Anti-Money Laundering (AML) is an area where the cost of error is critical. Missing a suspicious transfer (false negative) risks fines of up to 5% of turnover under Federal Law 115. Blocking a legitimate customer (false positive) leads to reputational damage and lawsuits. Traditional rule-based systems only detect known patterns, generating up to 95% false alerts. Our AI AML system excels at money laundering detection using machine learning AML models. We develop hybrid AI systems that reduce FPR by 20–40% without sacrificing detection recall. Our track record: 10+ years in financial ML for banks and fintechs. A typical implementation costs between $50,000 and $200,000, with ROI realized within 6 months through reduced manual review. Banks typically save $1,000,000 annually by reducing manual review workload.
The core is a combination of deterministic rules (for typical scenarios) and ML models (for uncovering latent non-linear patterns). Below we cover the architecture, models, and implementation stages.
In this article, we break down the key components: transaction monitoring, graph analysis, and KYC integration. We'll see how a hybrid approach reduces the compliance department's workload while meeting FATF requirements. Rules automatically handle 80% of transactions, leaving 20% for ML review, cutting manual effort by 60%. Our hybrid system reduces false positives by 2-5 times compared to rule-only systems. Our hybrid AML system is up to 3 times more effective than pure rule-based systems.
Why ML outperforms rule-based systems for AML
| Characteristic | Rules | ML Model |
|---|---|---|
| Detecting new schemes | No – only known patterns | Yes – uncovers hidden correlations |
| False positive rate (FPR) | 5–10% | 2–4% (2–5x reduction) |
| Adapting to changes | Manual update | Automatic retraining |
| Explainability | Full (if rule is explicit) | Via SHAP/LIME |
| Scalability | Linear with number of rules | Parallel processing |
Money laundering typologies
Structuring (Smurfing): Large sums split into smaller transactions below the reporting threshold (as defined locally).
Layering: Multi-level transfers through a chain of accounts and jurisdictions to hide the source.
Integration: Laundered funds are introduced into legitimate business—affiliated services, real estate.
Red flags:
- Transactions round amounts (e.g., just below the threshold) – below threshold but suspicious.
- Activity spike: no operations → suddenly 50 in a day.
- Geographic mismatches: client from Saratov, transfers to Singapore.
- Throwaway account: new account, large turnover, quick withdrawal, then closure.
Feature engineering
The key to ML quality are features capturing customer behavior. We use two classes:
Transactional features (volume, timing, amounts near thresholds, counterparty concentration):
def extract_transaction_features(transaction_history, lookback_days=90):
"""Features based on the customer's transaction history."""
df = transaction_history.copy()
features = {
# Transaction volume
'total_amount_30d': df[df['days_ago'] <= 30]['amount'].sum(),
'transaction_count_30d': len(df[df['days_ago'] <= 30]),
'avg_transaction_amount': df['amount'].mean(),
'amount_std': df['amount'].std(),
# Temporal patterns
'transactions_per_active_day': len(df) / df['date'].nunique(),
'max_transactions_single_day': df.groupby('date').size().max(),
'night_transaction_ratio': (df['hour'] < 6).mean(),
'weekend_activity_change': calculate_weekend_ratio(df),
# Amounts near thresholds
'near_threshold_pct': (df['amount'].between(550000, 610000)).mean(),
'round_amount_pct': (df['amount'] % 1000 == 0).mean(),
# Counterparties
'unique_counterparties': df['counterparty_id'].nunique(),
'counterparty_concentration': df.groupby('counterparty_id')['amount'].sum().max() / df['amount'].sum(),
'new_counterparty_ratio': (df['is_new_counterparty'] == True).mean(),
# Geographic
'foreign_transaction_ratio': (df['country'] != 'RU').mean(),
'high_risk_jurisdiction_pct': df['country'].isin(HIGH_RISK_COUNTRIES).mean()
}
return features
def compute_network_features(account_id, transaction_graph):
"""Transactions as graph: nodes = accounts, edges = transfers."""
G = transaction_graph
pagerank = nx.pagerank(G, weight='amount')
betweenness = nx.betweenness_centrality(G, weight='amount')
communities = nx.community.greedy_modularity_communities(G.to_undirected())
community_risk = assess_community_risk(account_id, communities, G)
return {
'pagerank_score': pagerank.get(account_id, 0),
'betweenness_score': betweenness.get(account_id, 0),
'community_risk': community_risk,
'in_degree': G.in_degree(account_id),
'out_degree': G.out_degree(account_id)
}
Network features (PageRank, betweenness, clustering) – help detect complex layering schemes where an account acts as a transit node.
Machine learning models
LightGBM tuned for AML
import lightgbm as lgb
from sklearn.metrics import roc_auc_score, average_precision_score
n_normal = (y_train == 0).sum()
n_sar = (y_train == 1).sum()
scale_pos_weight = n_normal / n_sar
model = lgb.LGBMClassifier(
n_estimators=500,
scale_pos_weight=scale_pos_weight,
learning_rate=0.05,
num_leaves=31,
min_child_samples=20,
feature_fraction=0.8
)
# Threshold chosen so that recall >= 0.85
from sklearn.metrics import precision_recall_curve
precision, recall, thresholds = precision_recall_curve(y_val, y_scores)
optimal_threshold = thresholds[np.argmax(recall >= 0.85)]
This LightGBM AML classifier is optimized for transaction monitoring.
