How does graph analytics help with AML detection?
Quick answer
Graph analytics maps relationships between accounts, people, and entities to detect money laundering networks that individual transaction monitoring misses. It's most effective against structuring rings, mule chains, and shell company schemes. FATF typologies confirm professional laundering is a network problem, not a single-transaction problem.
The full answer
Graph analytics maps connections between entities in a bank's data: customers, accounts, transactions, devices, addresses, and beneficial ownership structures. Instead of evaluating each transaction or account in isolation, it treats the entire relationship network as the unit of analysis.
The practical result is that a structuring scheme spread across 20 accounts, each individually below any rule threshold, becomes visible as a cluster of high-frequency small transfers with a common consolidation point. A mule network shows up as a directed graph with characteristic topology. Shell company chains that obscure beneficial ownership can be traversed automatically rather than manually researched by an analyst.
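The structuring case above can be shown in a few lines. This is an added example, not code from the original page: the transfers are constructed, and the 10,000 rule threshold and the minimum of five distinct senders are assumed parameters.

```python
from collections import defaultdict

THRESHOLD = 10_000  # assumed per-transaction rule threshold

def sample_transfers():
    """Constructed data: 20 feeder accounts paying one hub, plus unrelated activity."""
    txs = [(f"A{i:02d}", "HUB", 9_000 + 10 * i) for i in range(20)]
    txs += [("P1", "SHOP", 120), ("P2", "SHOP", 80), ("P3", "LANDLORD", 15_000)]
    return txs

def rule_alerts(transfers, threshold=THRESHOLD):
    """Per-transaction view: alert only on single transfers at or above the threshold."""
    return [t for t in transfers if t[2] >= threshold]

def consolidation_points(transfers, threshold=THRESHOLD, min_senders=5):
    """Network view: receivers fed by many distinct senders, each below the
    threshold, whose combined inflow is at or above it."""
    senders = defaultdict(set)
    totals = defaultdict(int)
    for src, dst, amount in transfers:
        if amount < threshold:  # invisible to the per-transaction rule
            senders[dst].add(src)
            totals[dst] += amount
    hits = {}
    for dst, srcs in senders.items():
        if len(srcs) >= min_senders and totals[dst] >= threshold:
            hits[dst] = {"senders": len(srcs), "total": totals[dst]}
    return hits

if __name__ == "__main__":
    txs = sample_transfers()
    print("rule alerts:", rule_alerts(txs))
    print("consolidation points:", consolidation_points(txs))
```

On this data the per-transaction rule alerts only on the single 15,000 payment, while the fan-in view surfaces the hub that none of the 20 feeder transfers would have flagged.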
The core algorithms are well-established in the computer science literature. Community detection (Louvain and label propagation are the most commonly deployed methods) groups entities into likely-related clusters. Centrality measures identify accounts that are unusually well-connected or sit at critical junctions in fund flows. Path analysis traces the route from source to destination across multiple hops, which is how investigators map layering schemes.
Banks implement graph analytics three ways. Some run graph queries on top of existing relational data using specialized analytics software. Some use dedicated graph databases (Neo4j and TigerGraph are the most deployed in financial services). Some buy graph risk scoring as a module from AML platform vendors. The technology choice matters less than whether the output actually integrates with case management and alert triage.
FATF Recommendation 1 requires risk-based AML programs to account for how criminals layer and integrate funds across multiple entities and jurisdictions. Graph analytics is the operational implementation of that requirement at the account level.
FinCEN's CDD Rule, effective since 2018, requires covered financial institutions to identify and verify the identity of beneficial owners of legal entity customers. A graph model that maps ownership hierarchies is the most practical way to meet that requirement when ownership chains run three or four levels deep.
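Traversing a multi-level ownership chain, as described above, amounts to multiplying ownership fractions along each path and summing per ultimate owner. This is an added example, not code from the original page: the ownership records and names are constructed, the 0.25 cut-off is an assumed parameter, and any owner with no recorded owners of its own is treated as an ultimate owner.

```python
# Constructed ownership records: (owner, owned_entity, fraction). Names are hypothetical.
OWNERSHIP = [
    ("HoldCo A", "Customer LLC", 0.60), ("HoldCo B", "Customer LLC", 0.40),
    ("Trust X", "HoldCo A", 0.50), ("Carol", "HoldCo A", 0.50),
    ("Alice", "Trust X", 1.00),
    ("Bob", "HoldCo B", 0.50), ("Alice", "HoldCo B", 0.50),
]

def effective_owners(records, target):
    """Return {ultimate_owner: effective fraction of target} across all ownership paths."""
    owners_of = {}
    for owner, entity, frac in records:
        owners_of.setdefault(entity, []).append((owner, frac))
    result = {}

    def walk(entity, share, path):
        for owner, frac in owners_of.get(entity, []):
            if owner in path:
                continue  # circular ownership: do not loop forever
            if owner in owners_of:
                # Intermediate legal entity: keep climbing the chain.
                walk(owner, share * frac, path | {owner})
            else:
                # Assumption: no recorded owners means an ultimate owner.
                result[owner] = result.get(owner, 0.0) + share * frac

    walk(target, 1.0, {target})
    return result

def owners_at_or_above(records, target, cutoff=0.25):
    """Ultimate owners whose combined indirect stake meets the assumed cut-off."""
    stakes = effective_owners(records, target)
    return sorted(o for o, s in stakes.items() if s >= cutoff - 1e-9)

if __name__ == "__main__":
    print(effective_owners(OWNERSHIP, "Customer LLC"))
    print(owners_at_or_above(OWNERSHIP, "Customer LLC"))
```

Alice holds no direct stake in the customer, but her two indirect paths (through the trust and through the second holding company) combine to the largest effective share, which a level-by-level manual review can miss.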
FATF's 2021 guidance on new technologies identifies network and graph analysis as a good practice for detecting complex money laundering typologies, including trade-based laundering, layering through shell structures, and mule account networks.
Why this matters
False positive rates in rule-based AML monitoring regularly exceed 95%. That means analysts spend nearly all their time reviewing legitimate activity. Graph risk signals help prioritize the alert queue by surfacing accounts connected to confirmed suspicious activity, even if the account's own transactions haven't yet triggered a rule threshold.
For mule account detection, graph analytics is close to essential. Mules are recruited precisely because they're low-risk individuals with clean accounts. Their individual transaction history looks unremarkable. What gives them away is their position in the network: they receive funds from a known bad actor or send funds toward a high-risk destination through a chain of two or three intermediate accounts. You can't see that in a single-account view.
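The network-position signal described above can be computed with a bounded breadth-first search in each direction. This is an added example, not code from the original page: the edges and account names are constructed, and the three-hop limit is an assumed parameter.

```python
from collections import defaultdict, deque

# Constructed transfer edges (sender, receiver); account names are hypothetical.
EDGES = [("BAD", "M1"), ("M1", "M2"), ("M2", "M3"), ("M3", "OFFSHORE"),
         ("EMPLOYER", "M2"), ("C1", "SHOP"), ("M1", "SHOP")]

def hops_from(edges, seed, max_hops=3, downstream=True):
    """Shortest hop count from seed to every account reachable within max_hops.
    downstream=True follows the money forward; False walks it backward."""
    adj = defaultdict(set)
    for src, dst in edges:
        if downstream:
            adj[src].add(dst)
        else:
            adj[dst].add(src)
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not expand past the hop limit
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    del dist[seed]
    return dist

def mule_candidates(edges, bad_actor, risky_dest, max_hops=3):
    """Accounts that sit both downstream of a confirmed bad actor and
    upstream of a high-risk destination, each within max_hops."""
    down = hops_from(edges, bad_actor, max_hops, downstream=True)
    up = hops_from(edges, risky_dest, max_hops, downstream=False)
    return sorted(acct for acct in down if acct in up)

if __name__ == "__main__":
    print(hops_from(EDGES, "BAD"))
    print(mule_candidates(EDGES, "BAD", "OFFSHORE"))
```

Requiring both directions keeps ordinary counterparties out of the result: the shop receives money from an exposed account and the employer pays into one, but neither lies on a path between the two seeds.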
Trade-based money laundering is another area where network analysis outperforms rules. TBML schemes involve trade counterparties, invoice manipulation, and correspondent banking chains. The suspicious activity is in the relationship between the importer, the exporter, the freight forwarder, and the financing bank. Graph analytics links those entities and flags anomalies in the network, where a rule-based system looking at a single wire transfer sees nothing unusual.
Enforcement actions have made the stakes concrete. The Department of Justice's 2024 action against TD Bank resulted in a $3 billion penalty and described systemic failures to detect organized money laundering networks operating through the institution. When a bank fails an AML exam, examiners increasingly cite failure to identify related-account networks as a specific control gap, not just generic monitoring weaknesses.
Customer risk ratings need to account for network exposure, not just individual account history. If a bank refreshes customer risk ratings on a periodic schedule without incorporating network signals, a customer's rating can stay low even as their first-degree connections are generating SARs. Graph-informed risk scoring feeds directly into perpetual KYC programs because network changes, not just account-level events, should trigger re-evaluation.
AI-based transaction monitoring and graph analytics are complementary. Machine learning models trained on transaction features identify anomalous individual transactions. Graph analytics identifies anomalous network structures. A mature AML program uses both signals and routes them into the same case management workflow.
The difference between CDD and EDD matters here too. Enhanced due diligence for high-risk customers typically includes beneficial ownership research, source of wealth verification, and adverse media screening. Graph analytics surfaces unexpected connections before an analyst manually researches them, which cuts the time EDD takes on complex corporate customers from days to hours.
FinCEN's definition of suspicious activity encompasses transactions that involve funds from illegal activity or are designed to evade reporting requirements. Structuring across multiple accounts and layering through shell entities are canonical examples of that evasion. Graph analytics is the detection mechanism most directly calibrated to catch those patterns.