AML Compliance: Automating Without Losing Control

  • Writer: WAU Marketing
  • Feb 26

Updated: 2 days ago

There's a comfortable belief in compliance: that automating is risky and that the safe path is manual review. In LATAM, the regulator just turned that belief on its head: now it fines you for not automating.


That's not our interpretation. In 2024, Mexico's National Banking and Securities Commission imposed close to 800 sanctions related to money-laundering prevention, totaling 216.2 million pesos—162% more than the year before, as Expansión reported. One of the causes of those sanctions? Lacking automated systems to detect unusual transactions. The regulator's message couldn't be clearer: manual review is no longer enough, and the absence of automation is, in itself, a violation.


The framework, without unnecessary jargon


In Mexico, AML rules under the Anti-Money-Laundering Law and the CNBV's provisions require institutions to have automated systems that detect and monitor transactions, and to keep client identification information for at least ten years. It isn't a best-practice recommendation; it's an obligation.


In Colombia, SARLAFT lives in the Superintendencia Financiera's Basic Legal Circular, whose most recent version is from 2025. And here's the nuance that gives this article its title. That same regulator, in External Circular 010 of 2025, prohibited the automatic blocking of users for criminal records and required case-by-case evaluation. In other words: the Colombian regulator wants automation to detect, but demands human judgment to decide. The decision to onboard a client or not, the rule says, cannot be delegated.


That's the balance. It isn't "automate or control." It's automate in order to control well.


Why manual review no longer holds


The problem with the old approach isn't just that it's slow. It's that it generates noise that buries the signal. In monitoring systems based on rigid rules, between 90 and 95% of alerts are false positives—a figure the industry, citing analysis from firms like PwC, repeats with resignation. Think about it: your compliance team spends the vast majority of its time dismissing alarms that were nothing, while the transaction that did matter slips by unnoticed in the noise.


And when what matters slips by, the bill is brutal. In October 2024, TD Bank pleaded guilty and agreed to pay around $3 billion in penalties for anti-money-laundering compliance failures—the largest penalty ever imposed under the U.S. Bank Secrecy Act, according to the Department of Justice. Globally, the cost of complying with financial-crime regulation tops $200 billion a year, according to LexisNexis Risk Solutions (an industry vendor), and it keeps rising for nearly every institution. Compliance done badly is expensive on both ends: from fines when it fails and from operating cost when it's done by sheer human hours.


What smart automation changes


Modern automation isn't "more rules." It's analytics and models that learn to tell a customer's normal behavior from the genuinely anomalous. The use of artificial intelligence and machine learning in AML monitoring has grown sharply across the industry, from a little over six in ten institutions toward adoption near nine in ten. The measurable result? Conservative estimates from firms like EY point to cutting false positives significantly. That's your team's time given back to what actually matters.


And real-time monitoring changes the moment of truth: instead of catching a suspicious pattern in the next day's report, you see it as it happens, with room to act.


Where your core comes in: the raw material


Here's the point generic compliance articles forget. All this automation is only as good as the data that feeds it. And that data lives in your core. Quality monitoring needs the transaction in real time, not yesterday's statement. The customer risk score, defined at onboarding with know-your-customer data, has to live integrated into the core to be applied consistently and auditably across the whole base. If your core delivers data late, fragmented, or in nightly batches, no AI engine, however good, will detect anything in time.


A legacy core turns compliance into an uphill fight: scattered data, monitoring tied to static rules, and even so, the risk of a fine for not automating. A modern core does the opposite: it delivers live transactional data, integrates risk scoring, and leaves an auditable trail of every decision—automated or human. Compliance stops being a patch and becomes a property of the system.


How we see it at WAU


At WAU we design cores where AML compliance isn't a module bolted on at the end, but part of the architecture: real-time transactional data for detection, integrated risk scoring, and full traceability so every automated decision keeps the human control and explainability the regulator demands. Automate detection without losing judgment: that's the point.


If you need to close an AML gap and prefer to do it by modernizing the foundation rather than adding another isolated system, let's talk. We'll help you align compliance and architecture. 👉 Book a conversation with our team.

