---
title: "AI Transaction Monitoring for Banks in the EU: AMLR, FATF, AI Act | Impetora"
description: "How banks deploy AI transaction monitoring under the EU AML package, FATF Recommendation 10, BCBS guidance and the EU AI Act fraud-detection exception."
url: https://impetora.com/answers/ai-transaction-monitoring-banks-eu
locale: en
datePublished: 2026-04-28
dateModified: 2026-04-28
author: Impetora
---

# AI transaction monitoring for banks: regulatory map and design

> Transaction monitoring is the most mature AI use case in EU banking. Rule-based systems have been in production for two decades and machine-learning supplements have been mainstream since the mid-2010s. The regulatory perimeter is the EU AML package (Regulation (EU) 2024/1624 and Directive (EU) 2024/1640), the FATF 40 Recommendations, BCBS sound-management guidance and, for the AI layer, the EU AI Act with a narrow fraud-detection exception under Annex III [1].

*Updated 2026-04-28. By Impetora.*

## What does AI transaction monitoring do?

Transaction monitoring scans payment flows in near real time to detect patterns suggestive of money laundering, terrorist financing, sanctions evasion or fraud. Traditional rule engines look for threshold breaches and known typologies. AI supplements add anomaly detection, network analysis (entity-link graphs), behavioural baselining per customer segment and natural-language enrichment of unstructured payment narratives. The output is rarely a final action. It is an alert routed to a human analyst who triages, investigates and decides whether to file a Suspicious Activity Report. The bank that wires AI output directly to account freezes or SAR filings has skipped the human step that supervisors expect.

## What does the EU AML package require?

Regulation (EU) 2024/1624 (AMLR), Directive (EU) 2024/1640 (AMLD6) and Regulation (EU) 2024/1620 establishing the Anti-Money Laundering Authority entered into force in 2024. AMLR Articles 16 to 19 set out customer due diligence and ongoing monitoring obligations. Article 21 covers transaction monitoring specifically: institutions must establish and maintain effective monitoring systems calibrated to their risk profile [1]. The package consolidates and tightens the EU's Anti-Money Laundering rules and centralises supervision of high-risk cross-border institutions under AMLA in Frankfurt. AI in transaction monitoring is permitted, but the institution remains accountable for false-negative rates, alert quality and timely SAR filing.

## Does the AI Act treat transaction monitoring as high-risk?

Annex III 5(b) of Regulation (EU) 2024/1689 covers AI systems used to evaluate creditworthiness or establish credit scores. There is an explicit carve-out: AI systems used for the purpose of detecting financial fraud are not high-risk under that point. Pure transaction monitoring AI focused on AML, fraud and sanctions therefore sits outside the high-risk perimeter, provided it does not double as a creditworthiness scorer. This does not mean unregulated. GDPR, the AML package, banking secrecy rules, FATF Recommendation 10 and BCBS sound-management guidance all apply. The AI Act's general transparency obligations under Article 50 also apply where a customer interacts with the system directly.

## What do FATF and BCBS expect on model performance?

FATF Recommendation 10 requires customer due diligence and ongoing monitoring proportionate to risk. The 2021 FATF guidance on a risk-based approach to virtual assets and the 2023 update on digital identity systems both endorse machine-learning monitoring with appropriate governance [2]. The Basel Committee on Banking Supervision's Sound Management of Risks Related to Money Laundering and Financing of Terrorism (BCBS guidelines) sets out three-lines-of-defence governance, model validation expectations and the requirement for an independent compliance function with sign-off authority over monitoring system changes.

## What does a defensible AI monitoring stack look like?

Layered. Rule engine for known typologies and regulator-mandated scenarios stays as the floor. ML supplements add anomaly scoring, peer-group comparison and entity-resolution. Network analysis surfaces connected-party exposure. Each layer feeds an alert queue; the alert is the unit of human review. The model risk discipline is unchanged from credit models: independent validation, documented data lineage, performance monitoring (precision and recall against confirmed SARs), drift detection and a governance committee with sign-off. Banks that present supervisors with reproducible model cards, validation reports and tuning histories survive AML inspections; banks that present a black-box vendor system without local documentation do not.

## How does Impetora support transaction-monitoring engagements?

Impetora's TRACE methodology applies the same governance discipline that bank model-risk teams expect. Trust covers the contractual and data-protection layer including DORA third-party clauses for the vendor stack. Readiness produces the workflow audit and feature documentation. Architecture covers production-grade design with logging, segregation and recoverability. Citations and Evidence covers the audit-trail layer reviewed by AMLA, national supervisors and internal audit.

## Frequently asked questions

### Is AI transaction monitoring high-risk under the EU AI Act?

No. The Annex III 5(b) creditworthiness perimeter explicitly excludes AI systems used to detect financial fraud. Pure transaction monitoring sits outside the high-risk regime. AML, GDPR, banking secrecy, FATF and BCBS rules still apply.

### Can AI auto-file Suspicious Activity Reports?

No. SAR filing is a regulated act requiring trained-analyst review and judgment. AI supplements alert generation and triage; the SAR itself remains a human filing. Auto-filing skips the analyst review supervisors expect and creates unmanageable false-positive risk to FIUs.

### Who is AMLA and when does direct supervision start?

The Anti-Money Laundering Authority, headquartered in Frankfurt, is the new EU agency for AML supervision and FIU coordination. It begins direct supervision of selected high-risk cross-border institutions during the phased implementation of the AML package, with full operational capacity ramping through 2027 to 2028. National supervisors continue to handle the broader population.

### How do we validate an ML monitoring model?

Independent validation against a labelled holdout (confirmed SARs and confirmed clean transactions), periodic re-validation on a documented cadence, drift monitoring, fairness testing where customer attributes are inputs, and a governance committee with sign-off. The validation methodology must be documented and reproducible by an external reviewer.
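An added example, not Impetora's or any vendor's code: the layered alert decision (rule hit as the floor, ML score as a supplement) measured for precision and recall against confirmed SARs, plus one drift metric. The holdout rows are constructed, and the Population Stability Index is an assumed choice of drift measure, since the page does not name one.

```python
import math

# Constructed labelled holdout: (rule_hit, ml_score, confirmed_sar). Not real data.
HOLDOUT = [
    (True,  0.91, True),
    (False, 0.84, True),
    (False, 0.12, False),
    (True,  0.30, False),
    (False, 0.77, False),
    (False, 0.40, True),
    (False, 0.05, False),
    (True,  0.66, True),
]

def alerts(rows, threshold):
    """Layered decision: a rule hit always alerts; the ML score can only add alerts."""
    return [rule or score >= threshold for rule, score, _ in rows]

def precision_recall(rows, threshold):
    """Alert quality against confirmed SARs; each alert still goes to an analyst."""
    flagged = alerts(rows, threshold)
    tp = sum(f and sar for f, (_, _, sar) in zip(flagged, rows))
    fp = sum(f and not sar for f, (_, _, sar) in zip(flagged, rows))
    fn = sum((not f) and sar for f, (_, _, sar) in zip(flagged, rows))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall

def psi(baseline, current, bins=5, eps=1e-6):
    """Population Stability Index over equal-width score bins on [0, 1].
    Assumed drift measure: 0 means identical distributions, larger means more drift."""
    def shares(scores):
        counts = [0] * bins
        for s in scores:
            counts[min(int(s * bins), bins - 1)] += 1
        return [max(c / len(scores), eps) for c in counts]  # eps avoids log(0)
    b, c = shares(baseline), shares(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))

if __name__ == "__main__":
    print("rules only :", precision_recall(HOLDOUT, threshold=1.1))
    print("rules + ML :", precision_recall(HOLDOUT, threshold=0.7))
    validated = [s for _, s, _ in HOLDOUT]
    print("PSI vs drifted scores:", round(psi(validated, [0.9] * 8), 2))
```

Recording these figures per tuning change, with the threshold and holdout version, gives the reproducible tuning history the validation answer calls for.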

### Are vendor monitoring systems acceptable to supervisors?

Yes, if the bank holds local documentation: model logic, validation results, tuning history, alert-policy decisions and override events. A black-box vendor system without local artefacts is not acceptable. DORA Articles 28 to 30 also impose third-party contract requirements on AI vendors providing critical-function services.

## Sources cited

1. Regulation (EU) 2024/1624 (AMLR). European Union, Official Journal, 2024-05-31. https://eur-lex.europa.eu/eli/reg/2024/1624/oj
2. FATF 40 Recommendations. Financial Action Task Force, 2023-update. https://www.fatf-gafi.org/en/topics/fatf-recommendations.html
3. Regulation (EU) 2024/1689 (Artificial Intelligence Act). European Union, Official Journal, 2024-07-12. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
4. Sound management of risks related to money laundering. Basel Committee on Banking Supervision, 2020-07. https://www.bis.org/bcbs/publ/d505.htm
5. AMLA - Anti-Money Laundering Authority. European Union, 2024. https://anti-financial-crime-authority.europa.eu/
