How agentic AI can change the way banks fight financial crime

| Article
Financial institutions are allocating significant resources to fighting financial crime, but they are generally making little progress. AI-based solutions may be an accelerator.

Banks are spending ever-larger sums of money on know-your-customer and anti-money-laundering (KYC/AML) activities. But there is little evidence they are getting a good return on their investments. In fact, according to Interpol, the financial industry detects only about 2 percent of global financial crime flows, despite increasing spending by up to 10 percent a year in some advanced markets between 2015 and 2022.1 A potential solution lies in agentic AI—an evolution of analytical AI technology that offers automation and productivity throughout the client life cycle (Exhibit 1).

About the authors

This article is a collaborative effort by Alexander Verhagen, Angela Luget, Olivia Conjeaud, and Vasiliki Stergiou, with Debanjan Banerjee, representing views from QuantumBlack, AI by McKinsey, and McKinsey’s Financial Services and Risk & Resilience Practices.

Much of the cost of combating financial crime relates to inefficiencies in operating models and ways of working. Indeed, banks commonly assign up to 10 to 15 percent of their full-time equivalents to KYC/AML alone.2 In parallel, automation rates are generally low amid fragmented data resources and unstandardized data sets. The result is that teams waste a lot of time on manual tasks while clients complain of tiresome interactions and lumpy processes.

Financial crime is a high-potential area for AI.

AI, specifically agentic AI, could be the antidote to KYC/AML headwinds. In this article, we map the AI landscape and examine options for implementation, highlighting how some leading institutions have deployed the technology to their advantage. Our key conclusion is that AI offers transformative potential, but only if institutions put in place the foundations and capabilities that will support an at-scale rollout.

Analytical AI, generative AI, and agentic AI: A short tutorial on financial crime use cases

AI is not, in reality, a single technology but rather an umbrella term for a range of technologies that can understand and generate language, recognize images or speech, make decisions or predictions, and learn from data over time. In the KYC/AML context, these capabilities are broadly expressed in three forms (Exhibit 2).

Three successive generations of AI development show a clear evolution in task handling.

Analytical AI

Analytical AI can complete analytical tasks faster and more efficiently than humans can. Prominent use cases include false positive detection in controls, including transaction monitoring, sanctions detection, name screening, and fraud detection. The technology can also produce more dynamic and integrated customer risk rating models, for example, by incorporating a higher number of behavioral (including transaction-based) factors. In transaction monitoring, it can sharpen accuracy and facilitate peer group comparisons and anomaly detection. And it can apply decision-tree-based models, a type of machine learning algorithm, to improve underperforming rules.

Generative AI

Generative AI (gen AI) learns from patterns in data sets and uses those learnings to generate original output. In KYC/AML, it can support human investigators across a number of use cases, including onboarding and in-life client reviews, based on analysis of structured and unstructured data. The technology can save human time in collecting and extracting data from documents, summarizing large sets of information (for example, on adverse media) about individuals and entities, and accelerating investigations, including analyzing purpose and nature statements, source of funds or wealth drafts, and corporate business activity descriptions. In transaction monitoring, gen AI is useful in producing alert conclusions and transaction analysis insights, supporting drafting of suspicious activity reports, and contributing to quality control and quality assurance (QA).

In one example of the technology at work, a universal bank developed a gen-AI-driven data extraction capability to support its KYC process. The capability was deployed to production and tested with more than 50 analysts during a four-week pilot. As part of the exercise, the bank developed a reusable gen AI architecture and a codified information extraction process for more than 50 policy questions and 300 underlying subtasks. It learned that a process-first approach, based on understanding analysts’ day-to-day work and involving the front line in design and testing, was an excellent way to operate.

In another use case, a large bank used gen AI to streamline generation of purpose and nature statements, as well as boost statement quality in line with bank guidelines. AI processed outputs from both raw customer data and manually created documents, significantly reducing handling times.

Agentic AI

Agentic AI refers to a technology that enables single or multiple agents to carry out tasks and make decisions autonomously (with human oversight). In the anti-financial-crime context, it is used for automating client onboarding activities, including KYC checks and refreshes, transaction monitoring, and sanctions or fraud investigations from alert to case closure.

Agentic AI represents a step change in AI impact potential. While analytical AI and gen AI boost compliance efficiency and effectiveness, they often do not lead to bottom-line benefits at scale. One reason is that banks largely use them to support humans (such as KYC case handlers and transaction monitoring investigators). While this frees up time and accelerates work such as investigation handling (creating 15 to 20 percent productivity uplifts), it does not fundamentally transform effectiveness and efficiency, our experience shows.

