If you work in financial crime compliance, you already know the problem: your rule-based AML system generates thousands of alerts per day, 95% of them are false positives, and your investigators spend most of their time clearing noise instead of catching actual laundering. The tools exist to do better. But the landscape is confusing, and most vendor comparisons skip the technical details that actually matter.
Here is the practical breakdown. Five categories of tools detect money laundering patterns in transaction data. Each one has a specific strength and a specific blind spot. Understanding the categories matters more than memorizing vendor names, because the category determines what types of laundering the tool can structurally detect.
The five categories of AML detection tools
Not all AML tools work the same way. The detection approach determines which laundering patterns the tool can catch and which ones it will miss entirely.
1. Rule-based transaction monitoring systems
These are the incumbent tools at most banks: NICE Actimize, SAS AML, Oracle Financial Crime, Norkom. They work by matching transactions against predefined scenarios: amounts above thresholds, transfers to high-risk jurisdictions, velocity spikes, known typology patterns. They are effective for regulatory compliance (CTR filing, OFAC screening) and for catching known laundering patterns.
- Best for: Regulatory compliance (CTR filing, OFAC screening) and catching known, well-documented laundering typologies.
- Watch out for: 95%+ false positive rates. Cannot detect novel patterns. Evaluates transactions in isolation with no network context.
2. Statistical anomaly detection
These tools build baseline behavioral profiles for accounts and flag deviations: unusual transaction volumes, unexpected counterparties, sudden changes in transaction patterns. They catch behavioral shifts that rules miss, like an account that gradually increases its transaction volume over months before a large outflow.
- Best for: Detecting gradual behavioral changes and unusual counterparty patterns that rules with fixed thresholds miss.
- Watch out for: Evaluates accounts individually. Cannot see coordinated behavioral shifts across 30 accounts controlled by the same laundering network.
3. Graph analytics platforms
Quantexa, TigerGraph, Neo4j, and similar tools build entity resolution graphs that connect accounts, individuals, businesses, and addresses. They visualize networks and compute graph metrics (centrality, community detection, path analysis). Investigators use them to explore connections manually. The strength is visibility: analysts can see that Account A connects to Shell Company B through Entity C.
- Best for: Investigation workflow, entity resolution, and building visual evidence for SARs and case management.
- Watch out for: Requires manual investigation. The platform shows you the graph; a human still has to decide what is suspicious. At scale, this creates a bottleneck.
4. ML on flat tables
Feedzai, DataVisor, Hawk.ai, and similar vendors apply supervised ML (typically gradient boosted trees or deep learning) to transaction features: amount, time, counterparty risk score, velocity aggregates. They outperform rules on known fraud patterns and generalize better to variations.
- Best for: Real-time transaction scoring at payment processors. Generalizes better than rules to pattern variations.
- Watch out for: Flat table input (one row per transaction). Layering chains, shell company webs, and coordinated structuring rings are invisible because the model cannot see connections between accounts.
5. Graph ML and relational foundation models
This category reads the full transaction-account-entity graph natively. Instead of flattening relationships into per-row features, graph ML models propagate signals across the network, detecting laundering patterns based on the structure of connections. KumoRFM is a relational foundation model in this category: it reads raw relational tables (accounts, transactions, entities, beneficiaries) and automatically discovers predictive patterns across all connected tables, including multi-hop laundering chains 6-7 hops deep. No graph construction, no feature engineering, no manual investigation bottleneck.
- Best for: Layering chains, structuring rings, shell company networks, trade-based laundering, and any pattern that spans multiple entities and hops.
- Watch out for: Does not replace rule-based systems for regulatory compliance. Regulators still require deterministic rules for CTR filing and OFAC screening. Graph ML augments, not replaces.
Why money laundering is a graph problem
This is the key insight that separates effective AML tools from expensive noise generators. Every major money laundering technique is a pattern in the connections between entities, not a property of any individual transaction.
money_laundering_patterns_graph_structure
| laundering_technique | how_it_works | graph_pattern | visible_in_flat_table |
|---|---|---|---|
| Layering | Moves funds through chains of intermediary accounts to obscure origin | Sequential chain: A -> B -> C -> D -> E with rapid pass-through timing | No - each leg looks like a normal transfer |
| Structuring / Smurfing | Splits large amounts into smaller deposits across multiple accounts to avoid reporting thresholds | Fan-out from source to multiple deposit accounts, all below $10K | Partially - individual deposits flagged but network coordination invisible |
| Shell company networks | Routes funds through webs of corporate entities with obscured ownership | Complex web of entity-to-entity transfers with shared directors/addresses | No - each company-to-company transfer looks legitimate |
| Trade-based laundering | Over/under-invoicing goods between colluding businesses to move value | Invoice network between related businesses with price anomalies vs market | No - requires cross-entity invoice comparison |
| Money mule recruitment | Recruits individuals to receive and forward illicit funds | Hub-and-spoke: central account distributes to multiple mules who forward to collection point | Partially - velocity flags on mule accounts but network structure invisible |
| Round-tripping | Sends funds through a circuit of accounts back to originator to create appearance of legitimate income | Circular flow: A -> B -> C -> D -> A with timing delays at each hop | No - circular path only visible in graph |
Every major laundering technique produces a pattern in the graph of connections between entities. Flat-table tools see individual transactions. Graph-based tools see the structure.
