Beyond Red Flags: Improving Financial Anomaly Detection under the Wwft
The Netherlands struggles in its fight against illicit financial activity. Despite its extensive regulatory framework, detection of anomalous financial patterns is no simple task due to the many uncertainties involved. Furthermore, as financial data volumes grow and fraudulent patterns remain partly unknown, traditional monitoring approaches are increasingly unreliable. In this blog, I expand on the major issues, highlighting some weak points and suggesting improvements through my research.
Financial Anomaly Detection is Inherently Difficult
Over the past decade, several Dutch banks, both small and large, have received penalties or concluded substantial transactions for failing to comply with anti-money laundering obligations. Penalties include €2.6 million for Bunq and €5 million for De Volksbank in 2025, whereas the transactions range from €480 million for ABN AMRO to a staggering €775 million for ING, in 2021 and 2017 respectively. Additionally, Rabobank is currently under investigation following a severe warning issued in 2021.
The enforcement (trans)actions stem from the Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme). The law assigns financial institutions a clear gatekeeper role, requiring them to monitor transactions and report anomalous behaviour. In theory, this model is widely supported: banks are uniquely positioned to detect illicit financial activity at the earliest possible stage.
In practice, however, compliance has proven to be challenging. Banks find it difficult to detect the oftentimes purposefully hidden illicit patterns among the numerous legal financial transactions and related information. Problems in detection are therefore not about identifying clearly prohibited transactions, but about recognising subtle deviations from what is considered “normal”. This creates a structural problem, because said normal financial behaviour is highly diverse. Income sources, spending patterns and transaction frequency differ widely across individuals, sectors and cultures. What appears anomalous for one customer may be entirely legitimate for another.
Alerts triggered by red flags, i.e. patterns that are often seen in, for example, money laundering or human trafficking, can incorrectly mark regular users as anomalous or suspicious. The threat of these so-called false positives is the main obstacle of modern detection systems. This raises the question: how can we in practice improve this theoretically sound regulatory system?
Structural Limitations of Current Detection Systems
In summary, the shortcomings are often framed as failures in compliance or enforcement. Yet, we must also acknowledge deeper limitations in the detection of illicit activity.
First, despite a shifting focus to more proactive methodologies, detection systems remain largely reactive in nature. For example, red flags are typically derived from historical cases, causing them to trail behind evolving schemes. Additionally, the usage of historical cases places large focus on what is known, whereas many illicit schemes remain undiscovered, both the financial schemes themselves and their underlying exploitative activities such as human trafficking. These downsides all introduce certain biases into the detection schemes, which ultimately should be avoided.
Second, illicit financial activity rarely manifests at the level of an isolated individual or transaction. Money laundering schemes, for example, are often executed through coordinated group activity, rather than by a single individual. When detection focuses primarily on individual behaviour, these group-based patterns are easily missed, while benign individual deviations are disproportionately flagged, which contributes to the large number of false positives.
Addressing the Limitations
We thus require a methodology that is proactively applicable, minimally biased and aimed at larger structural anomalies.
As part of the COMCRIM project, I advocate for comparative benchmarking through my research. Specifically, I aim for benchmarking financial behaviour against what would be statistically expected. To ensure the benchmarks are as unbiased as possible, they are created using entropy. Entropy describes the uncertainty attached to an outcome, providing the 'simplest explanation' of a set of events.
Perhaps counter-intuitively, the outcome with the highest uncertainty is the one that best represents the available data, for no external assumptions are considered. Imagine a set of coin tosses: without any information on the 'weightedness' of the coin, the most unbiased expectation is a 50/50 chance between heads and tails. This is computable to be the configuration with the highest entropy, hence the configuration we are looking for.
Through this configuration, we avoid embedding additional assumptions of risk, allowing anomalies to emerge from the data naturally. This ensures the benchmarks are resilient to our predefined notions of criminal behaviour.
Suspicion, in this framework, arises through simple comparison. Large deviations between observed transaction patterns and their entropy-based benchmark indicate behaviour that is statistically unlikely, and therefore potentially anomalous. This approach is indifferent to our ever-changing knowledge of illicit activity, whereas fixed red flags can quickly become outdated.
While being an improvement, this approach still has a problematic number of false positives, especially for sparse data: when there's little to work with, predictions are less strong. As strength is in numbers, we shift our attention from individuals to groups. The combination of several signals presents a stronger case as the probability of wrongful identification lowers, reducing the number of unsure or false cases. Additionally, this is in line with the focus on larger structural anomalies, addressing both challenges simultaneously. This itself isn't a novel idea by any means (see e.g., here, here or here), yet it complements the benchmarking process to the fullest. Combined, this methodology tackles the aforementioned limitations.
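The benchmarking and grouping steps described above, as an added example that is not code from the COMCRIM project or the author's research. It assumes the only known facts are each sender's and receiver's transaction totals, in which case the maximum-entropy expectation is the product of those totals divided by the grand total, and it scores deviations by treating counts as Poisson distributed. All function names and the data are constructed for illustration.

```python
import math

def entropy(probs):
    """Shannon entropy in bits; zero-probability outcomes contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def maxent_benchmark(counts):
    """Expected counts when only sender and receiver totals are known.

    The entropy-maximising table with fixed row and column totals is the
    product of the marginals: expected[i][j] = row_i * col_j / total.
    """
    rows = [sum(r) for r in counts]
    cols = [sum(c) for c in zip(*counts)]
    total = sum(rows)
    return [[r * c / total for c in cols] for r in rows]

def z_score(observed, expected):
    """Deviation in standard deviations (assumption: Poisson counts)."""
    return (observed - expected) / math.sqrt(expected)

def edge_scores(counts, expected, senders, receivers):
    """Score every sender-to-receiver pair on its own."""
    return {(i, j): z_score(counts[i][j], expected[i][j])
            for i in senders for j in receivers}

def group_score(counts, expected, senders, receivers):
    """Pool all pairs between the two sets into a single comparison."""
    obs = sum(counts[i][j] for i in senders for j in receivers)
    exp = sum(expected[i][j] for i in senders for j in receivers)
    return z_score(obs, exp)

# Constructed data: 10 senders x 8 receivers with 5 transfers on every pair,
# except a 3 x 2 block (senders 7-9 to receivers 6-7) with 12 transfers each.
GROUP_S, GROUP_R = (7, 8, 9), (6, 7)
COUNTS = [[12 if i in GROUP_S and j in GROUP_R else 5 for j in range(8)]
          for i in range(10)]
EXPECTED = maxent_benchmark(COUNTS)

if __name__ == "__main__":
    # The coin from the text: the fair coin has the highest entropy.
    print("coin entropy (bits):", entropy([0.5, 0.5]), entropy([0.7, 0.3]))
    singles = edge_scores(COUNTS, EXPECTED, GROUP_S, GROUP_R)
    print("largest single-pair z:", round(max(singles.values()), 2))
    print("pooled group z:",
          round(group_score(COUNTS, EXPECTED, GROUP_S, GROUP_R), 2))
```

With a review threshold of two standard deviations, no single pair in the block would be flagged, while the pooled group is.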
Strengthening Financial Gatekeeping
Given the points of improvement, we have partnered with, inter alia, three financial institutions, which possess the earliest and most comprehensive view of transactional behaviour. Strengthening their role as gatekeeper is the straightforward choice of focus. Through unbiased benchmarking, combined with a group-based approach, detection systems can become more adaptive to changing strategies while reducing unnecessary investigative pressure arising from excess false positives.
In conclusion, financial systems continue to evolve in scale and complexity. Policies to combat unlawful behaviour will increasingly depend not only on regulation and supervision, but also on the statistical methods used to interpret the increasing complexity of financial data. Investing in more robust and adaptive detection frameworks is therefore essential in ensuring that the gatekeeper role envisioned by the Wwft can function as intended.
About Nik Brouw
Nik Brouw is a computational scientist with a focus on understanding complex (criminal) systems through data-driven modeling and algorithm development. He has a diverse mathematical background mainly in applied mathematics and logic, and his PhD spans areas like network theory and statistical physics. As part of the COMCRIM project, his research currently focuses on the statistical reconstruction of networks and applying this to anomaly detection in dynamic systems, aiming to uncover hidden structures and dynamics in large-scale data.