Agentic AI, by contrast, represents a paradigm shift, with banks employing a “workforce” of AI agents (or digital factories) that can collaborate to perform end-to-end tasks autonomously. In this context, humans are only required for exception handling, oversight, and coaching (Exhibit 3). Given that each human practitioner can typically “supervise” 20 or more AI agent workers, the productivity gain can be significant—anywhere from 200 to 2,000 percent, our experience shows. Banks also see a substantial positive impact on the quality and consistency of output (see sidebar, "Case study: A global bank built an agentic AI factory").

Agentic AI offers a 20-fold increase in productivity potential.

Agents or groups of agents (squads) can be applied to different but similar tasks, for example, obtaining information on market trends and customer screening for adverse media. Here are some examples of squads employed by leading institutions in the financial crime space:

  • RAG agents retrieve information from knowledge bases, vector databases, or document collections to answer queries with contextual accuracy. They handle embedding, chunking, and semantic search to provide grounded responses rather than hallucinated content. The agents can be used to read profit-and-loss statements, balance sheets, and company documentation to identify ultimate beneficial owners and key controllers.
  • Data pipeline agents monitor, orchestrate, and troubleshoot extract, transform, load (ETL) processes, conduct data quality checks, and identify pipeline failures. They can automatically retry failed tasks, issue anomaly alerts, optimize resource allocation, and perform entity resolution based on analysis of customer data from different sources.
  • Research and analysis agents gather information from multiple sources, synthesize findings, generate reports, and track emerging trends. They can monitor competitors, market conditions, or technical developments, including analyzing transactions, counterparty patterns, and alert histories.
  • Critic or validation agents review workflow outputs, suggest improvements based on human-in-the-loop instructions, and ensure quality through to completion. They are capable of performing “self-heal and rerun” in case of minor issues (for example, input format errors).

To operate effectively, squads should always be equipped with clear boundaries, defined handoff protocols, shared content management systems, and internal guardrails.

Several principles can help banks lay the foundations

Case study: A global bank built an agentic AI factory

Most financial institutions start their financial crime AI journey in either the know-your-customer (KYC) or transaction-monitoring space, reflecting the importance of those controls. One global bank was looking to reduce data processing and manual hours spent onboarding new customers, as well as move from periodic reviews to an event-driven digital customer due diligence process. It set up an agentic AI factory that encompassed an end-to-end KYC workflow—from initial KYC trigger to final memo. The bank put in place an AI agent architecture with ten agent squads. Within each squad there were four or five AI agents, including a lead agent, two or three expert-practitioner agents, and a quality assurance (QA) agent.

Each agent squad was assigned to focus on a specific step in the process and then pass the information to the next squad in the chain. Thus, one squad extracted client data from sources, including websites, annual reports, and company filings, and structured it into an initial KYC file. The second squad looked up the company in the government register, validated the country of incorporation and noted the registered shareholders and directors. A third squad performed ownership structure analysis, including identification of ultimate beneficial owners. A fourth squad performed politically exposed persons and sanctions screening on key directors and identified beneficial owners. Other squads undertook purpose and nature of relationship checks, transaction analysis checks, and adverse media screening. Finally, a stand-alone squad compiled the results into a consolidated KYC file for the human supervisor to review. The file included a summary report, a recommendation, and a detailed analysis. Depending on the results of the analysis, the agents could then choose to escalate the case further if needed.

A benefit of the agentic AI approach is that it creates a full audit trail for every agent interaction, including data used, steps followed, agent conversations, rationales for conclusions, and observations by QA, compliance, and audit agents.

Our experience working with banks to build out AI-supported KYC/AML capabilities suggests that several principles hold true irrespective of starting position. Here are a few of the most compelling:

  • Rewire the entire domain, including customer journeys from end to end (as opposed to individual use cases that automate individual steps within a journey).
  • Consider all levers available to boost straight-through processing. These might include process reengineering, workflow tools, rules-based automation for simple steps, analytical AI, gen AI tools, and agentic AI to orchestrate the end-to-end journey.
  • Give AI agents distinct roles that mirror human roles along the value chain—creating a collaborative, role-based ecosystem similar to a human team.
  • Include a QA agent in each agent squad to check that each AI agent has completed its tasks to the required standard. In the future, agentic squads may also include compliance agents, audit agents, or other agents.
  • Redesign the operating model to focus human expert practitioners on validation. Our experience suggests that manual intervention should be reserved only for the highest complexity exceptions and escalations (typically less than 15 to 20 percent of the total), as well as for coaching the AI agent workforce.
  • Deploy QA for the gen AI digital factory on a sample basis, enabling a more cost-efficient approach.

