The State of Financial Crime Model Risk Management

The fight against financial crime is increasingly waged on a digital battlefield, where banks rely on sophisticated models as their primary line of defence. From detecting money laundering to preventing fraud, banks rely on these quantitative tools to protect their customers, and the integrity of the financial system. But as these models grow in complexity and number, how effectively are we managing their inherent risks?

To answer this, the Deloitte 2025 EMEA Model Risk Management (MRM) Survey provides a detailed snapshot of the industry's progress. Conducted between July and September 2025, the survey gathers insights from 87 banks across Europe, the Middle East, and South Africa. The participants represent, roughly, an even split among large, medium, and small banks, offering a robust and balanced view of current practices across the sector.

The findings point to a growing maturity of use and governance of models in Financial Crime across the board, however a closer look at the results for Financial Crime models reveals a landscape of nuanced challenges. It is a story of progress met with new complexities, shifting the focus from whether to govern Financial Crime models to how to do so effectively. As the sophistication of both criminal threats and defensive models accelerates, the survey’s finding signal a crucial moment for organisations to ensure their governance practices are not just current, but fit for the future. The survey also reveals that while model usage and technical sophistication are accelerating, governance practices are struggling to keep pace, particularly for financial crime models.

Mind the Gap: Bringing Financial Crime Models into the Fold

The survey shows continued growth in the use of models for financial crime. This diverse arsenal includes everything from transaction monitoring and fraud detection systems to Know Your Customer (KYC), customer risk scoring, and critical sanction screening models. The data indicates that the use of transaction monitoring models saw a notable increase to 56% of banks (up from 42% in 2023). [1] Similarly, models for Anti-Money Laundering (AML) / Fraud detection / KYC are now employed by over two thirds (69%) of institutions, an increase from 60% two years prior.

This growing adoption brings the need for robust model governance into sharp focus. There is a potential governance gap, in particular vis-à-vis new regulations such as the Bank of England’s SS1/23, [2] regarding models for AML, fraud detection, and KYC: less than half the banks surveyed (44%) have brought these models into the scope of their MRM framework.

This disparity suggests that a large number of models may be operating outside formal risk management oversight. This can create a 'shadow landscape' where risks are not fully identified, measured, or mitigated. The scale of this landscape is not trivial. For banks that are validating their financial crime models, the survey shows they manage a substantial portfolio, with for example, an average of almost nine fraud prevention and detection models and 3.6 sanction screening models per institution.

As a foundational step, organisations must close this governance gap and ensure every one of these Financial Crime models is accounted for within a robust and transparent framework.

The Validation Conundrum: The Challenge of Seeing ‘Below the Line’

Once a model is integrated into the Model Risk Management (MRM) framework, a multitude of challenges emerge, with validation proving to be a particularly complex hurdle for Financial Crime models. Indeed, when banks are surveyed on their most significant validation difficulties, a substantial majority (57%) frequently cite the "difficulty measuring performance/effectiveness."

However, the complexities extend far beyond validation. Financial institutions also grapple with quality issues, evolving regulatory requirements, and limited specialised expertise.

The core problem here lies in the profound asymmetry of feedback loops. For AML and sanctions models, errors are predominantly visible only ‘above the line’. That is, validators can readily measure false positives, defined as legitimate transactions incorrectly flagged as suspicious, by analysing alert volumes and their conversion rates to suspicious activity reports.

The true challenge lies ‘below the line’ with false negatives. If a Financial Crime model fails to detect illicit activity, there is rarely any signal that an error was made. The money is laundered, the sanctioned payment goes through, and the institution remains unaware of the model's failure. This stands in stark contrast to external fraud models, where a false negative (a missed fraudulent transaction) almost always generates a clear signal: a customer complaint. This creates a natural feedback mechanism that is almost entirely absent in the AML and sanctions space. To address this challenge, practitioners turn to ‘below-the-line testing’: manually analysing (necessarily small) samples of cases that almost, but not quite, led to alerts to determine if the model threshold is properly set.

This validation conundrum is compounded by other factors cited in the survey, such as data quality issues (48%) and a lack of industry benchmarks (45%). Most critically, it is exacerbated by a pronounced expertise gap. According to the survey, only 40% of banks have dedicated MRM staff with the requisite expertise for validating Financial Crime models. Without specialist skills, it is difficult to design tests that can probe for these unseen risks, to assess below-the-line testing procedures, or to challenge a model's conceptual soundness in the absence of clear performance metrics.

