Skip to main content
Back to Banking & Securities matters

From strength to strength: The AML industry in 2019

Highlights from the speeches at the podium and the backroom conversations at ACAMS, a leading anti–money laundering industry conference.

A member of our Risk and Financial Services practices, and a leader of our work on financial crime. She has supported numerous banks and insurance companies on enterprise risk management, compliance, anti-money laundering, stress testing, credit loss forecasting, operational risk, and other risk topics.

McKinsey; ACAMS advisory board member

Advises senior executives on risk, compliance, analytics, strategy, and business transformation, with deep expertise in financial-crime compliance and anti–money laundering

McKinsey; former OCC regulator

An expert with over fifteen years of financial crime risk and controls experience predominately within large, global banking institutions, across multiple roles and leadership positions.

Dan Williams

Brings hands-on risk-management expertise in the financial-services sector, helping companies transform programs and functions to reduce risk while increasing value

The ACAMS 18th Annual AML & Financial Crime Conference concluded on September 25, 2019. Hundreds of bankers, regulators, vendors, and many others came together to share new ideas and strategies to combat money laundering and other financial crimes. We pooled our notes and agreed that seven themes are dominating anti–money laundering (AML) discussions in 2019.

Machine learning and artificial intelligence: A bump in the road?

Dozens of vendors were on hand to offer an ever-widening array of machine-learning (ML) and artificial-intelligence (AI) solutions. Further, many banks—even regional and medium-size institutions—have built analytics teams. Yet many of the bankers we spoke with expressed a note of caution, and some were frankly skeptical; one said that his bank was “done” with ML and AI. Most of the frustration stems from the idea that ML and AI are broad-based tools that can “fix everything.” And some users are unhappy that the basic data issues that have long plagued the industry—missing or inaccurate industry codes, business types, transaction codes, nonresident alien status—and newer problems like politically exposed persons (PEPs) can stymie their ML efforts. “Garbage in garbage out” still applies, even in the world of ML and AI.

Were expectations set too high, or are the tools not as powerful as once thought? Probably a bit of both—and banks have struggled to understand where and when to use these solutions. In our experience, real value is created when you use the right combination of simple analytical tools, more advanced tools like ML and AI, and human judgement. That said, some promising developments are on the horizon. For one thing, regulators are now opening the door for banks to use the tools, as part of a broader push toward the risk-based approach (see below). For another, several highly specific and high-impact applications are emerging. Banks that focus their efforts on ideas like these seem to be getting lots of traction with ML and AI:

  • client behavioral scores to improve traditional transaction-monitoring detection models
  • ML-improved sanctions screening and filtering algorithms that reduce noise and dig deeper to reduce false negatives
  • smarter search algorithms, improved entity resolution, and better data visualization and management, to improve investigation productivity and outcomes
  • stronger natural-language processing to assist with screening and investigations in foreign jurisdictions
  • dark-web investigative tools that can “jujitsu” the technology of bad actors

The regulatory pendulum continues to swing

After a period when major regulators concentrated on compliance, all the main regulators are now very much focused on effectiveness—the risk-based approach that we have long advocated. The Office of the Comptroller of the Currency reported that the majority of banks in the United States now have satisfactory AML programs and can concentrate on greater effectiveness. (Left unstated but may be assumed: banks should still not backslide on compliance.) Another regulator said explicitly that “all banks don’t need to do all things”; examiners’ handbooks are just that, and not a set of expectations for every bank to meet.

Other regulators agreed that a risk-based approach, in which banks tailor their effort and resource commensurate with the level of AML risk, is acceptable and indeed desirable; one speaker repeated this idea five times in his presentation. To be sure, banks should be thoughtful about what they do and do not do, and should manage this proactively with the regulators, including regular communication with frontline examiners. A huge opportunity waits for banks to analyze their activities, better define AML risk appetite, set limits, push these throughout the enterprise, always while managing tightly for better performance and making clear to their professionals that they can raise issues.