How to get started: Six powerful enablers

Building a digital factory of AI agents and using them effectively on an ongoing basis requires commitment, both from the C-suite and across operations. The ideas below reflect some of the thinking we have seen driving successful outcomes:

  • Put the right people in place. Effective implementation is contingent on KYC and risk data science skills and expertise, as well as a vision of the financial crime organization of the future. This will be predicated on identifying the required resources, including a DevOps (software development and IT operations) team, financial crime team leaders and managers, and financial crime or KYC analysts, who leverage deep domain knowledge to instruct the agent workforce, including reviewing outputs, high-end decision-making, and exception handling.
  • Be clear on the process. Leading banks benefit from a granular and streamlined view of the target KYC or financial crime handling process and potential risks such as hallucinations or toxicity. This can prevent automation of a subpar process in the risk or compliance organization. Process flows should be broken down into distinct, independent capabilities so that banks can train and optimize gen AI bots effectively.

  • Invest in technology. Technology is a vital element in the equation, with leading banks prioritizing the following:


    • a scalable and modular structure with access to foundation models, an enterprise agentic framework and agents repository, and APIs into internal or external data sources and applications
    • a business-friendly user interface to promote collaboration between AI agents and human supervisors, with institutions retaining existing KYC or financial crime infrastructure as much as possible
    • access to under-the-hood compute infrastructure (via cloud or on-prem) to enable AI models to operate at scale and (in some cases) in real time

  • Aim high on data. Data quality is a primary concern for many financial institutions, and AI can help them identify and remediate data quality issues quickly. For example, in the case of sanctions, AI can support entity resolution, which is vital to identify the same customer across different data sources. Moreover, some banks are building frameworks that use AI to automatically detect, assess, and enhance data across dimensions. Key components include the following:


    • a modular architectural setup with components that can be leveraged across processes (within KYC/AML but also in business lines such as credit)
    • a clear road map for moving unstructured data (onboarding forms, policy documents, registration documents) into the analytics infrastructure and a framework of tools and AI (including agents) that monitor, detect, and report data quality issues
  • Optimize risk management. Banks should prioritize creating a dedicated risk management framework and system for ongoing risk monitoring, including but not limited to data protection, intellectual property infringement, and hallucinations.
  • Embrace change management. A comprehensive change management approach can guide practitioners in their new roles, for example, by providing the coaching and prompting skills needed to oversee an agentic workforce. However, the process is relatively complex, and adoption typically takes about twice as long as building the technology. Thus, leading institutions take the time to put enabling pillars in place, including redesigning underlying processes, creating appropriate roles and responsibilities, adapting the organizational structure, and establishing a talent management strategy, in which employees are evaluated against adjusted targets. Other key ingredients include timely access to data, infrastructure and large language models, as well as sandboxes and (eventually) production platforms, implemented well ahead of software development gates to avoid last-mile delays. Looking forward, banks should plan carefully for future capacity needs, especially in the front office and risk function.

The experience of leading institutions suggests AI, and especially agentic AI, could be the next major innovation lever for KYC/AML. To capture benefits quickly, leading financial institutions typically start by defining a pilot perimeter—that is, a part of the customer portfolio that they can use to experiment with a digital factory. Once impact is proven, they can prepare for scaling. Our new book, Rewired: The McKinsey Guide to Outcompeting in the Age of Digital and AI, translates the hard-won lessons McKinsey has learned helping deliver these kinds of transformations at scale.

In a rapidly changing financial crime landscape, the path to impact will likely be driven by speed of adoption (fast, at-scale model learning), a tailored operating model, and continuous maintenance of the agentic AI machine. The task should not be underestimated, but leading banks have shown that successful implementation can bring significant wins, including stronger compliance, competitive impetus, and a more streamlined customer experience.

Explore a career with us
Related Articles
Holistic customer assistance through digital-first collections
Article
Holistic customer assistance through digital-first collections
Solving the KYC puzzle with straight-through processing
Article
Solving the KYC puzzle with straight-through processing
A digitally generated illustration that shows a computer screen with code and chat bubbles.
Article
The promise of generative AI for credit customer assistance