
Excellent write-up.

Key point is, no one truly looks at the efficacy of AML which makes it more theatre than crime-fighting tool (not that it doesn't fight crime, it just does not do so efficiently nor is it likely the best way to do so, let alone us defining broadly what crime actually is).

If these systems were re-designed from the ground up, AML procedures and policies would likely look quite different than they do today.



The problem with compliance is that it is pseudoscientific. There is no independent oversight: all regulation and tools are promoted by compliance companies selling those tools. There is no penalty for punishing the innocent. There is no reasonable cost. More is always better. There is no court to complain to or a channel to opt out.

It's a bit like antivirus on PCs: it is sold to you as scareware but in practice is snake oil, not really effective against any modern virus or trojan. You still bear the cost of your PC slowing down 25%.

Here is a good Forbes post by David Birch on the topic:

https://www.forbes.com/sites/davidbirch/2021/05/03/im-anti-t...


Anecdotally, I know of at least one large FI that tells auditors it's doing x, y, and z for security, when in reality their security practices are abysmal. They spend $1MM a year on a vendor product that in theory does x, y, z (though quite badly), install it on a server, and then never think about it again.

I've had important projects canceled because executives go 'oh we already have $tool this project is a waste of time'. I demonstrate that $tool hasn't been updated in a decade, has 0 users, and is completely ineffective, and how the project will address these issues. They respond 'oh we already have $tool this project is a waste of time'.


You are not buying a solution, you are buying compliance. It does not matter if the problem is either hidden or removed because the outcome for the executive's success is the same. Hiding usually costs less.


Indeed. It took me a while before I realized that "tickbox compliance" was a deliberate strategy and not mere incompetence.


Yeah, it's a box-ticking exercise, not a finding-laundered-money exercise. For one, the idea of approaching AML on an organisation-to-organisation basis seems flawed. Like no team has the whole view, so how can you be effective?

Example, my flatmate worked at a bank doing AML looking into flagged transactions. One day they found a chain of 87 different bank accounts moving money, 1k at a time to obscure its source. All were real people who had passed KYC. The money came in from another bank, then went out to another. So she calls up the AML teams at those banks - they found similar chains. The only reason they found it at her bank was because the chain got too big.


It's much more of a financial intelligence collection operation.

The intelligence community has access to information about every transaction with greater than $10k (lower thresholds for monetary instruments) with at least one party of the transaction identified for over 25 years.

People also miss the fact that FIU operations also often include 314(a)/(b) letters (subpoenas for financial information on specific individuals) alongside their AML operations. Same for OFAC Sanctions monitoring (obvious example is Russian customers and assets).