Renewed interest in system-wide improvements

Another ramification of the swinging regulatory pendulum is a greater interest in system-wide improvements. Authorities increasingly see that individual banks have a necessarily limited view, and that there may be real benefits from system-level improvements, such as greater sharing of information and analytics and better feedback mechanisms. US banks are starting to use Section 314b of the Patriot Act to automate sharing of information and collaboration on investigations. The US Treasury’s Financial Crimes Enforcement Network is undertaking its BSA Value Project, to understand and track the value of Bank Secrecy Act reporting. The Joint Money Laundering Intelligence Taskforce in the United Kingdom serves as one good example of improved information sharing and collaboration.

AML threats ratchet higher

Old threats continue to grow while new ones evolve, presenting myriad challenges for all concerned. Heightened vigilance is needed to combat the financing of terrorism; insiders we spoke with say that the threat from home-grown violent extremists remains high, particularly in Europe and the United Kingdom. Banks need to think even harder about measures to get out in front of the threat and how to respond quickly to incidents, working with law enforcement on both fronts. And that’s not all. New technologies present a number of tough challenges for AML, such as managing risks that arise from partnering with fintechs, understanding cryptocurrency exposure, combating bad actors in the dark web, and fighting cybercrime. The cannabis industry also poses a real challenge. The conflict between federal and state laws in the United States (and between US and Canadian law) regarding the legality and use of marijuana has created a major dilemma for financial institutions. Where it is legal, institutions struggle to monitor and manage—and where it is not, the question of whether to provide banking services to, say, equipment suppliers to the industry continues to be a topic for debate.

Sanctions are growing like kudzu

Sanctions are a particular hot spot, offering a fast-moving and complex set of challenges to banks. Several countries are adding many more sanctions to an already long list; and many of these affect countries whose regulatory regimes are uncooperative with those of other nations. Institutions need to be able to screen an increasingly complex array of countries, people, transactions, vessels, licenses, and related parties—lists that change weekly, and sometimes daily. Further, the diverging positions of US and EU sanctions add a new layer of complexity. The growing reach of sanctions and the tactics of sanctioned entities are making some lines of business so complex that banks find the game is not worth the candle, and they are withdrawing.

AML for value

Leading banks are exploring ways in which their AML programs can generate additional value, the focus of the fireside chat we hosted. The powerful skills of risk identification that banks have built for AML can also point out where risk is absent. A deep understanding of customers and their transaction patterns can be combined with external data to provide strong leads on the customer’s “next product to buy,” for example. AML transaction analysis often identifies customers that are legitimately expanding their business in high-risk jurisdictions; these too are good prospects for cross-selling. Given enough such customers in a region, banks can consider expanding into the market while staying within their risk tolerance, as they can identify and serve these customers while others cannot. The knowledge afforded by robust AML and know-your-customer processes can also allow banks to onboard new clients more quickly, giving them a competitive advantage. Viewed this way, AML is really about shining a light on a client’s business to understand better what it does, and offering it the right set of products and services to help.

More training needed

Training is one of the original four pillars of AML, along with compliance, controls, and internal audit. Even though a majority of US banks now have satisfactory AML programs, we heard several calls for high-quality and role-specific training. Further, the need is apparent across the spectrum, from institutions in remediation to those with a forward-looking agenda. Yet everyone recognizes that training is not always accessible and absorbable by learners. Compliance training in particular can be too abstract. Banks need to understand their audience and ensure that training is relevant to trainees’ everyday roles. Just like students in other professions, they need to engage with real-life examples that call on and challenge the knowledge gained from classrooms. And people will increasingly need multidisciplinary training, on BSA-AML, regulatory requirements, technology, and analytics, which will make life difficult for curriculum developers.


That’s the state of play in AML in 2019. The only thing we know for sure in this fast-paced business is that the themes are likely to continue to evolve in 2020.