Blog guide · Updated 2026-05-14 · 7 min read · By HubSecure Editorial Team · Reviewed by workflow reviewers

Short summary

Industry false positive rates of 95–99% waste analyst time, cause alert fatigue, and increase the risk of missing genuine suspicious activity.

  • What the compliance workflow needs to prove.
  • Which controls and evidence buyers should check.
  • How HubSecure fits without replacing legal advice.

Reducing AML Transaction Monitoring False Positives (2026 Guide)

Written by HubSecure Editorial Team

Practical guides for secure client portals, RBAC, onboarding and regulated client operations.

Reviewed by HubSecure Security & Compliance Review

Reviewed for security positioning, workflow accuracy and implementation clarity.

Last updated May 7, 2026

Checked against the current HubSecure marketing site and product positioning.

TL;DR

Between 95% and 99% of all AML transaction monitoring alerts are false positives. Each one requires analyst time to investigate and dismiss. A mid-sized team processing 1,000 alerts per month at 20 minutes each loses over 330 person-hours monthly to noise. Worse: constant false alarms cause alert fatigue that increases the probability of missing genuine suspicious activity.

Why false positive rates are so high

Rules calibrated for worst-case scenarios

Most rules were designed conservatively — tuned to catch every possible instance of a pattern rather than only genuinely suspicious ones. A rule that flags all transactions above $10,000 from international sources will catch suspicious activity, but it will also flag every legitimate international payroll run, supplier payment, and intercompany transfer.

Insufficient customer context

A rule firing in isolation, without customer context, generates far more false positives than the same rule evaluated against a rich customer profile. A $50,000 transfer is unusual for a sole trader but completely normal for a law firm managing client funds.

No risk segmentation

Applying the same rules to all customers regardless of risk profile guarantees high false positives for low-risk customers. A verified, long-tenured domestic retail customer should have different monitoring thresholds than a newly onboarded offshore entity.

Practical strategies

1. Risk-based rule calibration

Analyse your historical alert data. For each rule, calculate the true positive rate — what percentage led to a SAR or genuine escalation? Rules below 0.5% true positive rate are candidates for threshold adjustment or retirement. Tune based on actual outcomes, not theoretical scenarios.
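The per-rule calculation described above, as an added example that is not HubSecure code. The rule names, outcome labels, alert history and the minimum sample size are constructed assumptions; the 0.5% cut-off and the 20 minutes per alert come from this guide.

```python
from collections import defaultdict

REVIEW_RATE = 0.005      # the 0.5% true positive cut-off from the text
MIN_ALERTS = 200         # assumption: smaller samples are too noisy to act on
MINUTES_PER_ALERT = 20   # triage time per alert used in the TL;DR
TRUE_POSITIVE = {"sar", "escalated"}  # assumed outcome labels

def constructed_history():
    """Constructed closed-alert history: (rule_id, outcome) pairs."""
    rows = [("INTL_OVER_10K", "sar")] * 2 + [("INTL_OVER_10K", "dismissed")] * 998
    rows += [("RAPID_MOVEMENT", "escalated")] * 9 + [("RAPID_MOVEMENT", "dismissed")] * 291
    rows += [("NEW_CORRIDOR", "dismissed")] * 40
    return rows

def rule_stats(history):
    """Per rule: alert count, true positives, TP rate, analyst hours spent on dismissals."""
    counts = defaultdict(lambda: [0, 0])  # rule -> [true positives, total alerts]
    for rule, outcome in history:
        counts[rule][1] += 1
        counts[rule][0] += outcome in TRUE_POSITIVE
    return {
        rule: {"alerts": n, "true_positives": tp, "tp_rate": tp / n,
               "noise_hours": (n - tp) * MINUTES_PER_ALERT / 60}
        for rule, (tp, n) in counts.items()
    }

def classify(history):
    """Label each rule: 'review' (below cut-off), 'keep', or 'insufficient_data'."""
    labels = {}
    for rule, s in rule_stats(history).items():
        if s["alerts"] < MIN_ALERTS:
            labels[rule] = "insufficient_data"  # do not retire a rule on thin evidence
        elif s["tp_rate"] < REVIEW_RATE:
            labels[rule] = "review"             # candidate for threshold change or retirement
        else:
            labels[rule] = "keep"
    return labels

if __name__ == "__main__":
    history = constructed_history()
    stats, labels = rule_stats(history), classify(history)
    for rule in sorted(stats):
        s = stats[rule]
        print(f"{rule:15} n={s['alerts']:5} tp_rate={s['tp_rate']:.2%} "
              f"noise_hours={s['noise_hours']:.0f} -> {labels[rule]}")
```

A rule with zero true positives but only a handful of alerts lands in `insufficient_data` rather than `review`, which keeps a newly deployed rule from being retired before it has had a chance to fire on anything real.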

2. Customer risk segmentation

Create risk tiers with different monitoring rules. Your highest-risk clients (PEPs, high-risk jurisdictions, complex structures) warrant sensitive rules with lower thresholds. Standard-risk clients can have higher thresholds that reduce noise without increasing real risk.

3. Contextual enrichment

Enrich alerts with customer context before they reach an analyst. Showing the customer's risk rating, typical transaction patterns, recent EDD status and prior alerts alongside the new alert dramatically reduces investigation time and improves decision quality.

4. Scenario-based monitoring

Require multiple indicators to fire simultaneously rather than single thresholds. A scenario that triggers only when transaction amount AND unusual counterparty AND time-of-day AND deviation from customer baseline all occur together is far more precise than any single rule.
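An added sketch (not HubSecure code) combining strategy 2 and strategy 4: a flat single-threshold rule next to a scenario that requires all four indicators, with per-tier thresholds. Tier parameters, business hours, customer profiles and transactions are all constructed assumptions.

```python
# Assumed per-tier parameters (illustrative values, not regulatory thresholds).
TIERS = {
    "high":     {"amount": 5_000,  "baseline_multiple": 2.0},
    "standard": {"amount": 25_000, "baseline_multiple": 4.0},
}
FLAT_THRESHOLD = 10_000       # single rule applied to every customer
BUSINESS_HOURS = range(8, 18)  # assumption: activity outside 08:00-17:59 is unusual

# Constructed customer profiles and transactions.
CUSTOMERS = {
    "law_firm":    {"tier": "standard", "typical_amount": 40_000, "known": {"client-escrow"}},
    "offshore_co": {"tier": "high",     "typical_amount": 2_000,  "known": {"parent-co"}},
}
TRANSACTIONS = [
    {"id": 1, "customer": "law_firm",    "amount": 50_000,  "counterparty": "client-escrow", "hour": 11},
    {"id": 2, "customer": "law_firm",    "amount": 30_000,  "counterparty": "new-vendor",    "hour": 14},
    {"id": 3, "customer": "offshore_co", "amount": 9_000,   "counterparty": "unknown-ltd",   "hour": 3},
    {"id": 4, "customer": "offshore_co", "amount": 6_000,   "counterparty": "parent-co",     "hour": 10},
    {"id": 5, "customer": "law_firm",    "amount": 200_000, "counterparty": "new-vendor",    "hour": 23},
]

def indicators(tx):
    """Evaluate the four indicators named in the text against the customer's tier."""
    cust = CUSTOMERS[tx["customer"]]
    tier = TIERS[cust["tier"]]
    return {
        "amount": tx["amount"] >= tier["amount"],
        "unusual_counterparty": tx["counterparty"] not in cust["known"],
        "time_of_day": tx["hour"] not in BUSINESS_HOURS,
        "baseline_deviation": tx["amount"] > tier["baseline_multiple"] * cust["typical_amount"],
    }

def single_rule_alerts(txs):
    """Flat threshold, no customer context."""
    return [t["id"] for t in txs if t["amount"] >= FLAT_THRESHOLD]

def scenario_alerts(txs):
    """Alert only when every indicator is true for the same transaction."""
    return [t["id"] for t in txs if all(indicators(t).values())]

if __name__ == "__main__":
    print("single rule:", single_rule_alerts(TRANSACTIONS))
    print("scenario:   ", scenario_alerts(TRANSACTIONS))
```

On this constructed data the flat rule alerts on three law-firm transfers and never sees transaction 3, while the tiered scenario drops the two routine law-firm transfers and picks up the off-hours payment from the high-risk customer.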

5. AI-assisted prioritisation

ML models trained on your historical data can score alerts by true positive probability, letting analysts focus first on highest-likelihood cases. This does not replace human review but dramatically improves allocation of analyst time.

Regulatory position: FATF Guidance on Risk-Based Approach explicitly supports tuning rules to reduce ineffective alerts. What regulators do not accept is reducing monitoring without demonstrating that genuine suspicious activity detection is maintained or improved.

Frequently Asked Questions

What is a typical AML false positive rate?

Industry studies consistently report 95-99%. This means for every 100 alerts, only 1-5 relate to genuinely suspicious activity. The rate varies by institution type, monitoring sophistication and rule calibration.

Is it safe to reduce alert thresholds?

Yes, if done correctly with documentation. Regulators support risk-based calibration. The key requirement is demonstrating that genuine suspicious activity detection is not reduced. Document the rationale, test before implementing, and monitor outcomes.

What is the difference between rule-based and AI-based monitoring?

Rule-based monitoring fires alerts when a transaction matches a defined criterion. AI/ML-based monitoring analyses patterns across many variables simultaneously, learning from historical outcomes to score risk probability. AI typically reduces false positives significantly while improving true positive detection.

How do I document monitoring system changes for regulators?

Maintain a model risk management log recording: the change made, the rationale (data analysis supporting it), the expected outcome, and post-implementation performance metrics. Regulators want to see data-driven changes with monitored outcomes.

How long does tuning a monitoring system take?

Initial threshold analysis typically takes 2-4 weeks. Implementing changes and observing results takes 1-3 months. Ongoing tuning should be a quarterly or semi-annual process.

Can HubSecure help with transaction monitoring?

HubSecure provides contextual enrichment of client profiles that helps analysts evaluate alerts faster. Risk segmentation built into onboarding means monitoring rules can be calibrated at the right level for each client's actual risk profile.

Credibility notes

This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