Tool comparison: what each vendor actually does
Here is a direct comparison of major AML detection tools across the dimensions that matter for laundering pattern detection.
aml_tool_comparison
| tool | category | detection_approach | network_analysis | false_positive_reduction | best_for |
|---|---|---|---|---|---|
| NICE Actimize | Rule-based | Scenario matching against predefined typologies | Limited - some link analysis add-ons | Low - 95%+ false positive rate typical | Regulatory compliance, known typologies |
| SAS AML | Rule-based + analytics | Rules plus statistical models on transaction features | Basic network visualization | Moderate - statistical models improve over rules alone | Large banks with existing SAS infrastructure |
| Quantexa | Graph analytics | Entity resolution + network visualization for investigators | Strong - builds entity graphs, computes network metrics | Moderate - better context for analysts reduces manual false positives | Investigation workflow, entity resolution |
| Feedzai | ML on flat tables | Supervised ML on transaction features, real-time scoring | Limited - some graph features can be manually added | Good for known patterns - ML generalizes better than rules | Real-time transaction scoring at payment processors |
| DataVisor | ML on flat tables | Unsupervised + supervised ML on transaction and account features | Limited - detects account clusters but not deep network patterns | Good for account-level fraud, limited on network laundering | Account-level fraud detection, new account screening |
| Hawk.ai | ML on flat tables | ML-augmented transaction monitoring, reduces alert noise | Basic - focuses on transaction-level scoring | Good - ML layer on top of rules reduces false positives by 30-50% | Mid-market banks looking to reduce alert volumes |
| KumoRFM | Graph ML / relational foundation model | Reads raw relational tables, discovers patterns across full entity graph | Native - reads transaction-account-entity-beneficiary graph 6-7 hops deep | Strong - graph context eliminates alerts that lack network evidence | Layering, structuring rings, shell company networks, trade-based laundering |
Comparison across 7 major AML tools. Rule-based systems handle compliance. Flat-table ML improves on rules. Graph ML catches the network-based laundering patterns that other categories miss.
How layering actually works, and why most tools miss it
Layering is the most common sophisticated laundering technique. A criminal moves illicit funds through a series of intermediary accounts, each transfer creating more distance from the original source. By the time the money reaches its destination, it has passed through 4-7 different accounts, possibly across multiple jurisdictions and currencies.
Each individual transfer in a layering chain looks normal. The amounts are not unusual. The counterparties are not on any watchlist. The timing is not suspicious in isolation. A rule-based system sees each leg independently and has no reason to flag it. A flat-table ML model scores each transaction on its own features and reaches the same conclusion: not suspicious.
A graph ML model sees the full chain. It reads that Account A received a large inflow from a high-risk jurisdiction, then sent funds to Account B within 2 hours, B forwarded to C within 4 hours, C split to D and E, and D sent to a cryptocurrency exchange. Each individual transaction was unremarkable. The chain pattern, with rapid pass-through timing and increasing account distance from the source, is the signal. Only a model that reads the graph can see it.
Structuring and smurfing: the coordination problem
Structuring (also called smurfing) involves splitting a large sum into smaller deposits, each below the $10,000 Currency Transaction Report threshold. A single deposit of $9,500 at one bank branch is not suspicious. But 30 deposits of $9,500 across 15 accounts at 8 bank branches within a week, all connected through shared addresses or phone numbers, is textbook structuring.
Rule-based systems catch the obvious cases: the same person making multiple just-below-threshold deposits at the same branch on the same day. They miss the coordinated cases where different people (sometimes recruited mules) make deposits at different branches using different accounts that share non-obvious connections.
The graph reveals what the rules cannot: these 15 accounts share 3 phone numbers, 2 mailing addresses, and were all opened within the same 60-day window. The deposits follow a pattern: each mule deposits at 2-3 branches in a rotation. The graph ML model sees this cluster and the coordinated deposit pattern. The rule-based system sees 30 individual deposits that each look fine on their own.
Shell company networks: where graph ML has the biggest edge
Shell company laundering is the hardest technique for non-graph tools to detect. Money moves through a web of corporate entities with layered ownership, nominee directors, and registered addresses in multiple jurisdictions. Each entity-to-entity transfer is documented as a legitimate business transaction: consulting fees, licensing payments, intercompany loans.
