How HSBC turned its biggest compliance headache into an AI success story

There is a number that haunts every financial crime compliance team in banking, and most of them prefer not to say it out loud. It sits somewhere between 90 percent and 95 percent. That is the proportion of alerts generated by traditional anti-money laundering systems that turn out, on investigation, to be completely innocent.

For decades, the industry accepted this as an unavoidable cost of doing business. Rules-based transaction monitoring systems were blunt instruments by design - casting the widest possible net to ensure nothing slipped through. The result was compliance teams spending the overwhelming majority of their time investigating legitimate customers, calling people to ask about transactions that posed no threat whatsoever, and generating reams of investigative work that led nowhere.

At HSBC, one of the world's largest banks, that meant checking approximately 980 million transactions for signs of financial crime every single month. With legacy systems generating false positives rates in line with the industry norm, the volume of unnecessary work was staggering and the processing time required to analyze billions of transactions across millions of accounts took several weeks.

The bank knew something had to change. What happened next is one of the most instructive artificial intelligence (AI) transformation stories in financial services - not because of what the AI catches, but because of what it taught HSBC about process design.

Join the PEX Network community

Don't miss any news, updates or insider tips from PEX Network by getting them delivered to your inbox. Sign up to our newsletter and join our community of experts. 

Learn More

The problem with the old process

To understand why HSBC's transformation matters, it helps to understand exactly what was broken.

Traditional AML monitoring works through a set of manuall defines rules: if a transaction crosses a certain threshold, originates from a flagged geography, or follows a pattern associated with known laundering typologies, it triggers an alert. The system flags it and a human investigates.

The logic is sound. The execution, at scale, is catastrophic. Legacy AML tools have failed to keep up with the this, being reliant on those manually defined rules and failure rates are high, with as many as 95 percent of system-generated alerts turning out to be false positives.

That isn't a rounding error. It means that for every 100 alerts a compliance analyst investigates, 95 of them are dead ends. The analyst's expertise, judgement and time is being spent almost entirely on noise.

The downstream consequences compound. Customers get called unnecessarily, relationships are disrupted, and investigators develop alert fatigue. The actual criminals, however, slip beneath the detection thresholds, and keep operating.

This wasn't a HSBC-specific problem. It was an industry-wide process failure hiding behind the language of regulatory compliance.

As Caspar Jans, head of process management and enterprise modernisation GTM for EMEA and APAC at Celonis, told PEX Network: "The main challenge is going to be how to control [AI agents] and keep them working for you instead of against you. After all, automating a broken process just results in the same broken process, but faster." HSBC's legacy AML operation was exactly that: a broken process running faster and faster, generating more noise, consuming more human capacity, and catching proportionally less of what mattered. 

Redesigning the process around AI's actual strengths

HSBC's leadership makes a decision that most executives find difficult. Rather than layering AI onto the existing process as an accelerant, they used it as a reason to redesign the process from the ground up.

The bank partnered with Google Cloud to co-develop a new system - known internally as Dynamic Risk Assessment (DRA). They piloted it in 2021, with Google launching it to the wider financial services sector the following year.

The Dynamic Risk Assessment platform analyzes over one billion transactions monthly across millions of accounts, using advanced machine learning that continuously updates its understanding of criminal patterns and suspicious behaviors. Rather than applying fixed rules, the AI processes transaction amounts, timing patterns, geographic locations and behavioural indicators together - building a probabilistic picture of risk rather than a binary flag.

Critically, the system was designed to learn. It continuously adapts from confirmed cases of financial crime, prioritizing alerts based on real-time risk scoring. As new criminal methodologies emerge, the model updates - without requiring compliance teams to manually recode detection rules.

Crucially, the human layer was not removed, but repositioned. The analysis that follows each ai alert involves the AML-specific skills and experience of HSBC's teams, who determine the usefulness and meaning behind the AI's outputs - strategically deciding which patterns should be permitted to update the system's detection logic.

This is the process design insight that separates HSBC's approach from a single technology deployment. The AI does what it is genuinely better at than humans: identifying patterns across a billion data points simultaneously, in real time, without fatigue. The humans do what they are genuinely better than AI: exercising judgement, interpreting context, and making decisions that carry accountability.

What did the results show?

The results speak for themselves. HSBC is now finding two to four times more financial crime than previously, with much greater accuracy. And there are 60 percent fewer false positive cases - meaning far fewer unnecessary calls to customers about legitimate activity.

In other words, the compliance team is now spending its time on alerts far more likely to represent genuine threats. The noise has been cut by more than half. Investigators are working on real cases rather than chasing ghosts.

Investigation timelines have also been compressed dramatically. The processing time required to analyze billions of transactions across millions of accounts has shrunk from several weeks to just a few days - meaning that when a genuine case of financial crime is identified, the bank can act faster and provide more useful intelligence to law enforcement.

The scale of the operation makes these percentages tangible. For example, HSBC checks approximately 980 million transactions for signs of financial crime each month. A 60 percent reduction in false positives at that volume represents an enormous reclamation of investigative capacity - capacity that can now be redirected toward the cases that matter.

What does this mean for regulated industries across the board?

Money laundering is estimated to cost the global economy US$2 trillion annually, equivalent to 2-5 percent of global GDP. For banks, the compliance burden of detecting it is enormous - and the reputational and regulatory risk of failing to detect it is existential.

Historically, the two pressures pulled in opposite directions. Aggressive detection meant more false positives, more customer disruption, and more operational cost. Leaner detection meant more risk. HSBC's Dynamic Risk Assessment system demonstrates that this is a false trade-off. With the right AI architecture and the right process design around it, you can detect more crime and generate less noise simultaneously.

The broader adoption picture suggests many organizations are about to face similar inflection points in their own functions. The PEX Report 2025/26 found that 40 percent of organizations currently use AI agents to support business transformation, with 59 percent planning to invest in agentic AI in the next 12 months.

As deployment scales, the organizations that thrive will be those that - like HSBC - ask the harder question before reaching for technology; what is actually broken in the process, and how should the human role change as a result?