AML Transaction Monitoring at an Indian Public-Sector Bank — 71% Alert Volume Reduction, RBI-Audit Clean
Compliance Monitor + Anomaly Detector replacing a legacy AML engine that was generating 18,000 alerts a day with 96% false positives.
The challenge
The bank — one of India's largest public-sector banks with over 5,000 branches and 240 million customers — was operating an AML transaction-monitoring system that had become unmanageable. The legacy engine, deployed in 2015 and minimally updated since, was generating approximately 18,000 alerts per day across the bank's retail and corporate portfolios. The AML operations team — 340 analysts working across three centres — was triaging this volume by aggressively closing low-amount alerts without investigation, which the RBI had flagged in its 2023 inspection.
The true-positive rate on the alerts that were being investigated was approximately 2.3%, meaning that for every hundred alerts an analyst worked, two to three were genuine suspicious transactions. The bank's STR (Suspicious Transaction Report) filing volume was below the peer-bank median, which the RBI had specifically called out as a concern. The bank's CCO was facing a regulatory commitment to improve both the quality of investigations and the proportion of alerts being properly worked.
The constraints were stringent. RBI requirements meant all transaction data and customer PII had to remain on-premises in India. The bank's existing AML engine was deeply integrated with the core banking platform (Finacle), the trade-finance system, the SWIFT messaging gateway and the cards-processing host — meaning a wholesale replacement would have been a multi-year programme that the CCO did not have time for. The bank had also been quoted a 30-month transformation programme by a Big-4 consulting firm and had concluded it was not financially viable.
The approach
MindMap proposed an augmentation strategy rather than a replacement. The legacy AML engine would continue to generate the primary alert stream, but every alert would pass through a new triage layer — built on Compliance Monitor (Cm) and Anomaly Detector (Ad) — that would score the alert for likely true-positive probability and either auto-close clear false positives, surface the high-confidence suspicious cases with rich context for analyst review, or route the borderline cases for standard investigation.
Phase one was the labelled-data build. We ingested four years of historical alerts, four years of investigation outcomes (the analyst's final disposition), and the full set of filed STRs. Approximately 14 million labelled alert records were used to train the triage model. We also ingested the bank's customer KYC data, transaction history, RFI (Request for Information) responses to correspondent banks, and the open-source sanctions and PEP datasets the bank already subscribed to.
Phase two built the triage model. It is a stacked ensemble: a gradient-boosted tree for the structured features (alert type, amount, frequency, customer risk band, account age, channel mix), a graph neural network for the transaction-network features (counterparty risk, fund-flow pattern, network distance to known high-risk entities), and an LLM-based reasoning layer (Llama 3.1 70B fine-tuned on the bank's STR narrative corpus) that generates the structured case narrative for analyst review.
Phase three was the analyst-workflow rebuild. The legacy AML engine's alert queue was replaced by a new case-management UI that surfaces the model's confidence, the narrative explanation, the relevant transaction network visualisation, and a checklist of the standard investigation steps. Analysts can confirm, escalate or dismiss each case with one click, with the model's prediction logged as a feature for continuous retraining.
The pre-built building blocks
Rather than commission a ground-up build, the engagement leaned on MindMap's pre-built accelerator library — production-tested components that compress what would otherwise be a six-to-nine-month build into weeks.
Compliance Monitor
AML triage scoring and analyst workflow
Anomaly Detector
Behavioural and network anomaly features
Sovereign LLM Platform
On-prem Llama 3.1 serving for case narrative generation
Regulatory Reporter
STR drafting and RBI filing automation
The architecture
The entire stack runs on the bank's private cloud inside its primary data centre in Mumbai, with active-active failover to a secondary site in Hyderabad. The bank's RBI-mandated data-residency posture is preserved: no transaction data, no customer PII, no model artefact leaves the country.
The legacy AML engine continues to operate unchanged — it consumes the same transaction feed it always has, applies its rule library, and emits alerts to a Kafka topic. The triage layer consumes that Kafka topic, enriches each alert with the additional features (customer history, network position, related cases), runs the ensemble scoring, and emits a triage outcome to a downstream queue that drives the analyst workflow.
