According to a 2023 Datos Insights survey of anti-money laundering (AML) professionals, false positive alerts—those system-generated events that are supposed to indicate suspicious activity but instead flag normal behavior—are a big pain point. Eliminating false positives, most believe, can liberate resources for more productive investigations.
This negative view of false positives fails to appreciate their benefits. For one thing, false positives are a necessary by-product of automated transaction monitoring. Without computerized systems, banks would have to manually review millions of transactions for suspicious activity, which is impractical and inconsistent with regulatory expectations. False positives are also an excellent training tool. Being able to distinguish suspicious activity from normal is a skill that takes practice, especially when the suspicious activity is intended to look normal. False positives provide this practice.
Of course, every AML program must find ways to limit the operational burden of false positives. At the same time, finding value in them can help turn pain into an opportunity to optimize automated tools and develop a bench of skilled investigators.
Imperfect Monitoring
Regulators expect your models to be imperfect. The regulatory guidance on model risk management states explicitly that every model is flawed. In its model risk management guidance, the Federal Reserve writes, “All models have some degree of uncertainty and inaccuracy because they are by definition imperfect representations of reality.”1
What types of errors do regulators expect your models to make? Automated detection tools will always create at least two types of errors. The first is called a Type I error or, more familiarly, a false positive. According to the Office of the Comptroller’s Model Risk Management Handbook, false positives are “transactions that are incorrectly reported by the model as potentially suspicious but found to not represent suspicious activities requiring a suspicious activity report.”2
The AML models that many FIs use routinely generate 90% to 95% false positive rates. Why is this? High false positives reduce the likelihood of a model making the other type of error: Type II errors, also known as “false negatives.” False negatives, according to OCC guidance, “are transactions that represent potentially suspicious activities but are incorrectly not reported by the model.” 3 In other words, it is a transaction that the system should have alerted on but didn’t.
There is an inverse relationship between Type I and Type II errors. The more false positives a model generates, the less likely it will be to generate false negatives, and vice versa. So, FIs that tolerate high false positives will do so because they have a low tolerance for false negatives.
Tolerances for Type I and II errors will not be uniform across institutions or even within financial crime groups. Fraud departments, for example, tend to have a higher tolerance for false negatives as they plan for fraud losses in their budgets. Tolerating false negatives allows them to build models that monitor less activity and, therefore, generate fewer false positives. Sanctions teams, on the other hand, tend to have an extremely low tolerance for false negatives, as allowing even one specified designated national to do business with the bank is a problem. As such, Sanctions models can have relatively high false positive rates (such as 99.5%).
Despite their imperfections, models are still the best tools we have to monitor millions of transactions in seconds. The more we understand how a model is imperfect, the more we can leverage their strengths. Instead of insisting that your models be perfect by begrudging the false positives and false negatives they generate, establish a tolerance for these two types of errors. When you have an established tolerance, you can build a program that operates within those tolerances, thus turning the burden into a plan.
Operational Benefits of False Positives
Aside from their ability to ensure that we minimize our false negatives, there are some other advantages to reviewing false positives as part of any AML program.
Inform Customer Risk
Transaction monitoring programs often alert users to activity outside the realm of what is normal for customers. Typically, this change in activity isn’t indicative of anything nefarious. However, it can inform the risk a customer poses by potentially revealing a life change. For example, a large wire could indicate a purchase of property in a different jurisdiction, which may increase or decrease a customer’s risk profile. Large movement of money from a retirement account could indicate a customer who has recently retired, or it could reveal a customer who no longer has an income and needs to rely on retirement funds. This customer may be more susceptible to scammers due to this life change and may warrant additional monitoring.
Support Perpetual Know Your Customer (KYC)
Many FIs struggle with perpetual KYC programs, especially since most customers do not notify their FIs of significant life changes. False positives can point to some of those changes and support an FI’s perpetual KYC efforts. Knowing that a customer has moved, lost a job, or retired can keep the customer profile current throughout the lifecycle of the relationship. It helps FIs remain nimble to assist customers with their financial needs at a specific point in time. It can also enhance the customer experience by anticipating those needs and supporting customers through various life changes by assuring them that the products and services they have will meet their current needs.
Train New Analysts/Investigators
Identifying criminal activity is rarely easy. Criminals work diligently to make their illegal money movement blend in with normal behavior. Developing this skill requires training over time. It is necessary to hone an analyst’s or investigator’s skills by reviewing many different types of customers, money movement, and incoming funds’ senders and outgoing funds’ recipients. This is the best way to build an understanding of what constitutes suspicious behavior that likely warrants further investigation and possibly requires filing a suspicious activity report (SAR). This is achieved by learning what constitutes normal activity and what rises to the level of “suspicious” and could likely not be possible without reviewing false positives.
Conclusion
False positives can create challenges within any AML program, but they are necessary. If they were eliminated, then every alert would result in a SAR filing and many truly suspicious alerts would be missed by an immeasurable amount of false negatives. Such conditions would likely delight the criminal community, but it would do little to detect and deter money laundering and protect the financial system from criminal activity.
To learn how to strengthen your control framework and navigate AML technology options, contact Becki LaPorte at [email protected].
