Book a Discovery Call

  Blog

Detection Isn’t Solved — Defensibility Is the Real Test

May 6, 2026

Brian Gilman, Chief Marketing Officer, ThetaRay

For more than a decade, AML transformation has focused on improving detection.

But across many US banks, detection has evolved incrementally, often through layering additional rules onto legacy systems, without consistently improving the ability to identify the most relevant or complex financial crime risk.

As a result, institutions continue to generate high volumes of alerts, while still facing blind spots in identifying meaningful or interconnected risk.

This creates a more immediate concern: whether gaps in detection and inconsistencies in decision-making already exist within the program — only becoming visible under regulatory scrutiny.

The issue is not simply operational.
It is whether institutions can confidently demonstrate that risk has been identified, assessed, and resolved in a consistent and defensible way.

Detection Doesn’t Reduce Risk — Decisions Do

An alert does not reduce risk.

Risk is reduced when:

  • An alert is investigated
  • A decision is made
  • That decision is supported by clear evidence

And increasingly, that decision must also be explained.

Regulators are not asking how many alerts were generated.
They are asking:

  • Why was this alert escalated or cleared?
  • What evidence supports that decision?
  • Is that decision consistent across similar cases?

This is where many AML programs begin to lose control — not in detection, but in how outcomes are determined.

More Alerts, More Complexity — Same Processes

As detection coverage expands, it does not simplify operations, it increases complexity.

Modern transaction monitoring surfaces:

  • Multi-layered behavioral patterns
  • Cross-border activity
  • Interconnected networks of transactions

These are exactly the types of risks regulators expect banks to identify.

But they are significantly harder to investigate.

And yet, in many institutions, investigation processes remain largely unchanged:

  • Data is gathered manually
  • Context is reconstructed across systems
  • Decisions rely heavily on individual judgment

👉 The result is a growing gap between what is detected and how consistently it can be resolved.

Automation Doesn’t Fix the Underlying Problem

In response, many institutions are introducing automation or agentic investigation layers to improve efficiency.

While these approaches can accelerate tasks, they do not address the core issue.

👉 Applying automation to low-quality or inconsistent alerts does not resolve the problem — it risks amplifying it.

If detection is not identifying the most relevant risk, and if decisioning is not structured and consistent, automation simply increases the speed at which inconsistency occurs.

Similarly, workflow-driven or RPA-based solutions can improve process efficiency, but they do not ensure consistent, risk-based decisioning or defensible outcomes.

Where AML Programs Break Down

The most critical point of failure in AML today is not detection.

It is what happens after the alert is generated.

This is where:

  • Investigations become fragmented
  • Decisions vary across analysts
  • Documentation lacks structure
  • Quality assurance introduces rework

And when regulators ask a simple question, “Why was this alert cleared or escalated?”, the answer is not always clear, consistent, or easy to defend.

This is no longer just an operational challenge. It is a source of regulatory exposure.

Regulatory Expectations Are Changing

Across the United States, regulators are placing increasing emphasis on:

  • Consistency of decision-making
  • Quality and clarity of SAR narratives
  • Strength of supporting evidence
  • Auditability of the full investigation process

Recent enforcement actions reinforce this shift.

Regulators continue to identify failures in detection, where missing risk is not acceptable, while increasingly citing weaknesses in inconsistent decision-making, insufficient documentation, and the inability to clearly explain outcomes.

From a supervisory perspective, inconsistency is not an efficiency issue. It is a control failure.

From Detection to Defensible Outcomes

What is emerging is a shift in how AML effectiveness is defined.

Historically, success was measured by how well suspicious activity could be detected.

Today, the focus is on whether institutions can carry that detection through to a clear, consistent, and defensible outcome.

This requires connecting the full lifecycle:

  • Detection must be risk-relevant, not just high-volume
  • Investigations must be structured and consistent
  • Decisions must be supported by clear evidence and reasoning
  • SARs must reflect the quality and integrity of the process

Without this alignment, increasing detection only increases pressure, not effectiveness.

The Real Risk May Already Exist

For many institutions, the risk is not just inefficiency.

It is the possibility that:

  • Meaningful risk is not being consistently identified
  • Decisions are not applied uniformly
  • Outcomes cannot be clearly defended

— and that these issues may only become visible under regulatory scrutiny.

The Shift Ahead

The next phase of AML transformation is not about detecting more.

It is about ensuring that outcomes can be delivered consistently and defended under scrutiny.

Because ultimately:

Detection identifies risk.
But regulators evaluate how you resolve it — and how well you can defend it.

See ThetaRay
in action

Book a Discovery Call