The LLM serving layer runs Llama 3.1 70B-Instruct fine-tuned on the bank's STR corpus — approximately 280,000 historical STR narratives, redacted of PII for the training process. The model is served via vLLM on a cluster of sixteen H100 GPUs, sized to handle the daily alert volume peak (approximately 1,400 model calls per minute at peak). Inference is constrained to the structured JSON schema the case-management UI expects, with hallucination guardrails preventing the model from inventing facts not present in the input transaction data.
The graph features are precomputed on a 15-minute cadence using a Spark-based pipeline that maintains the bank's transaction graph (approximately 8.4 billion edges) in Neo4j. Graph features for the alerts in the current queue are updated continuously; less time-sensitive graph features (community-detection clusters, long-window centrality scores) are recomputed on a daily cadence.
All model decisions, inputs and outputs are logged to a compliance audit store with the full RBI-required retention. The bank's internal audit team has direct query access and the inspection trail that the bank's external auditors and the RBI inspectors require.
The numbers behind the story
Alert volume to the analyst team has dropped from 18,000 per day to approximately 5,200 per day, a 71% reduction. The reduction comes entirely from the triage layer auto-closing high-confidence false positives — no legacy alert is discarded silently, and every auto-close decision is logged with the model's reasoning.
True-positive rate on the alerts that reach analysts has risen from 2.3% to 9.1%. The analyst team has not been reduced; the reclaimed capacity has been redirected to deeper investigation on the higher-quality alerts and to proactive case work the team previously could not do.
STR filing volume has increased by 38%, which is the metric the RBI was most focused on. The most recent RBI inspection — the first since the augmentation went live — explicitly cited the bank's improved alert investigation quality and STR cadence as a positive in the inspection report.
Operational outcomes have improved as well: average alert investigation time has dropped from 47 minutes to 14 minutes, primarily because the case-management UI surfaces the relevant context upfront rather than requiring analysts to assemble it. Analyst attrition — which had been a chronic problem on the AML team — has fallen meaningfully, with the team's stated reason being that the work has become genuine investigation rather than alert-queue triage.
“The Big-4 told us we needed thirty months and a budget I could not get past the board. MindMap delivered in twenty-eight weeks by augmenting what we already had rather than replacing it. The RBI's last inspection report cited our AML programme as a positive — that has never happened in my time at the bank.”— Chief Compliance Officer· Indian Public-Sector Bank
Why MindMap was chosen
The bank had previously been quoted a 30-month wholesale AML engine replacement by a Big-4 firm, with a price tag the CCO concluded was not viable. The alternative was to continue with a system the RBI had explicitly flagged.
MindMap proposed an augmentation pattern — preserving the legacy engine and adding a triage layer on top — that delivered measurable RBI-relevant outcomes in 28 weeks rather than 30 months. The pattern was directly comparable to a deployment we had completed at another regulated Indian financial institution, which we walked the CCO's team through during the bid.
Our delivery team included two former RBI inspectors-turned-consultants and a former AML operations head from a peer bank. The combination of regulatory perspective and operational experience meant the bank's CCO felt the team understood the realities of running an AML programme under RBI oversight, not just the technology.
Pricing was structured around milestone delivery with a meaningful component tied to the post-go-live RBI inspection outcome. This alignment was important to the CCO, who had been burned previously by vendors whose commercial interest ended at go-live.
Related deployments
Sovereign WhatsApp Banking
ChatNext-powered WhatsApp bot deployed inside the bank's air-gapped data centre, handling balance, transfers, statements and loan applications in English and Swahili.
Cheque OCR at 99.1% Accuracy
DocuMage replaced a legacy template OCR for cheque clearing, processing 10,000 cheques per day at 99.1% field accuracy with 94% straight-through processing.
UK Challenger Bank KYC
OnboardX rebuilt the KYC pipeline with liveness, sanctions and PEP enrichment in a single STP flow, collapsing onboarding from 5 days to 4 hours.
Want an outcome like this?
Start with a 2-week AI Readiness Sprint. We deliver a prioritised use-case backlog and business case grounded in what's actually buildable with our accelerator library.