant risk parameters: 

  • Criminal indicators such as corruption indices, political risk maps, countries considered tax havens, countries susceptible to terrorism, etc. 
  • Political factors such as political stability, the rule of law, civil liberties, etc. 
  • The regulatory expectations and requirements of various countries. Based on ML risk perspectives or FATF Mutual Evaluation Reports.

PEP Risk#

The definition of a politically exposed person (PEP) is an individual with a high-profile political role or who has been entrusted with a prominent public function. They present a higher risk of money laundering or terrorist financing because of their position.

According to FATF's International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (2012), there are two types of politically exposed persons (PEPs).

Foreign PEPs: Individuals who are or have been entrusted with prominent public functions by a foreign country (e.g., heads of state or government; senior politicians; senior government, judicial or military officials; senior executives of state-owned corporations, and important political party officials).

Domestic PEPs: Individuals who are or have been entrusted domestically with prominent public functions (e.g., heads of state or government; senior politicians; senior government, judicial or military officials; senior executives of state-owned corporations, and important political party officials).

AML Taxonomies#

AML Taxonomies represent the formal structure of classes or types of objects within the AML domain. A taxonomy follows a hierarchic format and provides names for each object in relation to the other object.


The Narration is a well-structured summary of research findings to help analysts analyze cases more efficiently. The Narration includes five essential elements of information – Who? What? When? Where? and Why?

Behavior Detection#

Behaviors Detection replaces the rule-based approach with an actor-based approach. While a rule-based detection uses singular, expertly chosen data points to flag potentially suspicious activities, Behavior Detection considers the actor's context: the actors' past activity, their peer group, their expected transaction prole, and how the data interplays to conclude. Behavior Detection provides insights on why a case is suspicious, rather than putting this burden on investigators.

Case Management#

Anti-money laundering (AML) Case Management is the critical step where analysts at financial institutions review suspicious activity. The detection mechanisms in an AML system flag all the transactions that meet specific criteria. Then, analysts review those transactions to determine whether they might be criminal activity. The Case Manager provides a dashboard overview of customer KYC, transaction history, and any investigations undertaken or regulatory filings filed on a customer.


The Audit function of a bank reports to the audit committee of the board of directors (or similar oversight body). Its role is to independently evaluate the risk management and controls of the bank through periodic assessments, including the adequacy of the bank's controls to mitigate the identified risks, the effectiveness of the bank's staff's execution of the controls, the efficacy of the compliance oversight and quality controls and the effectiveness of the training.

Workflow (Case)#

A Case Management Workflow is a method of managing and processing a case. It breaks down the tasks needed to resolve a case and maps out their execution from beginning to end.

A typical case workflow used in incident management can have the following steps:

  1. The incident report is received.
  2. The incident is evaluated. If false-positive, end workflow. If valid, proceed to step three.
  3. Email or a ticket is sent to the team in charge.
  4. The team deliberates and decides on the incident report.
  5. The team proposes and applies a solution.
  6. If the solution works, the workflow is completed. If it needs further review, go back to step three four.

This type of case management workflow is highly dynamic and depends on many different factors. It relies on the knowledge worker, the data that emerges, and other unpredictable events. It often requires collaboration between team members, and steps might need repetition frequently.

Case Summary#

After gathering and organizing evidence and evaluating it, the investigator consistently documents the relevant evidence as a Case Summary that includes all the red flags identified in the case.


A Suspicious Activity Report (SAR) is a document that financial institutions, and those associated with their business, must file with the Financial Crimes Enforcement Network (FinCEN) whenever there is a suspected case of money laundering or fraud.

Peer group#

Peer Group Analysis, in layperson's terms, is the grouping of like businesses and entities for the purpose of comparison. From this grouping of like entities, various ratios and statistical methodologies can be applied to determine outliers. Once outliers have been isolated, analysis of these outliers is integral to learn more about the entity and its activity. Ultimately, the goal is to learn more about the business sector or determine whether the outlying activity is a consequence of suspicious activity. Once suspicious activity is determined, the associated data can provide a basis for developing behavioral typologies to find other potentially suspicious activity.

Noise vs. Signal#

The greatest opportunity for application is in the money laundering and terrorist financing transaction monitoring process. Traditional systems detect specific typologies that can be circumvented. Furthermore, the results from these models contain more noise than 'signals of risk' as the net is often cast wide not to miss a potentially suspicious activity.

False Positive#

A False Positive refers to a hit identified during the screening process as a possible alert. However, when reviewed, it is found not to match a target named on a sanctions list, high-risk profile, or outside of a typical transaction.