Introduction to AML

This post introduces AML, the key challenges compliance officers face today, and how Sardine overcomes these challenges.

If you're moving money or value, you must understand AML.

1. Introduction to AML

In order to adhere to various regulations including the Bank Secrecy Act, Financial Institutions (FI) must establish and maintain effective AML programs, including the ability to perform Transaction Monitoring.

When folks say Transaction Monitoring, they mean one of two things: monitoring transactions from a fraud point of view or from a compliance point of view. This blog provides a deep dive into AML Transaction Monitoring at Sardine.

Fraud transaction monitoring for financial institutions implies the following:

  • Acquiring fraud – are the funds coming in from stolen payment instruments?
  • Issuing fraud – did the card issued by the FI get stolen?

AML/CFT transaction monitoring is to monitor for the following:

  • A) Money laundering – structuring, layering, and placement of black money.
      • Placement – Introducing a small amount of dirty funds into the financial system (e.g. depositing small amounts of drug money into ATMs). This is where strong KYC controls are important, as criminals typically use fake accounts or compromised identities to open up accounts.
      • Layering – Moving funds around to hide the origin. Money launderers “layer” their money by creating multiple accounts at different financial institutions and constantly moving funds across a chain of FIs to obfuscate the trail of funds from their illegal origins and hide their tracks. Typically one FI will only look at money coming in/out with its immediately adjacent FIs, but no one sees the entire chain. That visibility gap is what a money launderer is trying to exploit. Money launderers break down large payments into smaller chunks, typically <$10K, to stay underneath the regular reporting thresholds of banks. IRS mandates $10K as the threshold.
Figure 1: Evading IRS Currency Transfer (CTR) rules by structuring individual transactions under the $10K threshold
      • Integration – Making the funds “legal money” through various means, such as centralizing the funds into a company so that the funding looks like revenue, or buying a property, art or NFT and then selling it so that the funds appear to be the proceeds of a sale.
  • B) Drug trafficking – is someone using the proceeds of drug trafficking? This is where checking for Source of Funds is again supremely important.
  • C) Terrorist financing – is someone using the FI to gather donations from multiple folks to fund an illicit activity? This is where screening for sanctions, PEPs and adverse media for all the counterparties of an account at an FI is supremely important. This absolutely must be filed as a suspicious activity report (SAR).

2. Challenges with AML Today

Traditional transaction monitoring has three problems:

  1. Focusing only on the transaction: The traditional way of doing TM is to monitor transactions independently, without considering the Customer’s Identity Profile (CIP). We argue that’s the primary reason FIs are drowning in TM alerts. For a holistic Customer Risk Rating (CRR) program, we need to combine transaction monitoring with CIP. The reason is that transactions alone, in terms of amounts and velocities, do not carry enough information entropy to tell apart good user activity from money laundering. Finally, by understanding the device and behavior of a user over time, we can consider the wider context of the transaction, the customer and their digital footprint to build a complete picture.
  2. Retroactive, not real-time: Many TM systems and approaches are applied after the transaction and are not captured in real-time. With the rise of real-time payments, sophisticated actors are able to evade AML controls. The controls and monitoring must be real-time by default and benefit from the decades of experience in sophisticated follow-up and investigation thereafter.
  3. Fraud systems don’t talk early or often to AML systems: Money laundering, sanctions, and terrorist financing (TF) activity often first appear as a simple fraud hit. Traditionally these are separate, siloed parts of the organization with different processes and communication priorities. If fraud systems do not escalate an alert to the AML systems, it leads to a huge backlog of AML alerts to be reviewed by compliance teams.

Also, compliance is dictated by the rule of 30/30/30.

SAR rules require a SAR to be filed no later than 30 calendar days from the date of the "initial detection of facts that may constitute a basis for filing a SAR." Anyone with SAR requirements may file SARs for continuing activity after a 90-day review, with the filing deadline being 120 days after the previously related SAR filing date.

So, for filings where a subject has been identified, the timeline is as follows:

  • Identification of suspicious activity and subject: Day 0.
  • Deadline for initial SAR filing: Day 30.
  • End of 90-day review: Day 120.
  • Deadline for continuing activity SAR with subject information: Day 150 (120 days from the initial filing date on Day 30).

If the activity continues, this timeframe will result in three SARs filed over a 12-month period.

Hence, alerts need to be shared with the compliance team in a timely manner so they can act on them and potentially file a SAR on time. Depending on the seriousness of the violation, FinCEN can impose financial penalties (up to $5K per day) or even criminal liability for non-filing (source).

2A) The data problem - Transaction Data isn’t enough

We described above a few scenarios where transaction data alone doesn’t work; hence, a holistic approach makes the most sense.

  • Appropriate thresholds for customers with different customer risk ratings: For customers with high net worth, we need to tune transaction monitoring thresholds for them – e.g., there is no point in looking at individual ACH/wires that are <$1K.
  • Appropriate thresholds for individuals with red flags: On the other hand, for customers who are affiliated with a politician i.e. Politically Exposed Person (PEP), you may decide to onboard them but create stricter transaction monitoring rules to make sure they are not engaging in any covert money laundering. In the EU/UK, for example, there are many family members of Russian oligarch expats and as per the FCA, there’s a requirement for stricter transaction monitoring on those.

2B) The timing problem - The need for real-time

The BSA/AML regulations were drafted when checks and teller windows were the primary means of moving money. Today, in the US we have 24/7/365 money movement in real-time via multiple payment rails – Visa Direct, Mastercard Send, Zelle, The Clearing House’s (TCH) Real Time Payments (RTP), FedNow. Countries outside the US are even further ahead – the UK has had Faster Payments for 10+ years, India has had UPI for 5+ and Brazil has had PIX for 3+ years. Consequently, compliance systems need to evolve and keep pace with the advent of faster money movement. Otherwise, AML systems will fall behind and the FIs will drown in post-hoc alerts they need to review.

Instead, what if an AML transaction monitoring system could proactively stop a transaction involved in potential money laundering before it happens?

The advantages of real-time AML transaction monitoring are immense –

  • Real-time AML leads to increased efficiency: Most banks employ 30+% of their workforce in compliance, and if we make them more efficient, the opex cost of running a bank goes down significantly.
  • Real-time AML leads to improved downstream processes: An AML alert that involves a series of historical transactions needs to be reviewed by an AML analyst for, say, 1 hour and then escalated to a compliance manager who reviews the same for, say, another 1 hour. Then, you may decide to put the user in an alert queue and collect more evidence from the user via email.

Instead, if you pause the suspected transfer from happening in the first place and ask the consumer a series of specific questions from within the fintech or banking app itself, you can save these several hours of manual work. The questions can be exactly what you are used to asking in the compliance review process e.g. about the counterparty (e.g. how are you related) or about the source of funds (is it from your income or a sale of an asset or property).

Sardine enables you to create an AML rule in real-time along with custom action-tags, which could indicate the very specific question you want to ask the consumer. For example –

Example AML rule for a Fintech app:

Incoming Transaction > $50,000 AND
AVG (Previous 30-day transaction value) < $1,000 AND
Transaction Currency != Customer’s sign-up Currency

Example response returned by Sardine:

AML risk level = very_high
Action tag = “Ask for Source of Funds”

We could write this as a rule in Sardine that gets triggered as soon as the money is received. Instead of updating the ledger in the name of the customer, the fintech would mark the funds as pending until the consumer provides a satisfactory Source of Funds along with supporting documentation.
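The rule and the pending-funds handling described above, sketched as an added Python example. This is not Sardine's rule syntax or API: the class and function names, the "low" level returned when the rule does not fire, and the assumption that amounts are already normalized to USD are all hypothetical.

```python
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Customer:  # hypothetical ledger view of one customer
    customer_id: str
    signup_currency: str
    prior_30d_amounts: list = field(default_factory=list)  # USD-normalized
    available: float = 0.0
    pending: float = 0.0

@dataclass
class IncomingTransaction:
    amount: float   # assumed already normalized to USD
    currency: str   # currency the funds were sent in

def evaluate_rule(customer, txn):
    """Evaluate the three ANDed conditions of the example rule."""
    # A customer with no history averages 0, so the second condition holds.
    history = customer.prior_30d_amounts
    avg_30d = mean(history) if history else 0.0
    hit = (
        txn.amount > 50_000
        and avg_30d < 1_000
        and txn.currency != customer.signup_currency
    )
    if hit:
        return "very_high", "Ask for Source of Funds"
    return "low", None  # "low" is an assumed default, not from the post

def receive_funds(customer, txn):
    """Credit the ledger, or hold the funds as pending when the rule fires."""
    risk, tag = evaluate_rule(customer, txn)
    if tag == "Ask for Source of Funds":
        customer.pending += txn.amount      # held until the consumer answers
    else:
        customer.available += txn.amount
    return {"aml_risk_level": risk, "action_tag": tag}

def release_pending(customer, source_of_funds_accepted):
    """Move held funds to the available balance once the answer is accepted."""
    if not source_of_funds_accepted:
        return 0.0                          # funds stay pending for review
    released, customer.pending = customer.pending, 0.0
    customer.available += released
    return released

if __name__ == "__main__":
    # Constructed sample customer: small USD history, then a large EUR inflow.
    cust = Customer("cust_1", "USD", [200, 450, 120])
    print(receive_funds(cust, IncomingTransaction(75_000, "EUR")))
    print(cust.pending, cust.available)
```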

2C) The communication problem - Fraud & AML collaboration

So often what starts as low-level fraud is part of a wider money laundering effort by sophisticated actors. Fraud rules that have low thresholds on transactions alone may not flag cases in a timely manner to compliance teams.

What if there was a single platform that helped with this communication challenge? What if all of the data could be pulled into a case across fraud and compliance?

And better yet, what if sophisticated AI proactively alerted and managed that?

3. Solving the challenges

3A) Solving data - With visual monitoring

Transaction monitoring meets Network Graph

When considering structuring & layering detection, it is also important to look at the activity of the accounts that are clustered together, not just one individual. A savvy money launderer would often create multiple accounts in the names of various relatives and move less than $10k from each of them daily. Sardine also provides a network graph visualization tool that allows an analyst to identify users connected via shared devices or shared addresses. Then they can review alerts for this cluster in totality instead of individually.

Figure 2: Sardine’s Network Graph allows multiple accounts with similar attributes – shared device identifier, IP address, and billing address attributes – to be connected.
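The cluster-level review described above, as an added Python example rather than Sardine's implementation: accounts are linked when they share a device or an address, and each cluster's daily total is compared with the $10K threshold even though every individual transfer stays under it. The account records, transfers and function names are constructed for illustration.

```python
from collections import defaultdict

THRESHOLD = 10_000  # the $10K reporting threshold cited in the post

# Constructed sample data: a, b and c are linked through dev-1 and 90 Oak Ave.
ACCOUNTS = {
    "acct_a": {"device": "dev-1", "address": "12 Elm St"},
    "acct_b": {"device": "dev-1", "address": "90 Oak Ave"},
    "acct_c": {"device": "dev-7", "address": "90 Oak Ave"},
    "acct_d": {"device": "dev-9", "address": "5 Pine Rd"},
}
TRANSFERS = [  # (account, day, amount in USD)
    ("acct_a", "2024-03-01", 9_500),
    ("acct_b", "2024-03-01", 9_200),
    ("acct_c", "2024-03-01", 8_900),
    ("acct_d", "2024-03-01", 9_800),
    ("acct_a", "2024-03-02", 4_000),
]

def cluster_accounts(accounts):
    """Union-find: accounts sharing any attribute value join one cluster."""
    parent = {a: a for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}
    for acct, attrs in accounts.items():
        for key in attrs.items():          # key is (attribute, value)
            if key in first_seen:
                parent[find(acct)] = find(first_seen[key])
            else:
                first_seen[key] = acct
    clusters = defaultdict(set)
    for acct in accounts:
        clusters[find(acct)].add(acct)
    return [frozenset(c) for c in clusters.values()]

def structuring_alerts(accounts, transfers, threshold=THRESHOLD):
    """Flag multi-account clusters whose sub-threshold transfers add up."""
    cluster_of = {a: c for c in cluster_accounts(accounts) for a in c}
    totals, largest = defaultdict(float), defaultdict(float)
    for acct, day, amount in transfers:
        key = (cluster_of[acct], day)
        totals[key] += amount
        largest[key] = max(largest[key], amount)
    return [
        {"accounts": sorted(c), "day": d, "total": totals[(c, d)]}
        for (c, d) in totals
        if len(c) > 1 and largest[(c, d)] < threshold <= totals[(c, d)]
    ]

if __name__ == "__main__":
    for alert in structuring_alerts(ACCOUNTS, TRANSFERS):
        print(alert)
```

Reviewed one account at a time, none of these transfers crosses the threshold; only the cluster view surfaces the combined daily total.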

3B) Solving data - With customer risk scores

Customer Risk Score

Often AML investigators want to let a low-risk-level AML alert just sit in a queue for a period of time (say 1 year). And then, when there’s a high-risk activity, allow all of these things to be combined. To solve this, Sardine provides a customer risk score, a combination of session-level risk scores.

Our customers can then track the customer risk score across the entire customer journey and reference this score later in their internal business logic and Sardine rule engine executions. Some examples of events to which we can assign a score increment or decrement are:


  • Successful onboarding
  • Passed KYC
  • Successful deposit


  • Bounced check, chargeback, ACH return, fraud decline
  • Customer deposits more than $5K on their first deposit
  • Customer has more than 3 direct deposits in a 30-day window
Figure 3: Sardine’s Customer Risk Score framework allows a bank to combine scores across various sessions into a customer level score and dashboard.

3C) Solving data - With pre-created rules

Pre-created Set of AML rules

When asked to create an AML program, financial institutions often end up hiring AML consulting firms, who can often only provide them with the most common typologies in a document format. After that, the financial institution must hire and staff a team of data engineers and scientists to build a data warehouse and then code up the various AML typologies. At Sardine, we work with various AML consulting firms that help financial institutions create the AML policy, and then they bring in Sardine to create the AML typologies.

Sardine comes preconfigured with 100s of the most common typologies pre-created and available the moment you sign & integrate with us.

Figure 4: Typical workflow before creating a SAR narrative that involves multiple KYC, Sanctions and TM alerts

For instance, our rule engine allows you to create typologies around:

  • Velocities and amounts of the transaction, e.g., whether someone’s transaction amount or the number of transactions is more than 2 standard deviations away from the mean.
  • Whether the logins are happening from countries that are in the FATF gray list of countries
Figure 5: Sample of 100+ AML typologies provided out-of-box by Sardine

3D) Solving data - With Fiat and Crypto in one place

Fiat + Crypto transaction monitoring in one place

Sardine partners with multiple blockchain analytics providers, which allows us to pull data about the counterparties associated with a crypto transaction. We pull tags associated with an address that someone is sending crypto to (to screen the destination address) or receiving from (to perform proper Source of Funds checks).

We work with multiple crypto exchanges, which can then utilize both our fiat and crypto AML rules in one dashboard.

3E) Solving real-time - Rules that fire in real-time

Low-code rule editor

Once your engineering team has integrated Sardine, your compliance team can create new rules in a low-code fashion without any involvement from your engineering team. With premium support, Sardine offers a dedicated team of strategic account managers & risk analysts who work with your compliance team to create new rules and monitor activity as needed.

Sardine offers the ability to run rules in shadow mode (“front test”), so you can monitor statistics such as how many times a rule was triggered, its hit rate, and its false positive rate.

Sardine also offers the ability to backtest rules over the past several months of your dataset, so you get hit rates and false positive rates on historical data before you push a rule live.

Figure 6: Performance of AML rules in terms of fire rate, precision & recall

3F) Solving real-time - With ML that alerts instantly

Machine learning for AML

Sardine uses a variety of machine learning algorithms in our anomaly detection engine, which fires alerts off to a joint Slack channel shared with our customers; the alerts are also available in our dashboard. These alerts then act as a litmus test for our risk analysts to go in and understand whether there’s a specific fraud ring or money laundering ring whereby all these individuals share specific attributes. If so, they quickly create new rules to capture that specific ring (typology).

Figure 7: Anomaly alerts that showcase where an attribute is behaving abnormally, allowing an analyst to go in and create new AML typologies.

3G) Solving communication - With counterparty collaboration

Parent/Child accounts

Compliance products lack automation, and there are large visibility gaps when information gets siloed across the sponsor bank, the BaaS platform, and the fintech.

For example, when a sponsor bank or BaaS provider needs to conduct a Request for Information (RFI) or Enhanced Due Diligence (EDD) about a particular program’s customer, they often do it via secure email. This leaks personal data into emails and makes these entities an attractive hacking target for bad actors.

Moreover, programs must often deliver compliance data to the sponsor bank in spreadsheets, which are archived without a clear look-through of all the programs in the portfolio.

To make matters worse, regulators often lack supervisory technology (“SupTech”) and require the banks to send spreadsheets themselves.

Without automation, it’s increasingly difficult for a sponsor bank to understand the real-time risk presented to itself and its customers. Compliance becomes a one-to-many problem where a bank is increasingly blind to the risks posed by the worst-performing programs they have partnered with directly or indirectly due to the lack of clear oversight.

With Sardine, sponsors, programs, and other BaaS providers can share a single source of truth in one dashboard. Sponsor banks or their BaaS providers can issue an RFI or specific EDD queues within the dashboard to ensure their programs collect enough information on those customers and provide that information securely and in a privacy-preserving way.

Additionally, the dashboard allows fraud operations and compliance teams to push KYC policies and AML transaction monitoring rules across all their programs in one place.

3H) Solving communication - With case management and analytics

Case management queues and analyst performance

Sardine allows cases that are triggered by a rule to be queued into a case management system, where they can be assigned to an analyst, who can approve or decline a case, leave detailed notes, and attach supporting documentation to the case. Once the case is reviewed, the analyst can reassign it to their manager.

Sardine also allows for heads of compliance to generate an audit report that provides a caseload for each analyst along with their performance, e.g., is everyone closing alerts at the same rate?

Sardine also provides a management dashboard that allows them to easily make decisions such as – do we need to hire more folks on the AML team?

Figure 8: Sardine allows Compliance team leads to monitor their teams' workload and audit their analysts' performance.

4. The modern AML/CFT stack

We can hail an Uber in seconds, send money to the other side of the globe in minutes, and ask ChatGPT to code a website in minutes, yet most AML compliance systems are still batch-driven and work at latencies of hours or days. Sardine is the only AML transaction monitoring system that allows compliance teams to create AML rules that can be deployed in seconds and can proactively stop potential AML/CFT transactions in seconds.

One client reduced manual work and overhead by 10x, and false positives by 80% within 3 months of integration.

What will you achieve with Sardine?

Contact us to find out more.

About the author
Soups Ranjan
Co-Founder, CEO