Graph ML traces the ownership connections (shared directors, shared addresses, shared formation agents), the transaction flows between entities, and the timing patterns that indicate coordinated movement rather than legitimate business activity. It can identify that 12 companies in 4 countries share 2 directors and a formation agent, and that funds flow through them in a pattern consistent with layering rather than genuine commercial activity.
Traditional AML detection
- Rule-based alerts: flag transactions above thresholds, to high-risk jurisdictions, matching known typologies
- 95%+ false positive rate - investigators drown in noise
- Each transaction evaluated in isolation - no network context
- ML on flat tables improves accuracy but still blind to multi-hop patterns
- Graph analytics require manual investigation - analysts explore networks one at a time
- Layering, structuring rings, shell company webs go undetected until reported externally
Graph ML AML detection (KumoRFM)
- Reads full transaction-account-entity-beneficiary graph natively
- Traces laundering patterns 6-7 hops deep automatically
- Evaluates each transaction in context of its network neighborhood
- Catches layering chains, structuring rings, shell company webs, round-tripping
- No graph construction, no feature engineering, no manual investigation bottleneck
- Significantly reduces false positives by distinguishing legitimate high-activity accounts from laundering structures
PQL Query
PREDICT is_suspicious FOR EACH transactions.transaction_id WHERE transactions.amount > 1000
One PQL query replaces the full AML detection pipeline: rule configuration, feature engineering, graph construction, and model training. KumoRFM reads raw accounts, transactions, entities, and beneficiary tables directly and discovers laundering patterns across the full entity network.
Output
| transaction_id | suspicious_prob_kumo | suspicious_prob_rules | network_evidence |
|---|---|---|---|
| TXN-44201 | 0.92 | 0.10 | Part of 5-hop layering chain from high-risk jurisdiction |
| TXN-44202 | 0.87 | 0.65 | Structuring ring: 12 accounts, 3 shared phone numbers, coordinated deposits |
| TXN-44203 | 0.78 | 0.05 | Shell company web: 4 entities share 2 directors, round-trip flow detected |
| TXN-44204 | 0.03 | 0.72 | Rules flag high amount but graph shows legitimate supplier payment pattern |
Building a layered AML detection architecture
No single tool handles all AML requirements. Regulators expect rule-based monitoring for specific scenarios. Investigators need graph visualization for case management. And the laundering patterns that actually cause financial losses require graph ML to detect. Here is how the layers fit together:
- Layer 1: Regulatory compliance rules. Keep NICE Actimize, SAS AML, or your existing rule-based system for CTR filing, OFAC screening, and mandated scenario-based monitoring. These are non-negotiable regulatory requirements.
- Layer 2: ML-based alert prioritization. Add an ML scoring layer (Feedzai, Hawk.ai, or similar) to prioritize rule-generated alerts and reduce the 95% false positive burden on investigators. This typically cuts alert volumes by 30-50%.
- Layer 3: Graph ML for network-based detection. Deploy KumoRFM or equivalent graph ML to detect laundering patterns that rules and flat-table ML structurally cannot see: layering chains, structuring rings, shell company networks, trade-based laundering. This is where the highest-value catches happen because these patterns represent the most sophisticated and highest-volume laundering operations.
- Layer 4: Investigation and case management. Use graph analytics (Quantexa, TigerGraph) for investigator workflow: visualizing entity networks, documenting connections, building cases for SARs filing. Graph ML provides the initial detection; graph analytics supports the human investigation.
The benchmark evidence
AML detection tasks share the same data structure as other enterprise prediction problems: multiple related tables (accounts, transactions, entities, jurisdictions) where the predictive signal lives in the relationships between tables. The benchmarks that test multi-table prediction directly measure AML-relevant capability.
sap_salt_benchmark_aml_relevant
| approach | accuracy | what_it_means_for_aml |
|---|---|---|
| LLM + AutoML | 63% | Language model generates features from table descriptions, AutoML selects model. Misses relational patterns entirely. |
| PhD Data Scientist + XGBoost | 75% | Expert manually engineers cross-table features for weeks. Captures some relational signal but limited to 1-2 hops. |
| KumoRFM (zero-shot) | 91% | Reads relational tables directly. Discovers multi-hop patterns automatically. No feature engineering required. |
SAP SALT benchmark: KumoRFM outperforms expert-tuned XGBoost by 16 percentage points on multi-table prediction tasks. The 91% vs 75% gap comes from relational patterns that flat feature tables structurally cannot contain.
relbench_benchmark_aml
| approach | AUROC | feature_engineering_time |
|---|---|---|
| LightGBM + manual features | 62.44 | 12.3 hours per task |
| KumoRFM zero-shot | 76.71 | ~1 second |
| KumoRFM fine-tuned | 81.14 | Minutes |
RelBench benchmark across 7 databases and 30 tasks: KumoRFM zero-shot outperforms manually engineered LightGBM by 14+ AUROC points. Fine-tuning pushes the gap to nearly 19 points.