AI and Machine Learning in Transaction Monitoring: Where OFAC Draws the Line

The Promise and the Limits of AI

Artificial intelligence (AI) and machine learning have become buzzwords in the compliance world, but behind the hype they are genuinely transforming how we approach transaction monitoring. Financial institutions see the promise: better detection of unusual activity, fewer false positives, and faster identification of suspicious behaviour. In sanctions compliance, these technologies can help teams operate more effectively and keep pace with rising transaction volumes.

But there is a critical caveat. No matter how advanced a system becomes, regulators — especially the US Office of Foreign Assets Control (OFAC) — still expect firms to understand, explain, and control their systems. Technology does not transfer accountability.

OFAC’s Stance on Technology

OFAC’s position is straightforward: innovation that improves effectiveness is welcomed, but firms cannot outsource responsibility to machines. If a system fails to identify a sanctioned entity because a model was not tuned correctly, or because the data feeding it was incomplete, the institution — not the vendor, nor the algorithm — is held responsible.

This principle is not new. Even before AI became a hot topic, OFAC guidance stressed the importance of governance, testing, and risk-based tailoring of screening programmes. AI does not change that; it makes the need for rigour even more urgent.

The Black Box Problem

One of the greatest regulatory concerns around AI is the so-called “black box” problem. If compliance officers cannot explain why their AI flagged — or ignored — a transaction, they are on shaky ground.

This is not theoretical. Imagine a regulator asks why an alert was not raised for a transaction that, on the face of it, looks connected to a sanctioned party. If the only answer is “the algorithm did not think it was a match,” that is indefensible. Regulators expect institutions to be able to walk through the logic, data inputs, thresholds, and governance controls that influenced the system’s decision.

The Risk of AI-Washing

A related risk is “AI-washing,” where tools are marketed as machine learning–driven but are in fact rules-based engines with minor tweaks. The dangers are twofold: firms may overestimate the system’s capabilities and relax oversight, while regulators may see misrepresentation as a red flag about the firm’s overall compliance culture.

If an institution claims to use AI, it must be ready to prove it—showing how models are trained, what improvements they deliver, and how those improvements are measured. Credibility is just as important as capability.

Enforcement Lessons: When Automation Fails

Recent enforcement actions across the industry have shown how gaps in automation—whether AI-driven or not — can expose firms to significant risk.

• Configuration failures – where screening systems are not calibrated correctly, leading to missed matches.

• Data gaps – where incomplete customer or transaction information prevents accurate screening.

• Oversight weaknesses – where automated processes are left unchecked and errors go unnoticed.

Each of these examples highlights a common truth: automation is not a shield. Without proper oversight, firms remain vulnerable to regulatory scrutiny and enforcement.

Building a Defensible AI Framework

So how can institutions capture the benefits of AI while managing the risks? The answer lies in building a defensible framework grounded in governance. That means:

• Documenting models – how they are designed, what data they are trained on, and the logic behind them.

• Regular validation and back-testing – using historic data to test how systems perform against known sanctions-evasion patterns.

• Dynamic tuning – recognising that models must evolve as risks, customers, and geopolitics change.

• Auditability – ensuring clear records exist to demonstrate how a decision was reached.

AI cannot be “set and forget.” It requires continuous refinement to remain both effective and compliant.

The Role of Human Oversight

Human oversight remains the backbone of defensible compliance. Even the best AI models will encounter edge cases where the data is incomplete or the risk is ambiguous.

A hybrid approach is the most sustainable: AI can handle the bulk of low-risk, repetitive decisions, while humans focus on complex, high-stakes investigations. From a regulatory perspective, this is far more defensible than full automation without checkpoints. It also makes the best use of human expertise, reserving investigator time for the cases where their judgement adds the most value.

Data Quality as a Foundation

No AI model is stronger than its data. Clean, complete, and current datasets are the foundation for reliable performance. That means ensuring:

• Customer data is accurate and verified.

• Transaction records are complete and structured.

• Sanctions lists are updated in real time.

Firms that neglect data quality will undermine even the most advanced AI tools. Conversely, institutions that invest in high-quality data will see sharper, more reliable results.

A Global Perspective on AI in Sanctions Compliance

OFAC’s expectations do not exist in isolation. Other regulators around the world are starting to clarify their positions on AI in financial crime compliance.

• The UK’s Financial Conduct Authority (FCA) has emphasised the importance of explainability in AI systems used for compliance.

• The Monetary Authority of Singapore (MAS) has promoted “responsible AI” principles, stressing fairness, ethics, accountability, and transparency.

• The European Banking Authority (EBA) has begun consulting on AI in risk management, pointing to the need for independent validation and audit trails.

As global regulators align, the message is consistent: AI can help, but responsibility remains with the institution.

Looking Ahead: Where OFAC Might Go Next

It is expected that OFAC will refine its guidance to address AI-driven systems more directly. Future requirements could include:

• Mandatory independent validation of machine learning models.

• Stronger requirements for model transparency and explainability.

• Detailed audit trails to reconstruct how a decision was reached.

• Greater scrutiny of vendor claims around AI capabilities.

There is also potential for AI to be used proactively — not just to detect matches, but to identify emerging patterns of sanctions evasion before they trigger an alert. This forward-looking application could transform compliance, but it will demand even higher standards of governance.

The Key Takeaway

AI and machine learning can make sanctions screening smarter, faster, and more efficient. But they do not change compliance obligations. Responsibility still rests squarely with the institution.

The firms that will succeed are those that treat AI as an enhancement, not a replacement — strengthening governance, embedding human oversight, and investing in data quality. For regulators like OFAC, technology may evolve, but accountability remains timeless.