The global AML compliance market costs financial institutions an estimated $274 billion annually, according to LexisNexis Risk Solutions. The majority of that spend goes to one activity: investigating false positive alerts. At major banks, compliance teams of 2,000-5,000 analysts review alerts that are 99% noise. The analysts are expensive. The process is slow. And the criminals have learned to avoid the rules.
Meanwhile, the UN estimates that $800 billion to $2 trillion is laundered globally each year. Less than 1% of illicit financial flows are detected and seized. The current system is simultaneously too sensitive (too many false positives) and too blind (too many missed laundering schemes). Both problems stem from the same root cause: rule-based detection that looks at individual transactions rather than the network.
transaction_alerts (sample week)
| alert_id | account | trigger_rule | amount | destination | outcome |
|---|---|---|---|---|---|
| A-7701 | Acct-44921 | Wire > $10K | $14,200 | London, UK | False positive (supplier payment) |
| A-7702 | Acct-88103 | High-risk jurisdiction | $3,100 | Cyprus | False positive (family remittance) |
| A-7703 | Acct-22017 | Structuring (<$10K x3) | $9,800 x3 | Domestic | SAR filed |
| A-7704 | Acct-55640 | Flow-through activity | $87,000 in/out | Shell Corp A > B > C | Missed (closed as FP) |
| A-7705 | Acct-91284 | Wire > $10K | $11,500 | Singapore | False positive (trade payment) |
Highlighted: A-7704 is a genuine layering operation through 3 shell companies. The analyst closed it as a false positive because the individual transactions looked normal. The suspicious pattern is only visible at the network level.
alert_volume_breakdown (monthly)
| category | alerts | false_positive_rate | avg_investigation_hours | annual_cost |
|---|---|---|---|---|
| Wire threshold | 42,000 | 97.2% | 3.5 hrs | $11.0M |
| Structuring | 18,500 | 94.1% | 4.2 hrs | $5.8M |
| High-risk jurisdiction | 24,000 | 96.8% | 2.8 hrs | $5.0M |
| Flow-through | 8,200 | 91.3% | 6.1 hrs | $3.7M |
| Profile mismatch | 12,300 | 93.7% | 3.9 hrs | $3.6M |
| Total | 105,000 | 95.4% | 3.8 hrs | $29.1M |
105,000 alerts per month. 95.4% are false positives. $29.1M per year in investigation costs, mostly spent on legitimate activity that triggered threshold rules.
How rule-based AML works
A transaction monitoring system (TMS) applies a set of rules, called scenarios, to every transaction. Common scenarios include:
- Cash transactions exceeding $10,000 (the BSA reporting threshold)
- Multiple transactions just below $10,000 within a time window (structuring)
- Transfers to or from high-risk jurisdictions
- Rapid movement of funds through an account (flow-through activity)
- Activity inconsistent with the customer's stated profile (occupation, income, expected transaction volume)
When a transaction matches a scenario, the system generates an alert. A Level 1 analyst reviews the alert and either closes it as a false positive or escalates it. A Level 2 analyst investigates escalated cases and either closes them or files a Suspicious Activity Report (SAR). The entire process takes 2-8 hours per alert.
The fundamental problem is that the rules are designed to be inclusive. Regulators penalize banks for missed suspicious activity far more severely than for over-reporting. So banks set thresholds low and scenarios broad, knowing that the result will be a flood of false positives that analysts must wade through.
The numbers are brutal
At large banks, a TMS generates 50,000 to 200,000 alerts per month. Between 95% and 99% are false positives. Each alert requires 2-8 hours of analyst time. At an average cost of $75 per analyst-hour, the false positive investigation cost alone is $7.5 million to $120 million per year per major bank.
This is not just expensive. It is counterproductive. When 95% of alerts are noise, analysts develop alert fatigue. They spend less time on each case. Genuine suspicious activity embedded in the flood of false positives receives the same cursory review as everything else. The system optimizes for volume processed, not for crime detected.
Why money laundering is a network problem
Money laundering has three stages: placement (getting illicit cash into the financial system), layering (moving money through transactions to obscure its origin), and integration (converting laundered money into legitimate assets). Each stage involves networks of accounts, entities, and transactions.
Layering is graph topology
The core of money laundering is layering: moving funds through a series of transactions to create distance between the source and the final destination. A simple layering scheme might route funds through 5-10 accounts across 3-4 banks. A sophisticated scheme uses dozens of shell companies, correspondent banking relationships, and trade finance transactions.
layering_chain: Alert A-7704 (missed by rules)
| hop | from | to | amount | date | rule_triggered |
|---|---|---|---|---|---|
| 1 | Acct-55640 | Shell Corp A (Cyprus) | $87,000 | Mar 1 | No (under wire review threshold) |
| 2 | Shell Corp A | Shell Corp B (BVI) | $85,300 | Mar 2 | No (different bank) |
| 3 | Shell Corp B | Shell Corp C (Estonia) | $83,600 | Mar 3 | No (different bank) |
| 4 | Shell Corp C | Real Estate LLC (Miami) | $81,900 | Mar 5 | No (domestic transfer) |
Highlighted: $87K moved through 3 shell companies across 3 jurisdictions in 5 days, losing $5,100 in fees at each hop. Each individual transaction was unremarkable. The 4-hop layering chain is only visible when you trace the full network path.
flat_alert_view (what each bank's TMS sees)
| bank | transaction_seen | amount | rule_check | alert |
|---|---|---|---|---|
| Bank 1 | Acct-55640 to Shell Corp A | $87,000 | Under $100K wire threshold | No alert |
| Bank 2 | Shell Corp A to Shell Corp B | $85,300 | Normal B2B wire | No alert |
| Bank 3 | Shell Corp B to Shell Corp C | $83,600 | Normal B2B wire | No alert |
| Bank 4 | Shell Corp C to Real Estate LLC | $81,900 | Domestic wire, documented | No alert |
Each bank sees one transaction in isolation. No single transaction triggers any rule. The 4-hop layering chain is invisible because no bank has a view of the full network. Graph ML operating on the transaction network traces the complete path.
Rule-based systems see each transaction individually. They can flag a single transaction as "large wire transfer to high-risk jurisdiction." But they cannot see that this transaction is one step in a 7-hop chain that starts at a sanctioned entity and ends at a real estate purchase, passing through 5 shell companies in 3 countries.
Structuring is coordinated behavior
Structuring (breaking large transactions into smaller ones to avoid reporting thresholds) is easy to detect when one person does it with one account. It is much harder to detect when multiple people use multiple accounts in a coordinated pattern. Ten people each depositing $9,000 at different branches on different days, all controlled by the same entity, looks like ten unrelated transactions to a rule-based system. It is one structuring operation visible only at the network level.
coordinated_structuring (single controller, multiple accounts)
| date | depositor | branch | amount | account_holder | controller |
|---|---|---|---|---|---|
| Mar 3 | Person A | Branch 12 | $9,400 | Acct-22017 | Entity X |
| Mar 5 | Person B | Branch 7 | $9,200 | Acct-22018 | Entity X |
| Mar 7 | Person C | Branch 19 | $8,800 | Acct-22019 | Entity X |
| Mar 10 | Person D | Branch 3 | $9,600 | Acct-22020 | Entity X |
| Mar 12 | Person A | Branch 22 | $9,100 | Acct-22017 | Entity X |
Five deposits, four different people, five different branches, all under $10K. Total: $46,100 deposited in 10 days. Each deposit looks routine. The coordination (same beneficial owner, staggered timing, rotating branches) is only visible at the network level.
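The contrast described above, as an added example that is not part of the original article: the same structuring check run once per account and once per controller over the rows of the table. The year, the 10-day window, the three-deposit minimum and the assumption that the controller link is already resolved (for example from beneficial-ownership records) are illustrative choices, not values from a real monitoring system.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000        # reporting threshold named on the page
WINDOW = timedelta(days=10)   # assumed look-back window
MIN_DEPOSITS = 3              # assumed, modelled on the page's "<$10K x3" rule

# Rows from the page's coordinated_structuring table; the year is assumed.
# (date, depositor, branch, amount, account, controller)
DEPOSITS = [
    (date(2024, 3, 3), "Person A", "Branch 12", 9400, "Acct-22017", "Entity X"),
    (date(2024, 3, 5), "Person B", "Branch 7", 9200, "Acct-22018", "Entity X"),
    (date(2024, 3, 7), "Person C", "Branch 19", 8800, "Acct-22019", "Entity X"),
    (date(2024, 3, 10), "Person D", "Branch 3", 9600, "Acct-22020", "Entity X"),
    (date(2024, 3, 12), "Person A", "Branch 22", 9100, "Acct-22017", "Entity X"),
]

def flag_structuring(deposits, key_index):
    """Group sub-threshold deposits by one column and flag any key that has
    MIN_DEPOSITS or more inside WINDOW with a total above the threshold."""
    groups = defaultdict(list)
    for d in deposits:
        if d[3] < CTR_THRESHOLD:
            groups[d[key_index]].append(d)
    flagged = {}
    for key, rows in groups.items():
        rows.sort(key=lambda d: d[0])
        for i, first in enumerate(rows):
            window = [d for d in rows[i:] if d[0] - first[0] <= WINDOW]
            total = sum(d[3] for d in window)
            if len(window) >= MIN_DEPOSITS and total > CTR_THRESHOLD:
                flagged[key] = {"deposits": len(window), "total": total,
                                "accounts": sorted({d[4] for d in window}),
                                "branches": len({d[2] for d in window})}
                break
    return flagged

if __name__ == "__main__":
    print("per account:   ", flag_structuring(DEPOSITS, 4))
    print("per controller:", flag_structuring(DEPOSITS, 5))
```

Grouping by account flags nothing because no single account reaches three deposits; grouping by controller surfaces all five deposits as one pattern.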
Shell company networks
Shell companies are the backbone of sophisticated laundering. They are legitimate-looking entities with bank accounts, tax IDs, and registered agents, but no real operations. Detecting shell companies from individual transaction data is nearly impossible. Detecting them from network structure is much more tractable: they have high transaction velocity relative to their stated business, they connect to other high-risk entities, and their beneficial ownership network has distinctive topology.
Rule-based AML
- Evaluates each transaction against fixed threshold rules
- 95-99% false positive rate across 50K-200K monthly alerts
- Cannot see multi-hop layering through shell networks
- Misses coordinated structuring across multiple accounts
- Criminals learn the rules and design around them
Graph ML AML
- Analyzes the full transaction network as a connected graph
- Reduces false positives by 40-60% while improving detection
- Traces fund flows through multi-hop layering chains
- Detects coordinated behavior across related accounts
- Learns evolving patterns that rules cannot anticipate
How graph ML transforms AML detection
Graph ML represents the financial system as a network: accounts are nodes, transactions are edges, and entities (people, companies) are connected to their accounts. The model learns patterns from the structure of this network, not from individual transaction attributes.
Network-level suspicious patterns
The model learns that certain network topologies are associated with laundering. Circular fund flows (A sends to B, B sends to C, C sends to A) are suspicious. Star networks where a single account receives from many sources and sends to a single destination are suspicious. Chains with progressively smaller amounts at each hop (suggesting commission-taking intermediaries) are suspicious. These patterns are defined by graph structure, not transaction attributes.
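One of these patterns, the chain with progressively smaller amounts, can be shown with a plain graph traversal. This is an added example, not code from the article or from any vendor: it uses a hand-written heuristic rather than a learned model, the transaction rows are taken from the A-7704 chain and two false-positive wires on this page, and the year, counterparty names for the false positives, and all three thresholds are assumptions.

```python
from datetime import date

# Constructed sample: the page's A-7704 chain plus two of its false-positive wires.
# (sender, receiver, amount, date); the year and the two payee names are assumed.
TXNS = [
    ("Acct-55640", "Shell Corp A", 87000, date(2024, 3, 1)),
    ("Shell Corp A", "Shell Corp B", 85300, date(2024, 3, 2)),
    ("Shell Corp B", "Shell Corp C", 83600, date(2024, 3, 3)),
    ("Shell Corp C", "Real Estate LLC", 81900, date(2024, 3, 5)),
    ("Acct-44921", "Supplier (London)", 14200, date(2024, 3, 2)),
    ("Acct-91284", "Trader (Singapore)", 11500, date(2024, 3, 4)),
]

MAX_GAP_DAYS = 3   # assumed: funds are forwarded within 3 days of arrival
MAX_SKIM = 0.05    # assumed: at most 5% is taken off at each hop
MIN_HOPS = 3       # assumed: shortest chain worth an alert

def continues(prev, nxt):
    """True if nxt forwards most of prev's funds onward shortly afterwards."""
    gap = (nxt[3] - prev[3]).days
    return (nxt[0] == prev[1] and 0 <= gap <= MAX_GAP_DAYS
            and prev[2] * (1 - MAX_SKIM) <= nxt[2] <= prev[2])

def find_layering_chains(txns):
    """Return maximal pass-through chains of at least MIN_HOPS transfers."""
    chains = []
    def extend(path):
        nexts = [t for t in txns if t not in path and continues(path[-1], t)]
        if not nexts and len(path) >= MIN_HOPS:
            chains.append(path)
        for t in nexts:
            extend(path + [t])
    # Start only from transfers that are not themselves a continuation.
    for t in txns:
        if not any(continues(p, t) for p in txns if p is not t):
            extend([t])
    return chains

def summarize(chain):
    """Condense a chain into the network context an investigator needs."""
    return {"path": [chain[0][0]] + [t[1] for t in chain],
            "hops": len(chain),
            "skimmed": chain[0][2] - chain[-1][2],
            "days": (chain[-1][3] - chain[0][3]).days}

if __name__ == "__main__":
    for c in find_layering_chains(TXNS):
        print(summarize(c))
```

The two standalone wires never form a chain, so only the four-hop path from Acct-55640 to Real Estate LLC is reported.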
Entity behavioral profiles
Graph ML builds a behavioral profile for each entity based on their position in the network: who they transact with, when, how much, and how their pattern compares to similar entities. A business that claims to be a restaurant but has a transaction profile that matches known shell companies (high wire transfer volume, no supplier payments, no payroll) is anomalous in the graph even if no individual transaction triggers a rule.
Temporal evolution of risk
The model tracks how network patterns change over time. An account that transitions from normal retail activity to high-velocity wire transfers over a 4-week period is exhibiting a pattern that precedes many SAR filings. The temporal dimension captures the evolution of risk that static rules miss.
Results from deployed systems
Banks that have deployed graph ML for AML report consistent results across multiple metrics.
False positive reduction of 40-60%. The model suppresses alerts where the full network context indicates legitimate activity, even though individual transactions match rule-based scenarios. At a bank with 100,000 monthly alerts at 95% false positive rate, a 50% reduction in false positives eliminates 47,500 unnecessary investigations per month.
SAR quality improvement. When the model does generate an alert, it provides the network context: the full transaction chain, related entities, similar historical cases, and the specific network patterns that triggered the alert. Investigators file more detailed, higher-quality SARs with less manual research.
New typology detection. Graph models have identified laundering patterns that rules were not designed to catch. In one deployment, the model detected a trade-based laundering scheme involving systematic over-invoicing across a network of import-export companies. No individual transaction was suspicious. The pattern was only visible at the network level.
PQL Query
PREDICT suspicious_activity FOR EACH accounts.account_id WHERE accounts.status = 'active'
Score every active account for suspicious activity based on the full transaction network: fund flow topology, entity behavioral profiles, temporal velocity changes, and cross-account coordination patterns.
Output
| account_id | risk_score | pattern_type | network_depth | action |
|---|---|---|---|---|
| Acct-55640 | 0.94 | Layering (3-hop shell network) | 7 accounts, 3 entities | Escalate to L2 |
| Acct-22017 | 0.88 | Structuring (coordinated) | 4 accounts, 1 controller | SAR review |
| Acct-44921 | 0.06 | Normal supplier payments | 2 accounts, recurring | Suppress alert |
| Acct-88103 | 0.04 | Regular family remittance | 2 accounts, monthly | Suppress alert |
| Acct-91284 | 0.03 | Normal trade payment | 3 accounts, documented | Suppress alert |
The foundation model approach
Traditional graph ML for AML requires training a custom model on the bank's transaction data, which means labeled examples of known suspicious activity (SARs and confirmed cases), feature engineering on the graph structure, and 6-12 months of development and validation.
KumoRFM applies a foundation model approach. The model is pre-trained on relational patterns across thousands of databases, including transaction networks, temporal behavioral dynamics, and entity relationship structures. It has already learned the universal patterns that characterize suspicious financial activity: anomalous network topology, velocity changes, circular flows, and entity behavioral inconsistencies.
A bank connects its transaction database and writes a predictive query:
PREDICT suspicious_activity FOR accounts
The model returns a risk score for every account based on the full relational context of the transaction network. No feature engineering, no labeled training data from historical SARs, no custom model. The pre-trained understanding of relational patterns transfers to the bank's specific data.
The compliance cost savings alone justify the approach. Cutting false positive investigations by 50% at a major bank saves $30-60 million per year in analyst costs. The improved detection of sophisticated laundering schemes that rules miss reduces regulatory risk, where a single BSA/AML enforcement action averages $18 million in fines according to FinCEN data, with some reaching into the billions.
The criminals are operating on the network. The detection systems should be too.