The false positive problem in anti-money laundering (AML) enforcement rarely makes headlines. Yet for every criminal that AML procedures identify, they generate tens of thousands of alerts that disrupt, delay or block entirely legitimate transactions. As SEC Commissioner Hester Peirce has observed, “the sledgehammer has become the tool of choice for monitoring for financial crimes.” A new BIS paper calling for more uniform AML rules across payment instruments is well-intentioned, but risks entrenching this imbalance rather than correcting it.
The paper’s core analytical framework is sound. It distinguishes between intermediated payments such as bank transfers, hosted crypto wallets and e-money, versus peer-to-peer instruments such as cash, self-hosted crypto and offline CBDC. It coins the term “waterbed effect” to describe what happens when tighter rules on one instrument push illicit activity toward less monitored alternatives, and it argues persuasively that regulators need to think across the full payment spectrum rather than instrument by instrument.
But uniformity of what, exactly, and at what cost to whom?
The proportionality gap
The paper’s EU case study illustrates the problem clearly. The AMLR introduces an EU-wide €10,000 cash payment limit on the grounds that large cash transactions warrant monitoring. Yet no equivalent transaction limit exists for self-hosted cryptoasset wallets, a gap the paper identifies as a potential arbitrage incentive for malicious actors. The implied solution is to extend transaction limits to self-hosted crypto or stablecoins. But this gets the lesson backwards. Limits are a blunt instrument that inconveniences the many to marginally constrain the few. The answer to asymmetry between instruments is not to replicate the bluntness uniformly. It is to ask whether the rule we are treating as the baseline is actually fit for purpose.
More troubling is what uniform rules do to legitimate actors. AML frameworks are designed to impose costs on criminals, but the architecture of those costs is largely blind to who actually bears them. An SME trading internationally may generate high AML monitoring costs for its bank without generating sufficient fee income to cover them. The commercially rational response for the bank is to close the account. And this happens routinely. The business loses its banking relationship through no misconduct of its own. The compliance framework has produced a clean internal result and an externality that can be existential for the company concerned.
The false positive problem compounds this. Accounts get blocked. Payments are delayed for weeks. In one well-documented case, a major bank’s botched implementation of a new AML process froze the accounts of hundreds of UK SMEs that traded internationally. These businesses had responded to every query, but the delay was long enough to threaten payroll and supplier relationships. Compensation amounted to £500 per affected business. The reputational harm alone dwarfed that figure many times over.
These are not edge cases. They are the daily operational reality of AML enforcement for anyone who sends money to a relative in a jurisdiction with weak AML ratings, lives or travels in such a country, or runs a business with international supply chains.
The privacy question the paper underweights
The BIS authors acknowledge that AML requirements create a privacy-integrity trade-off, and they note that individuals have varying privacy preferences. This framing, while accurate, understates the nature of the problem. Enhanced due diligence can involve an extended interrogation by a compliance officer who is a complete stranger. The experience is highly invasive regardless of how carefully the resulting data is stored.
The paper notes the EU allows P2P transfers between self-hosted wallets without travel rule reporting. What it does not examine closely enough is the friction that arises at the boundary between self-hosted and hosted systems, which is precisely where most legitimate users interact with the regulatory framework. These transactions stand a high risk of triggering enhanced due diligence. That friction falls disproportionately on people with entirely lawful reasons for their payment patterns.
Personal sovereignty deserves more than a footnote
There is a deeper issue the paper does not engage with because of its intentional focus. Access to a payment system is not a privilege to be granted subject to compliance review. Increasingly, it is a precondition for participation in economic life. AML rules that produce systematic exclusion, whether through debanking of SMEs, blocking of international transfers, or the chilling effect on payment instrument choice for privacy-valuing individuals, are not simply generating side effects. They are making determinations about who is entitled to transact, without due process and with limited recourse.
Too much uniformity creates a further risk the paper does not fully reckon with: if a law-abiding citizen encounters a problem with one bank under a highly harmonized framework, the same logic and the same data that caused that problem may follow them across institutions. This is a distinct and underexplored dimension of the debanking problem.
A more productive direction
None of this is an argument against AML regulation. It is an argument for measuring what AML regulation actually costs, and for whom.
Two changes in approach would help substantially. First, false positive rates should be a primary metric in AML framework design and review, not an afterthought. If a regime is generating tens of thousands of false positives for every confirmed case of money laundering, that is a policy failure, not just an operational inconvenience. Mandatory impact assessments that include false positive rates, and sandbox testing of AML process changes on representative SME portfolios before full rollout, would impose accountability that is currently absent.
Second, as Commissioner Peirce has argued, far more effort should go into creative regulatory solutions: ones that protect integrity without treating every unusual payment pattern as presumptively suspicious. The BIS paper suggests that transaction limits could be embedded by design into offline CBDC and smart contract protocols. This implies compliance by architecture, rather than compliance by interrogation. But a transaction limit hard-coded into a payment instrument is still a blunt instrument. It simply moves the clumsiness upstream. The question is not where in the stack the restriction sits; it is whether blanket transaction thresholds are the right tool at all when more targeted, data-informed approaches are available.
A consistent regulatory approach, as the BIS authors advocate, is a legitimate goal. But consistency in the wrong direction — uniformly invasive, uniformly blunt — will uniformly fail the people it is nominally designed to protect.