Figure 1: Significant issues and challenges in the validation of FC models

Risk Tiering: A Question of Fit?

The survey reveals that a vast majority of banks (83%) apply the same model risk-tiering methodology to Financial Crime models as they do to other model types. While this ’one-size-fits-all’ approach provides a clear advantage in consistency and enterprise-wide comparability, it raises an important question: does it adequately capture the unique risk profile of financial crime models?

A more tailored tiering scheme, while more complex to implement, could better account for Financial Crime-specific factors like ethical bias, the reputational impact of a compliance failure, and the dynamic nature of criminal threats. It would allow for a more nuanced allocation of validation resources. For many institutions, however, the benefits of a simple, single, and easily understood framework for the entire model landscape currently outweigh the advantages of specialisation. Deciding on the right balance between standardisation and customisation is becoming a key strategic consideration for mature MRM functions.

The Maturity Divide

A clear theme emerging from the survey is the significant maturity divide between large institutions (with balance sheets over EUR 100 billion) and their medium- and small-sized peers. When it comes to managing the risks of Financial Crime models, size and appropriately skilled resources clearly matter.

This gap is immediately apparent in the scope of governance. While over two-thirds of large banks include their Financial Crime models within the MRM framework, the figure is just over a third for smaller banks. This maturity extends beyond simple inclusion to human capital; larger banks are far more likely to have invested in dedicated MRM staff with the relevant Financial Crime expertise needed to perform robust model validations. At some clients, we see dedicated MRM resources and Compliance teams to oversee the MRM framework responsibilities and liaise with Model Validation Teams during validations.

Nowhere is this divide more tangible than in the sheer volume of models under formal validation. The survey data shows that many medium and small banks have 15 or fewer Financial Crime models under validation, with some having none at all. In contrast, while variation exists even among the largest players, some are managing validation processes for well over 100 Financial Crime models. This dichotomy suggests that the capacity for investment is a powerful driver of MRM maturity. While large banks are scaling their governance frameworks to match their complex model landscapes, smaller institutions may face a significant resource challenge in keeping pace.

Innovating FC detection

The integration of Artificial Intelligence and Machine Learning (AI/ML) techniques is rapidly transforming the landscape of financial crime detection, moving beyond legacy limitations, rule-based systems. While these advanced models offer unparalleled capabilities in identifying complex patterns and evolving typologies, they introduce a new layer of complexity for Model Risk Management. For large banks, significant challenges in leveraging AI/ML models include technical complexity (cited by 22% of large banks), the inherent risks posed by AI/ML models themselves (20%), and the rigidity of existing processes (17%), which often struggle to accommodate these innovative approaches.

Supervisory bodies are increasingly focused on firms' adoption of these evolving financial crime models, expecting robust governance and control frameworks that extend beyond traditional approaches. This necessitates a re-evaluation of validation strategies; for instance, under frameworks like SS1/23, there is a clear emphasis on proportionate validation that can adapt to the rapidly changing financial crime landscape. Furthermore, the innovation-driven environment demands continuous and sophisticated effectiveness assessment and ongoing monitoring to ensure these dynamic models remain accurate, fair, and resilient against new threats, addressing challenges such as explainability and potential biases inherent in complex algorithms.

The Path Forward

The survey paints a clear picture: model risk management for financial crime is evolving. The conversation is maturing beyond simple inventory management towards solving complex, domain-specific challenges. To continue this journey and truly balance the scales between innovation and control, the path forward requires a focus on depth over breadth.

This begins with investing in specialist expertise, bridging the skills gap by empowering MRM professionals who understand the unique nuances of the risks associated with financial crime. These experts can then lead the charge on the most critical fronts: developing richer frameworks to assess model effectiveness that move beyond simple metrics, and critically evaluating whether a single, enterprise-wide risk-tiering approach is sufficient for the unique risks posed by financial crime models. By addressing these areas, organisations can build a more resilient and effective defence, ensuring their models are not just powerful, but also robust, fair, and responsibly managed.

For insights into the survey results, you can read the survey report here.

[1] The definition of a model varies across banks. There is no single definition that applies universally when organizations answer the question: “Where do you use models within your organization?”

[2] https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2023/ss123.pdf