How does graph analytics help with AML detection?
Quick answer
Graph analytics maps accounts, entities, and transactions as a network instead of examining records in isolation. It detects layering rings, mule chains, and shell company webs that standard transaction monitoring cannot see. FATF's 2021 technology guidance explicitly names network analysis as a high-value AML detection tool.
The full answer
Graph analytics treats the financial system as a network. Every account, individual, legal entity, device, and IP address is a node. Every transaction and every shared attribute (registered address, phone number, device fingerprint) is an edge. Standard AML transaction monitoring evaluates each account against rules in isolation. Graph analytics evaluates the relationships between them.
The difference matters most when criminals design schemes specifically to evade per-account rules. A ring of forty accounts that each deposit $9,800 once and route the combined $392,000 to a single beneficiary will clear most threshold-based systems. Each account looks clean individually. The ring is invisible unless you look at it as a network. Graph analytics looks at it as a network.
Core techniques
Community detection groups accounts that behave as a coordinated unit. A cluster of forty accounts with synchronized deposit timing and convergent outflows is a probable mule ring, whether or not any individual account triggers a rule. For the account-level signals that precede network detection, see how mule accounts get detected.
Path analysis reconstructs the layering phase of a laundering scheme by tracing multi-hop fund flows. Criminals move money through three to seven intermediary accounts before it reaches the integration point. Path analysis maps the whole chain, not just the first or last hop.
Centrality measures identify hub accounts. An account with high betweenness centrality sits on many shortest paths between other accounts in the network. That structure frequently indicates a collection point or mixer.
Link analysis surfaces hidden shared attributes. Two accounts with different registered names that share a phone number, a device ID, or an address are likely controlled by the same person. This extends customer due diligence and enhanced due diligence by surfacing relationships that static KYC records do not capture.
Typologies it catches
Most high-value laundering schemes have a network dimension:
- Structuring rings: Multiple accounts deposit just below the Currency Transaction Report threshold and converge on one target account. Individual accounts look unremarkable. The convergence pattern does not.
- Mule networks: Recruited accounts receive fraud proceeds and forward them rapidly onward. Traditional monitoring sees one mule account in isolation. Graph analytics sees the controller at the centre of thirty mule accounts simultaneously.
- Shell company chains: A beneficial owner runs funds through three to seven holding companies across jurisdictions. Graph analytics traces the full entity path.
- Trade-based money laundering: Importers and exporters that share hidden beneficial owners manipulate invoices across borders. Invoice discrepancies look minor per counterparty; the entity graph reveals the connection. See what trade-based money laundering is.
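The structuring-ring case described above, worked through as an added example that is not part of the original page. The transactions are constructed, and the threshold, the "just below" band, the 72-hour window and the minimum ring size are assumed rule parameters, not values from any real monitoring system.

```python
from collections import defaultdict

CTR_THRESHOLD = 10_000  # assumed per-transaction reporting threshold
NEAR_BAND = 0.90        # assumption: "just below" means within 10% of the threshold
WINDOW_HOURS = 72       # coordination window, matching the graph alert wording on the page
MIN_RING = 10           # assumption: minimum distinct senders to call it a ring

def per_account_alerts(txs):
    """Rule-based view: each transfer is judged alone against the threshold."""
    return [t for t in txs if t["amount"] >= CTR_THRESHOLD]

def convergence_rings(txs):
    """Graph view: group edges by destination node and look for many distinct
    senders of near-threshold amounts arriving inside one time window."""
    inbound = defaultdict(list)
    for t in txs:
        if NEAR_BAND * CTR_THRESHOLD <= t["amount"] < CTR_THRESHOLD:
            inbound[t["dst"]].append(t)
    rings = []
    for dst, edges in inbound.items():
        edges.sort(key=lambda t: t["hour"])
        best, start = [], 0
        for end in range(len(edges)):
            # Slide the window so it never spans more than WINDOW_HOURS.
            while edges[end]["hour"] - edges[start]["hour"] > WINDOW_HOURS:
                start += 1
            window = edges[start:end + 1]
            if len({t["src"] for t in window}) > len({t["src"] for t in best}):
                best = window
        senders = {t["src"] for t in best}
        if len(senders) >= MIN_RING:
            rings.append({"beneficiary": dst, "senders": len(senders),
                          "total": sum(t["amount"] for t in best)})
    return rings

def sample_transactions():
    """Constructed data: a 40-account ring plus unrelated retail payments."""
    txs = [{"src": f"ring{i:02d}", "dst": "benef", "amount": 9_800, "hour": i * 1.5}
           for i in range(40)]
    txs += [{"src": f"cust{i}", "dst": f"shop{i % 3}", "amount": 120 + i, "hour": i * 5}
            for i in range(30)]
    return txs

if __name__ == "__main__":
    txs = sample_transactions()
    print("per-account alerts:", len(per_account_alerts(txs)))
    print("convergence rings:", convergence_rings(txs))
```

The per-account rule raises nothing on this data, while the fan-in check reports one beneficiary with forty senders and $392,000 in total.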
Why this matters
The false positive rate in AML is severe. At most institutions, 90% or more of AML alerts are false positives. Graph analytics doesn't eliminate false positives, but it changes their character. A rule-based alert says "this account sent $9,800 twice." A graph alert says "this account is part of a forty-node community that collectively processed $392,000 in coordinated deposits over 72 hours." The second alert is harder to dismiss and carries far more investigative weight.
Investigation efficiency improves significantly. An analyst following a complex layering case traditionally pulls thirty separate account records and reconstructs the network manually. That can consume most of a working day. Graph visualization surfaces the same network on a single screen in seconds. Compliance teams that have deployed network visualization consistently report a substantial reduction in hours per complex investigation.
Regulatory expectations are moving in this direction. FATF's 2021 guidance on new technologies for AML/CFT names network analysis as a tool supervisors expect institutions to evaluate. FinCEN's advance notice of proposed rulemaking (85 FR 58023, September 2020) raised network analytics explicitly as part of the AML program effectiveness discussion. Institutions that cannot demonstrate they have assessed network-level risk will face harder questions in a regulatory exam. See what triggers a regulatory exam for the factors that drive increased supervisory scrutiny.
The 2020 FinCEN Files investigation by the International Consortium of Investigative Journalists documented $2 trillion in transactions that major US banks flagged internally but still processed. Many involved multi-hop correspondent banking chains. Graph analytics is built specifically to map those chains.
Graph analytics also feeds AI-based AML transaction monitoring as a feature layer. Machine learning models trained on graph features (community membership, centrality, network velocity of funds) consistently outperform models trained on account-level features alone. The graph provides context the transaction record alone cannot.
One real constraint: graph traversal is compute-intensive. Real-time graph scoring at the payment level adds 50 to 200 milliseconds of latency. For high-value wires and cryptocurrency, that's acceptable. For high-volume retail payments, overnight batch graph runs are standard. Detection delay is a real trade-off. For schemes that develop over weeks, it's manageable. For real-time fraud, it's a limitation worth acknowledging.
FinCEN's definition of suspicious activity requires institutions to file a SAR when they know, suspect, or have reason to suspect a transaction involves funds from illegal activity. A graph model that surfaces a forty-node mule ring gives investigators far stronger grounds for that determination than a per-account threshold breach. The evidentiary quality of the alert improves, which matters when the SAR reaches the analyst who decides whether and how long banks have to file.