Graph neural network (GNN) for network analysis
import torch
from torch_geometric.nn import SAGEConv
class AMLGraphNN(torch.nn.Module):
"""GNN for analyzing transaction networks."""
def __init__(self, node_features, edge_features, hidden_dim=64):
super().__init__()
self.conv1 = SAGEConv(node_features, hidden_dim)
self.conv2 = SAGEConv(hidden_dim, hidden_dim)
self.edge_mlp = torch.nn.Linear(edge_features, hidden_dim)
self.classifier = torch.nn.Linear(hidden_dim * 2, 1)
def forward(self, node_features, edge_index, edge_features):
x = torch.relu(self.conv1(node_features, edge_index))
x = torch.relu(self.conv2(x, edge_index))
edge_emb = self.edge_mlp(edge_features)
source_emb = x[edge_index[0]]
target_emb = x[edge_index[1]]
edge_repr = torch.cat([source_emb, target_emb], dim=1)
return torch.sigmoid(self.classifier(edge_repr))
Our graph neural network AML models analyze transaction networks.
How the hybrid AML architecture works
The hybrid system combines rules and ML into a single pipeline. Rules quickly filter out obvious legitimate operations and flag clear violations (limit breaches, forbidden jurisdictions). ML models analyze attributes that cannot be encoded in rules: anomalous behavior, hidden connections, non-linear dependencies. Result: each transfer gets a unified risk score that incorporates both rules and ML.
class HybridAMLSystem:
def __init__(self, rule_engine, ml_model, threshold=0.5):
self.rules = rule_engine
self.model = ml_model
self.threshold = threshold
def evaluate_transaction(self, transaction, customer_history):
rule_alerts = self.rules.evaluate(transaction)
features = extract_transaction_features(customer_history)
ml_score = self.model.predict_proba([features])[0][1]
final_risk = max(rule_alerts.max_risk_score if rule_alerts else 0, ml_score)
if final_risk > self.threshold:
return SARCandidate(
transaction=transaction,
risk_score=final_risk,
triggered_rules=rule_alerts,
ml_explanation=shap_explain(self.model, features)
)
What's included in the engagement
- Documentation: architecture diagram, model card, admin guide
- ML pipeline: feature extraction, training, validation, A/B testing
- Integration: with KYC system, core banking, CRM
- Real-time API: HTTP/gRPC endpoint for risk scoring each transaction
- Dashboards: metric monitoring, SAR reporting, SHAP explanations
- Deployment: on-premises or cloud
- Support: 1 month post-production, team training
Development process
- Analysis – gather requirements, audit current logs, review regulations (Federal Law 115, FATF)
- Design – select architecture, define features, configure pilot
- Development – write code, train models, set up pipeline
- Testing – cross-validation on historical data, scenario testing
- Deployment – deploy, integrate, load test
Timeline: from 6–8 weeks for a basic version (rules + LightGBM + SAR) to 4–5 months for a full system (with GNN, real-time, graph analysis). The system processes over 10,000 transactions per second in real-time.
Model comparison: LightGBM vs GNN
| Characteristic | LightGBM | GNN (SAGEConv) |
|---|---|---|
| Data type | Tabular features (transactions) | Graph data (account network) |
| Detects | Anomalies in customer behavior | Complex transfer chains (layering) |
| Trainability | Fast training, works with little data | Requires more data and GPU |
| Interpretability | SHAP, feature importance | Graph visualization, attention |
Regulatory compliance
Federal Law 115 (Russia): mandatory control of transactions above a certain threshold, submission of SAR to Rosfinmonitoring within 3 business days.
FATF/EU AMLD: KYC on onboarding, continuous monitoring, enhanced due diligence (EDD) for high-risk clients. Regulatory requirements are described in the FATF Recommendations (Wikipedia).
How we ensure explainability
Each suspicious decision comes with a SHAP explanation. Consider an example: a transfer of a large amount from Saratov to Singapore. SHAP values show that foreign_transaction_ratio increased risk by 0.34, near_threshold_pct by 0.28, new_counterparty_ratio by 0.21, transaction_count_30d by 0.15, and avg_transaction_amount by 0.10. The final risk of 0.87 exceeds the threshold of 0.5, generating a SAR report.
import shap
def explain_sar_decision(model, features, feature_names):
"""Regulators require justification for each SAR."""
explainer = shap.TreeExplainer(model)
shap_values = explainer.shap_values(features)
top_factors = sorted(
zip(feature_names, shap_values[0]),
key=lambda x: abs(x[1]), reverse=True
)[:5]
explanation = "\n".join([
f"- {name}: {'increased' if val > 0 else 'decreased'} risk by {abs(val):.2f}"
for name, val in top_factors
])
return explanation
This approach not only satisfies audits but also gives operators clear reasons for blocking.
Our AML development services cover end-to-end solutions including KYC AML integration and SAR reporting. We have expertise in graph neural network AML models, transaction monitoring, and hybrid AML systems. Our team holds certifications in AML and data science, and we guarantee a minimum 20% reduction in false positives.
Ready to evaluate your project? Request AML system development tailored to your data — get a consultation on architecture and timelines. Contact us to discuss your case.







