As someone who’s spent years working with banks on the front lines of AML compliance, I’ve seen firsthand how money laundering tactics continue to evolve—often faster than the systems designed to stop them. But what we’re seeing now marks a turning point.
Criminals are no longer just exploiting gaps in rules or system latency—they’re using AI to actively defeat AML defenses. From training money mule accounts to mimic legitimate customer behavior, to automating transaction flows that blend into the noise, it’s clear that traditional tools alone are no longer enough.
The UK’s 2025 National Risk Assessment of Money Laundering and Terrorist Financing, its first AML/CFT risk review in five years, confirms what many of us in the industry have already observed. The report warns that AI can be used by bad actors to evade behavioral monitoring, flood institutions with low-risk accounts, and disguise illicit activity with normal-looking transactions. But it also calls on institutions to fight back with AI-based AML systems—tools that can extract insights from complex data, reduce false positives, and uncover sophisticated laundering patterns.
At DataVisor, we believe the right path forward isn’t about replacing rules—it’s about augmenting them. That’s why we’ve developed an Ensemble AML Strategy that combines the transparency of rule-based systems with the adaptability of machine learning. Using AI-powered rule tuning, unsupervised machine learning (UML) to detect unknown typologies, and supervised models to prioritize real threats, we help institutions modernize without losing the control and explainability regulators require.
The threats are getting smarter. Our defenses have to be smarter too.
The Status Quo Is Broken: Why Rule-Based AML Alone Fails
For decades, rule-based monitoring has been the foundation of AML programs. And to be clear—it still plays an essential role. Rules are deterministic, transparent, and easy to explain to regulators. They codify known typologies, like structuring or large-value transactions, and they offer clear audit trails when compliance teams are under review.
But in today’s environment, rules alone are noisy and reactive.
Across the industry, it’s not uncommon to see false positive rates exceeding 95%. That means analysts spend most of their time chasing down alerts that turn out to be benign, while truly suspicious activity can slip through undetected. The net effect is not just operational inefficiency—it’s a widening gap between what our systems flag and what actually poses risk.
The gap has only grown with the rise of AI-enabled mule accounts and other sophisticated evasion tactics. Criminal networks can now train AI models to simulate normal customer profiles, maintain low-risk transaction patterns, and diversify device or IP usage—all designed to stay under the radar of static rule sets. These aren’t crude one-off attempts; they’re scalable, adaptive operations that can adjust faster than a manual rules review cycle.
The UK’s 2025 National Risk Assessment makes the risk crystal clear: static rules are no match for adaptive AI-driven crime rings. Once a laundering tactic is coded into a rule, it’s often already obsolete. By the time thresholds are tuned, the behavior has morphed into something new.
If we want to close this gap, AML detection can’t just be reactive—it has to be adaptive. That’s where ensemble strategies, integrating AI alongside rules, can dramatically change the game.

What is the Ensemble Approach? A Smarter Way Forward.
If rule-only AML programs are like using a single lock on your front door, the ensemble approach is a layered security system—combining locks, cameras, alarms, and motion sensors, all working together. Each layer has its own strengths, and when orchestrated, they provide far better protection than any single mechanism on its own.
At DataVisor, the ensemble approach brings together three core elements:
- Rules powered by AI Agents – Retain the transparency and auditability regulators demand, while using AI to automatically fine-tune thresholds and logic for better performance and fewer false positives.
- Unsupervised Machine Learning (UML) – Continuously scans for unknown or emerging patterns, detecting coordinated activity and hidden networks that static rules miss.
- Supervised Machine Learning (SML) – Learns from confirmed suspicious activity and UML discoveries to risk-score alerts, prioritize high-value cases, and auto-disposition low-risk ones.
Why is the Ensemble Approach the Future of AML?
We’ve seen this strategy cut false positives by double digits, uncover entire mule networks before losses occurred, and free thousands of analyst hours each year. More importantly, it positions institutions not just to keep up, but to stay ahead.
The benefits of orchestrating these layers are significant:
- Faster, more accurate detection – Identify both known threats and entirely new typologies in near real time.
- Fewer false positives – Reduce the noise that clogs investigation queues without sacrificing coverage.
- Regulatory confidence – Maintain explainability at every layer, from human-readable rules to interpretable ML outputs.
- Operational efficiency – Free analysts from chasing low-risk alerts so they can focus on the cases that matter most.
- Future-proofing – Continuously adapt detection strategies to match evolving criminal tactics, including AI-powered evasion techniques.
In short, the ensemble approach doesn’t replace rules—it makes them part of a dynamic, self-improving detection strategy that can keep pace with a threat landscape that changes by the day.
How does the Ensemble Approach Work? A Layered Defense in Action
When it comes to AML, no single detection method can do it all. Criminal tactics are too varied, and the stakes are too high, to rely on a single lens. That’s why DataVisor’s ensemble approach is built as a layered defense architecture, where each component plays a distinct but complementary role:
- Rules Powered by AI Agents
  - Role: The first-pass filter for speed and regulatory certainty.
  - Advantage: Retains the transparency and auditability regulators demand, while AI agents provide data-based recommendations to keep thresholds and logic optimized.
  - Impact: Fewer false positives, faster tuning cycles, and ongoing alignment with compliance frameworks.
- Unsupervised Machine Learning (UML) + Knowledge Graph
  - Role: The discovery engine for unknown or emerging threats.
  - Advantage: Detects coordinated activity, hidden relationships, and typologies before they trigger traditional alerts.
  - Impact: Early disruption of mule networks and sophisticated laundering schemes—before the criminals transact.
- Supervised Machine Learning (SML)
  - Role: The triage and optimization layer.
  - Advantage: Learns from historical and UML proxy labels to risk-score alerts, auto-disposition low-risk cases, and identify underperforming rules.
  - Impact: Higher analyst productivity, fewer false positives, and continuous improvement in detection accuracy.
What makes this powerful is the orchestration—each layer feeds and refines the others:
- UML discoveries become proxy labels for SML training.
- SML outcomes highlight which rules are still adding value and which can be retired.
- AI-powered rule tuning keeps the baseline detection framework sharp and adaptive.
The result is an AML program that is:
- Adaptive – Continuously learns and improves with each investigation outcome.
- Accurate – Detects both known and unknown threats with fewer false positives.
- Explainable – Delivers regulator-ready transparency at every stage.
- Efficient – Frees up analyst time for high-impact investigations.
- Resilient – Can evolve alongside, and ahead of, AI-enabled criminal tactics.
In today’s environment—where the UK’s 2025 National Risk Assessment warns of AI being used to evade detection—the ensemble approach isn’t just a competitive advantage. It’s becoming a compliance necessity.
A Deeper Look Into Each of The 3 Elements of The Ensemble Approach: Rules, UML, SML
Rules: The Backbone of AML—Now Smarter and Self-Improving
In every AML program I’ve worked with, rules are the backbone—and for good reason. They offer immediate clarity: every alert ties directly to a documented condition. They align with regulatory expectations and provide the transparency auditors demand. And in many cases, they can be adjusted quickly to respond to known risks like sanctioned entities, high-risk jurisdictions, or suspicious transaction structuring.
This transparency and auditability are non-negotiable. A well-designed rules framework ensures your AML program can clearly demonstrate compliance, withstand audits, and provide defensible logic for why a case was flagged.
That said, rules also have inherent limitations. Static thresholds struggle to adapt to changing behaviors, and they’re prone to producing a flood of false positives—especially when criminal activity is subtle, distributed, or deliberately designed to mimic normal behavior. Tuning these rules manually can be slow, labor-intensive, and reactive—often leaving institutions one step behind.
That’s where DataVisor’s AI Rule Tuning Agent changes the equation.
Instead of combing through historical alerts and guessing at better thresholds, the AI agent simulates multiple variations of a rule in the background, tests them on real historical data, and surfaces data-driven recommendations for improvement. Analysts can see the projected impact—whether it’s a drop in false positives, an improvement in true positive capture, or both—before implementing any changes.
This approach preserves full explainability while giving compliance teams a powerful accelerator for continuous improvement. In one client deployment, AI-powered tuning reduced false positives by over 30% without compromising coverage, freeing hundreds of analyst hours each year.
Rules will always be the first-pass filter in AML, but with AI agents at their side, they can evolve continuously, keeping pace with emerging risks instead of lagging behind them.
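The backtesting idea described above, as an added example (not DataVisor's code): variations of one structuring rule are replayed over labelled history and the variant with the fewest false positives that misses no confirmed case is recommended. The rule shape, the 10,000 reporting limit, and the account data are assumptions constructed for illustration.

```python
"""Backtest variations of one AML rule against labelled history (added example)."""
from itertools import product

REPORTING_LIMIT = 10_000  # assumed cash reporting threshold for this example

# Constructed history: account -> (cash deposits in one 7-day window, confirmed suspicious?)
HISTORY = {
    "A1": ([9500, 9800, 9700, 9900], True),
    "A2": ([9000, 9200, 9400], True),
    "A3": ([8200, 8500, 300], False),
    "A4": ([8100, 8900, 120, 60], False),
    "A5": ([8000, 9100, 45], False),
    "A6": ([9600, 200, 150], False),
    "A7": ([500, 700, 650], False),
    "A8": ([8300, 8700, 8800], False),
}

def fires(deposits, floor, min_count):
    """Hypothetical structuring rule: min_count or more deposits just under the limit."""
    near = [d for d in deposits if floor <= d < REPORTING_LIMIT]
    return len(near) >= min_count

def backtest(floor, min_count, history=HISTORY):
    """Replay one rule variant and count true positives, false positives, misses."""
    tp = fp = missed = 0
    for deposits, suspicious in history.values():
        hit = fires(deposits, floor, min_count)
        tp += hit and suspicious
        fp += hit and not suspicious
        missed += suspicious and not hit
    return {"floor": floor, "min_count": min_count, "tp": tp, "fp": fp, "missed": missed}

def recommend(baseline, floors, counts):
    """Return (baseline result, best variant that misses no more than the baseline)."""
    base = backtest(*baseline)
    candidates = [backtest(f, c) for f, c in product(floors, counts)]
    safe = [c for c in candidates if c["missed"] <= base["missed"]]
    # Fewest false positives first; ties go to the lowest floor (widest coverage).
    best = min(safe, key=lambda c: (c["fp"], c["floor"], c["min_count"]))
    return base, best
```

Labels exist only for activity the baseline rule already surfaced, so a backtest like this can show the cost of tightening a rule but cannot measure what loosening it would newly catch.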
Unsupervised Machine Learning: Seeing What Rules Can’t
If rules are the first-pass filter in AML, unsupervised machine learning (UML) is the deep scanner—continuously looking for hidden, coordinated, or entirely new patterns of suspicious behavior that no one has documented yet.
Unlike supervised models, UML doesn’t need pre-labeled examples of “good” or “bad” activity to work. Instead, it builds behavioral baselines across accounts, devices, and transactions, then identifies outliers and unusual clusters that don’t fit the norm. This makes it particularly effective at detecting novel typologies, emerging threats, and coordinated networks—even when each individual account or transaction looks harmless on its own.
For example, in one investigation, our UML models identified dozens of retail accounts that appeared perfectly normal in isolation. But when analyzed as a group, the patterns emerged:
- All were opened within a three-month window.
- Many shared disposable email domains and patterned prefixes.
- Several listed the same employer and reported near-identical incomes.
- Device and IP overlaps revealed behind-the-scenes connections.
By linking these accounts using UML—and enriching the picture with Knowledge Graph visualization—we uncovered a coordinated money mule network months before traditional rules would have caught it. Even more importantly, this early warning allowed the institution to hold transactions before the criminals could transact.
UML also plays a critical role in the ensemble feedback loop:
- Confirmed clusters become high-quality proxy labels that feed supervised models where human SAR labeling is sparse or inconsistent.
- The visual and actionable maps generated through Knowledge Graph give analysts a faster, more intuitive way to understand the relationships within a network and close cases.
The result is a shift from reactive detection to proactive disruption—spotting laundering rings and fraud rings before they’ve had a chance to move funds or adapt their methods.
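A simplified sketch of the account-linking step from the investigation described above, added here as an example and not taken from DataVisor's models: accounts sharing a device or IP are merged with union-find, and a cluster is flagged when it is large enough, was opened within a 90-day window, and uses a single email domain. All account data, field names, and thresholds are constructed assumptions.

```python
"""Link accounts that share identifiers and flag tight clusters (added example)."""
from collections import defaultdict

# Constructed sample: (account, opened_day, email_domain, device_id, ip)
ACCOUNTS = [
    ("acct01", 3, "mailtmp.example", "dev-a", "198.51.100.7"),
    ("acct02", 20, "mailtmp.example", "dev-a", "198.51.100.9"),
    ("acct03", 41, "mailtmp.example", "dev-b", "198.51.100.9"),
    ("acct04", 77, "mailtmp.example", "dev-b", "198.51.100.30"),
    ("acct05", 10, "bigmail.example", "dev-c", "203.0.113.5"),
    ("acct06", 300, "bigmail.example", "dev-d", "203.0.113.5"),
    ("acct07", 55, "bigmail.example", "dev-e", "203.0.113.80"),
]

def find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
        x = parent[x]
    return x

def clusters(accounts, max_fanout=5):
    """Union accounts sharing a device or IP; skip identifiers shared too widely."""
    parent = {a[0]: a[0] for a in accounts}
    by_key = defaultdict(list)
    for acct, _, _, device, ip in accounts:
        by_key[("device", device)].append(acct)
        by_key[("ip", ip)].append(acct)
    for members in by_key.values():
        if 1 < len(members) <= max_fanout:  # a shared NAT or kiosk IP links nothing
            for other in members[1:]:
                parent[find(parent, other)] = find(parent, members[0])
    groups = defaultdict(list)
    for acct in parent:
        groups[find(parent, acct)].append(acct)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def suspicious_clusters(accounts, min_size=3, window_days=90):
    """Flag linked groups opened close together that all use one email domain."""
    opened = {a[0]: a[1] for a in accounts}
    domain = {a[0]: a[2] for a in accounts}
    out = []
    for group in clusters(accounts):
        span = max(opened[a] for a in group) - min(opened[a] for a in group)
        one_domain = len({domain[a] for a in group}) == 1
        if len(group) >= min_size and span <= window_days and one_domain:
            out.append(group)
    return out
```

No single pair of accounts here shares more than one identifier; the four-account group only appears once device and IP links are chained, which is the property per-account rules cannot see.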
Supervised Machine Learning: Prioritizing What Matters
If rules form the backbone and UML is the scout spotting threats on the horizon, supervised machine learning (SML) is the triage—helping compliance teams focus their energy on the alerts that truly matter.
By learning the patterns and combinations of signals that have historically indicated laundering or other illicit behavior, SML can risk-score each alert in real time. This score typically ranges from 0 to 1, indicating the likelihood that the activity is truly suspicious.
The practical benefits are immediate:
- Alert prioritization: High-risk alerts move to the top of the queue, so analysts tackle the most critical cases first.
- Auto-disposition of low-risk alerts: Cases with exceptionally low risk scores can be automatically closed—preserving a full audit trail—freeing analysts from hours of unnecessary review.
- Dynamic risk tiers: Customers are grouped by actual observed behavior rather than arbitrary thresholds, improving the accuracy of ongoing CDD and EDD workflows.
- Rule optimization and retirement: SML can reveal when certain rules no longer add unique value, allowing for safe decommissioning without sacrificing coverage.
One of my favorite examples comes from a client struggling with mule detection. They had five dedicated mule detection rules generating 1,000 alerts a month—with a 90% false positive rate. By introducing a targeted SML model, they maintained all 100 true positives while reducing total alert volume by 30%, eliminating 3,600 false positives annually and saving roughly 600 analyst hours a year.
The best part? These gains didn’t come at the expense of explainability. Every SML decision comes with explanations—showing exactly which factors influenced the score—so compliance teams can maintain full transparency with regulators and internal governance.
In the ensemble approach, SML ties it all together: it absorbs insights from both rules and UML, sharpens detection precision, and ensures that human attention is spent where it will make the most impact.
Conclusion: Matching AI with AI in the Fight Against Financial Crime
Criminals are already using AI to outpace AML defenses, and static, rules-only programs will not hold the line. The only way to stay ahead is to adopt technology that can learn, adapt, and respond as quickly as the threats evolve.
That’s exactly what the ensemble approach delivers. By combining the transparency of rules, the discovery power of unsupervised machine learning, and the precision of supervised models, we can create AML programs that are smarter, faster, and more resilient than anything criminals are building. And with AI agents recommending rules for optimization, compliance teams can meet regulatory demands while reclaiming time and resources.
In the past, AML has often been reactive—catching yesterday’s patterns tomorrow. With an ensemble strategy, it becomes proactive, even predictive, giving financial institutions the ability to disrupt money laundering before it’s completed, not just after it’s detected.
If your institution is ready to move beyond the rules and build an AML program that stays ahead of an AI-enabled threat landscape, let’s talk. Together, we can cut false positives, boost detection accuracy, and future-proof your compliance strategy.