
What is the difference between a true positive and a false positive?

Quick answer

A true positive is an AML alert on genuinely suspicious activity that merits investigation and, where warranted, a SAR filing. A false positive is an alert on legitimate activity that analysts review and dismiss. In practice, false positives account for 90-95% of all AML transaction monitoring alerts.

The full answer

In AML transaction monitoring, every alert resolves to one of four outcomes:

  • True positive (TP): The alert fired on actual suspicious activity. The analyst investigates, documents findings, and, where circumstances warrant, files a Suspicious Activity Report.
  • False positive (FP): The alert fired on legitimate activity. The analyst investigates, finds nothing suspicious, documents the rationale, and closes the alert.
  • False negative (FN): Genuinely suspicious activity that produced no alert. The system missed it. This is the worst outcome from a regulatory standpoint.
  • True negative (TN): Legitimate activity that correctly produced no alert. This is the system working as intended.

The ratio of false positives to true positives is the structural problem in AML today. LexisNexis Risk Solutions' True Cost of Financial Crime research consistently puts false positive rates at 90-95% across financial institutions. That's not a quirk of any one bank. It's what happens when rules-based monitoring systems are built to cast wide nets with minimal segmentation.

Both error types carry regulatory weight. A false positive still requires documented disposition. Under FinCEN's BSA requirements, banks must maintain records of every alert worked, the analyst's findings, and the decision. Examiners review these records during AML exams. A pattern of poorly documented false positive closures is itself a finding.

The SAR filing clock is specific. Per 31 CFR § 1020.320, depository institutions must file within 30 days of detecting suspicious activity, or 60 days if no suspect can be identified. A true positive miscoded as a false positive and closed without escalation is a missed SAR. Find enough of those in an exam and you're looking at a Matter Requiring Attention, a formal agreement, or worse.

The FATF's Risk-Based Approach Guidance for the Banking Sector addresses both error types directly: excessive false positives are a risk management failure because they divert analyst capacity away from genuine threats. Banks that optimize only for catching everything, at the cost of alert accuracy, end up with teams spending the vast majority of their time on dead-end investigations.

For a deeper look at where that 90-95% figure comes from and how banks benchmark it, see what percentage of AML alerts are false positives?

Why this matters

The false positive problem has a direct capacity cost. If a team is running 10,000 alerts per month at a 95% false positive rate, analysts are working through 9,500 dead-end investigations every month. The 500 true positives, the ones that should be getting serious scrutiny and potentially becoming SARs, get less time. Investigations are rushed. Documentation is thin.

That's not just inefficient. It creates regulatory exposure. How much does AML compliance cost a mid-market bank? covers where those costs actually land across the compliance function.

False negatives carry a different kind of cost. When a bank misses genuine suspicious activity, the enforcement consequences can include:

  1. Cease and desist orders
  2. Civil money penalties (the OCC issued a $400 million penalty against Citibank in October 2020 for AML risk management deficiencies)
  3. A monitorship imposed by regulators
  4. Criminal referrals in the most severe cases

What happens when a bank fails an AML exam? covers the enforcement progression in detail.

The precision-recall tradeoff is real and there's no free lunch. You can lower alert thresholds until virtually everything fires, which catches more true positives but floods analysts with noise. Or you tune for precision, reduce the volume, and accept some missed signals. Good AML programs actively manage this balance, track both rates over time, and document their methodology for examiners. Can AI be used for AML transaction monitoring? covers how modern systems handle that tradeoff with behavioral baselines and network analysis.
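The four outcomes listed above and the threshold tradeoff described here can be made concrete with a small threshold sweep. This is an added illustration, not code from the page; the scores and investigation labels are constructed sample values, and the threshold model (alert on any score at or above a cutoff) is an assumption standing in for a real rules engine.

```python
from dataclasses import dataclass

# Constructed sample of scored transactions: (monitoring score, label after
# investigation). True = genuinely suspicious. Invented values, not bank data.
SCORED = [
    (0.95, True), (0.90, True), (0.85, False), (0.80, True), (0.75, False),
    (0.70, False), (0.65, True), (0.60, False), (0.55, False), (0.50, False),
    (0.45, False), (0.40, True), (0.35, False), (0.30, False), (0.20, False),
]

@dataclass(frozen=True)
class Outcomes:
    """The four alert outcomes for one threshold setting."""
    tp: int  # alerted, genuinely suspicious
    fp: int  # alerted, legitimate (analyst closes with documented rationale)
    fn: int  # not alerted, genuinely suspicious (missed-SAR exposure)
    tn: int  # not alerted, legitimate

    @property
    def alerts(self) -> int:
        return self.tp + self.fp

    @property
    def precision(self) -> float:
        return self.tp / self.alerts if self.alerts else 0.0

    @property
    def recall(self) -> float:
        positives = self.tp + self.fn
        return self.tp / positives if positives else 0.0

    @property
    def false_positive_share(self) -> float:
        # Share of worked alerts that are dead ends: the page's 90-95% figure.
        return 1.0 - self.precision if self.alerts else 0.0

def classify(scored, threshold: float) -> Outcomes:
    """Alert on every transaction scoring at or above the threshold."""
    tp = sum(1 for s, sus in scored if s >= threshold and sus)
    fp = sum(1 for s, sus in scored if s >= threshold and not sus)
    fn = sum(1 for s, sus in scored if s < threshold and sus)
    tn = sum(1 for s, sus in scored if s < threshold and not sus)
    return Outcomes(tp, fp, fn, tn)

def sweep(scored, thresholds) -> dict:
    """Map each candidate threshold to its outcomes, for tuning review."""
    return {t: classify(scored, t) for t in thresholds}
```

Running `sweep(SCORED, (0.3, 0.5, 0.8))` shows the tradeoff directly: the loose cutoff catches every suspicious transaction but nine of fourteen alerts are dead ends, while the tight cutoff raises precision to 0.75 and leaves two suspicious transactions unalerted, each a potential missed SAR.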

High-risk patterns like mule accounts are particularly prone to generating false positives in rules-based systems because the individual transactions can look superficially normal. How do mule accounts get detected? explains what behavioral signals actually distinguish them from legitimate activity.

The customer risk rating link is direct. A customer flagged as high-risk under Enhanced Due Diligence should have lower alert thresholds, which initially means more false positives, but produces better true positive rates as the model refines. What is the difference between CDD and EDD? explains when EDD applies and what it changes.

When a true positive is confirmed and escalation is appropriate, the procedural obligations follow quickly. Who files a SAR: the MLRO or the compliance officer? and how long do banks have to file a SAR? cover what happens next.
