
From rules to intelligence: The case for AI-based transaction monitoring

The gap between modern financial crime and traditional monitoring is no longer incremental; it’s structural.

Summary

 

  • Financial crime now evolves faster than rules-based controls, creating a widening gap that regulators won’t tolerate. 
  • AI-based monitoring applies behavioral and network contexts to reduce false positives and surface risk that traditional rules miss. 
  • Institutions are adopting AI as a necessary response to rising enforcement and operational pressures. 

 


 

The problem has changed 

Financial crime has evolved faster than the controls designed to stop it. Criminal networks now use automation, digital assets, and AI to execute fraud and laundering at scale, including sanctions evasion and complex, multi‑step schemes with little human involvement.

Most institutions, however, continue to rely on rules‑based monitoring built on static thresholds and isolated transaction reviews. The result is a growing disconnect between modern financial crime risk and legacy control frameworks. 


Why existing systems are failing 

At many financial institutions, the majority of alerts (often more than 90%) are false positives. Investigating this volume consumes enormous operational capacity and diverts resources away from genuinely elevated risk. Despite sustained investment, regulatory penalties for AML failures continue to rise sharply, signaling deteriorating outcomes rather than improvement. 

The root cause is structural. Rules‑based monitoring frameworks can only detect what they’re explicitly designed to find. Thresholds are calibrated long before criminals adapt their behavior. Transactions are assessed in isolation and stripped of the behavioral, network, and contextual signals needed to distinguish suspicious activity from legitimate business. The result is a control framework that’s expensive to operate, increasingly easy to evade, and progressively harder to defend under regulatory scrutiny. 

The market response reflects this reality as institutions across the industry accelerate adoption of AI‑driven KYC and AML approaches. These next‑generation operating models materially reduce false positives, surface hidden relationships, and identify risk patterns that legacy rule‑based approaches can’t. Institutions are adopting them because the alternative is no longer defensible. 



Enforcement case study: The $80M Canaccord Genuity penalty 

In March 2026, FinCEN assessed an $80 million civil money penalty, the largest ever imposed on a broker‑dealer, against Canaccord Genuity LLC for BSA violations. The consent order highlights failures common in legacy transaction monitoring programs, such as:

  • Lack of proportionality: The Canaccord compliance program wasn’t scaled to the firm’s risk profile or transaction volumes. 
  • Ineffective monitoring design: Surveillance relied on static reports and overwhelmed, inexperienced staff. 
  • Missed suspicious activity: At least 160 SARs went unfiled, with thousands of suspicious transactions flowing undetected. 
  • Weak customer due diligence: High‑risk customers were onboarded without adequate controls, including individuals later barred by the SEC and entities with sanctions exposure. 
  • Failure to remediate: Prior examination findings remained unresolved for years. 

This enforcement action should be treated as a negative blueprint. These failures reflect the predictable limits of manual, rules‑based monitoring frameworks operating beyond their design capacity. 



How AI-based monitoring works 

Rules-based and behavioral monitoring systems are built on fundamentally different detection logics. Rules-based systems ask, “Does this transaction match a known suspicious pattern?” Behavioral systems ask, “Does this transaction deviate from what would be expected for this customer, in this context, at this time?” 

Behavioral systems evaluate activity against a dynamic baseline of normal behavior instead of static thresholds, allowing context to determine risk. The most significant advance occurs at the network level. Money laundering activity, including mule networks, coordinated round‑tripping, and correspondent banking relationships, is often invisible when accounts are assessed individually. Network‑based analysis identifies coordinated behavior across customers, accounts, and counterparties that rules‑based systems aren’t designed to detect.
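The two detection logics contrasted above, shown side by side as an added example (not code from the article or from any vendor product). The customer names, amounts, the 10,000 static threshold, and the median/MAD baseline with a cutoff of 6 are all assumptions chosen for illustration; production systems use far richer features.

```python
from statistics import median

# Constructed sample data (not from the article): prior amounts per customer.
HISTORY = {
    "importer_A": [48000, 52500, 61000, 45000, 55000, 50500, 58000],
    "retail_B":   [220, 310, 180, 450, 275, 390, 240],
}
# Constructed new transactions: (customer, amount)
NEW_TXNS = [("importer_A", 52000), ("retail_B", 9500), ("retail_B", 300)]

STATIC_THRESHOLD = 10000  # assumed rule: alert on any amount at or above this


def rule_alerts(txns, threshold=STATIC_THRESHOLD):
    """Rules-based logic: the same fixed threshold for every customer."""
    return [t for t in txns if t[1] >= threshold]


def baseline(amounts):
    """Per-customer baseline: median and median absolute deviation (MAD)."""
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    return med, mad


def deviation_score(amount, amounts):
    """Robust z-score: distance of an amount from the customer's own norm."""
    med, mad = baseline(amounts)
    scale = 1.4826 * mad or 1.0  # 1.4826 scales MAD to a std-dev equivalent
    return abs(amount - med) / scale


def behavioral_alerts(txns, history, cutoff=6.0):
    """Behavioral logic: alert when the deviation score exceeds the cutoff."""
    return [t for t in txns if deviation_score(t[1], history[t[0]]) > cutoff]


if __name__ == "__main__":
    # The rule flags the importer's routine wire and misses the retail outlier.
    print("rule:      ", rule_alerts(NEW_TXNS))
    # The baseline flags only the payment that is abnormal for that customer.
    print("behavioral:", behavioral_alerts(NEW_TXNS, HISTORY))
```

The static rule produces a false positive on a customer whose normal activity sits above the threshold and stays silent on a sub-threshold payment that is far outside another customer's history; the per-customer baseline reverses both outcomes.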

These capabilities increasingly extend into the investigation workflow. Production implementations integrate AI to support alert summarization, SAR drafting, and quality assurance. Institutions report approximately 60% reductions in Level 1 and Level 2 review time, more than 80% reductions in sanctions‑screening alert volumes, and material increases in SAR filings at go‑live. 



Addressing common objections 

“Regulators won’t accept black-box models.”  

This was legitimate in 2019. It’s not in 2026. FinCEN's June 2024 proposed rule explicitly cited machine learning as a tool that can improve customer risk assessment and reduce false positives. Explainability is now a product requirement.  Any solution that can’t articulate in plain terms why an alert fired isn’t regulatorily defensible. 

“We can’t write off our existing platform investment.”  

You don’t have to. Many deploy AI as a modular layer above existing systems, reducing alert volumes while building model history. Full replacement is appropriate when the existing system is under regulatory scrutiny, globally fragmented, or technically obsolete. Sunk cost isn’t a compliance strategy. 

"Implementation risk is too high."  

Successful outcomes depend on three variables: data readiness, governance clarity, and vendor experience with regulatory examination. Institutions that manage these effectively achieve go-live without examination findings. Parallel runs prior to full transition are essential.  

“Our data quality isn’t good enough.”  

This isn’t a reason to delay modernization. It’s a reason to assess data readiness early. Field-level data mapping, identity resolution, and ETL testing with representative production samples are prerequisites. 



The case for acting now 

Documented implementations show that AI‑enabled transaction monitoring leads to material improvements in alert quality and operational efficiency. Institutions report substantial reductions in false positives and overall alert volumes, allowing investigative capacity to shift toward higher‑risk activity. 

At initial deployment, many programs experience a temporary increase in SAR filings as previously undetected or under‑prioritized risk surfaces through improved detection and network analysis. But over time, alert volumes stabilize at lower levels with higher investigative yield. AI‑assisted workflows reduce investigation cycle times through improved triage, richer context, and more efficient case management. 

Taken together, these outcomes represent a step‑change in performance, not incremental gains achievable through continued tuning of rules‑based systems. 



From assessment to execution: A practical roadmap 

1. Assess your current program honestly. Before selecting a solution, evaluate three fundamentals:  

  • Regulatory posture: Are there open MRAs or MRIAs related to transaction monitoring?  
  • Technical maturity: When was the system last tuned, and what’s the true false‑positive rate? 
  • Operational capacity: What’s the alert‑to‑analyst ratio and average time from alert to SAR decision? 

2. Choose your architectural approach. Two approaches dominate. Full replacement delivers the greatest benefit and is appropriate when systems are under regulatory scrutiny, globally fragmented, or technically obsolete. Modular augmentation layers AI‑based behavioral scoring above existing platforms, reducing alert volumes while building model history incrementally. 

3. Get the implementation fundamentals right. Establish governance before configuration begins. Document RACI explicitly across vendor, advisors, and internal teams. Treat data mapping, identity resolution, and ETL testing as prerequisites. Limit customization to avoid recreating rules‑based logic at behavioral‑system cost.  

4. Select your vendor rigorously. Vendors know their technology, not your regulatory posture. Independent advisory expertise that bridges both is essential. Ask prospective vendors such key questions as: 

  • Do you have live ML models operating at comparable institutions? 
  • Have you supported implementations through regulatory examination? 
  • Can you deliver documentation that’s compliant with SR 11-7 as well as commit contractually to model updates?  

5. Satisfy regulators on SR 11-7 and explainability.  To be compliant with SR 26-2, programs must document model design, data lineage, outputs, thresholds, back‑testing, drift monitoring, and independent validation. Regulators care less about theory and more about outcomes. Explainability is a day-one requirement, not an end-stage deliverable. Independent validation should occur twice in the first year, then annually. 

6. Apply the Canaccord lessons directly. 


The decision 

Rules-based transaction monitoring was effective for a different era. Today, criminals deploy AI to execute money laundering campaigns at industrial scale. 

The risk of waiting to make the shift grows as detection gaps widen and regulatory postures become harder to defend. And today’s regulators have demonstrated that they’ll impose nine-figure penalties on programs that aren’t proportional to their risk. 

The technology is mature, the regulatory framework is established, and the performance evidence is documented and consistent. The question isn’t whether to make this transition. It’s whether your institution is running out of time to make it on your own terms. 


Shahid Ghaloo, Director


Philippe Guiral, Partner

