There's a specific kind of damage that doesn't show up in a fine.
It doesn't appear in an audit finding or a regulatory letter. It's invisible in a compliance dashboard. It accumulates quietly, one declined application at a time, one closed account at a time, one unanswered customer email at a time.
It's the cost of saying no to people and businesses you should have said yes to.
Over-conservative risk rules — the kind that emerge from risk-averse compliance cultures, poorly calibrated screening systems, and a default institutional posture of "decline if in doubt" — are one of the most significant and least discussed sources of commercial damage in banking today. The compliance function designed to protect the institution ends up undermining it. And the customers caught in the middle have done nothing wrong.
I've operated these systems. I've seen the alert queues, reviewed the declined cases, and sat in the post-incident reviews where legitimate businesses lost their accounts. This piece is about how that spiral starts, why it's so hard to escape, and what genuinely proportionate risk management looks like in practice.
The scale of the problem
Traditional AML systems are flooding compliance teams with alerts — and over 90% of those alerts are false positives. Let that land for a moment. The overwhelming majority of the work a compliance team does in response to automated alerts is work that leads nowhere. It consumes analyst time, builds case queues, slows onboarding, and — critically — drowns out the signals that actually matter. (Source: Fintech Global / Complytek, 2025)
Industry research finds false positives comprise over 95% of AML alerts and consume approximately 42% of compliance resources. Nearly half of a compliance team's operational capacity, absorbed by noise. (Source: Flagright, 2026)
The financial cost is quantifiable. The cost of reviewing a single AML alert ranges between $30 and $70, so a bank processing 100,000 alerts a year spends roughly $3 million to $7 million on review alone, and the cited research estimates that cutting false positives could save between $600,000 and $4.2 million of that, depending on how large a share of the volume is eliminated. (Source: DataRobot AML Alert Scoring research) But the operational cost, the drain on analyst morale, the alert fatigue, the risk that genuine threats get buried under the volume, is harder to price and arguably more damaging.
And this isn't a niche problem. More than two-thirds of global banks have lost clients due to slow and inefficient KYC onboarding, up 19% year-on-year, according to a study of over 450 C-level executives across corporate, institutional, and commercial banks. (Source: Fenergo, KYC in 2024, October 2024) The trend is moving in the wrong direction, year after year, despite sustained investment in compliance technology.
When caution becomes a business strategy
The false positive problem at the screening and monitoring layer is serious. But it's downstream of a more fundamental issue: what happens when institutional risk aversion becomes the de facto filter for customer acceptance.
UK banks are making blanket decisions about entire industries, choosing risk avoidance over individual assessment — and thousands of legitimate businesses, profitable, compliant, and professionally operated, are being systematically excluded from basic banking services. (Source: Medium, High-Risk Business Banking in the UK, January 2026)
The parliamentary data is stark. Eight of the UK's biggest banks closed the accounts of 140,000 small businesses in a single year — nearly 3% of their total SME customer base — with reasons including financial crime concerns and failure to satisfy verification requirements. (Source: UK Parliament Treasury Committee, February 2024) At least 4,214 of those closures were attributed to "risk appetite" without a clear or consistent definition of what that means within the industry. (Source: UK Parliament SME Finance Committee, May 2024)
That's not risk management. That's risk avoidance dressed up as risk management. The distinction matters enormously because they have opposite effects. Risk management filters out bad actors while preserving access for legitimate customers. Risk avoidance reduces the exposure of the compliance function at the expense of the customers it's supposed to serve.
When presented with a business model they don't fully understand — whether that's supplement distribution, cryptocurrency services, or subscription platforms — many banks default to decline rather than invest the time and resources to properly understand the business. It's easier and safer to say no. (Source: Medium, High-Risk Business Banking in the UK, January 2026)
Easier and safer for whom, exactly? For the compliance team, perhaps. For the institution, in the very short term. But not for the customer, and ultimately not for the bank's commercial position either.
How the spiral works
The false positive spiral follows a consistent pattern. Understanding it is the first step to breaking it.
It starts with rules set in fear, not in evidence.
Most transaction monitoring and onboarding risk rules were written in the aftermath of an adverse event — a regulatory finding, a suspicious activity report, a case that generated internal heat. The instinct is to tighten: add a flag, lower a threshold, add a document requirement. Each individual rule change is defensible. The cumulative effect is a system calibrated to the worst-case scenario, applied uniformly to every customer regardless of their actual risk profile.
False positives usually occur when AML systems rely on rigid rules, outdated customer information, or poorly configured transaction thresholds. Rules are generic rather than customer-specific, meaning normal activity for one customer is flagged for another. (Source: AML Watcher, 2026)
Then alert fatigue sets in.
Compliance teams become inundated with alerts, and because each alert requires investigation, compliance officers face a deluge of alarm bells. Independent studies show that the real burden of investigating a single alert can stretch up to 22 hours when factoring in investigation, documentation, and review cycles. (Source: Yahoo Finance / Retail Banker International, June 2025)
When every alert looks the same and most of them lead nowhere, investigators — experienced, capable, well-intentioned investigators — start to pattern-match at speed. The careful, contextual review that a legitimate-but-unusual case requires becomes harder to deliver when the queue is 400 alerts deep. Perversely, high false positive rates can increase the risk of non-compliance. Similar to how alert fatigue causes security professionals to miss red flags, compliance officers are also prone to miss potential money laundering cases due to alert overload. (Source: Yahoo Finance / Retail Banker International, June 2025)
The system starts making decisions the rules didn't intend.
A legitimate import-export business gets flagged for cross-border transaction patterns. A defence contractor loses its account because a sector-level rule doesn't distinguish between weapons manufacturers and servicing companies. A digital nomad gets declined because their country of residence doesn't match their country of incorporation. None of these patterns is evidence of financial crime. All of them are the predictable output of rules that treat complexity as a proxy for risk.
And the commercial damage accumulates invisibly.
The declined applications don't generate a report. The closed accounts don't appear in a risk dashboard. The customers who walked away because the onboarding process was too painful don't file a complaint — they simply go elsewhere. Financial institutions spend an estimated $274 billion on financial crime compliance globally, and 63% say that AFC compliance additionally and negatively impacts productivity and customer acquisition. (Source: Blackdot Solutions, citing Global Investigations Review and industry research, 2025) The irony is that a compliance function consuming that level of resource should be generating demonstrably better outcomes. Often, it isn't.
The regulatory position is clearer than many institutions act on
There's a misconception that runs through a lot of compliance culture: that being more restrictive is always safer from a regulatory standpoint. That the FCA would rather see an institution decline 100 legitimate customers than approve one bad actor.
That's not what the regulatory framework actually says.
The FCA's updated Financial Crime Guide, effective November 2024, explicitly calls for a proportionate and risk-based approach — including specific guidance on avoiding discriminatory treatment of customers and applying risk-appropriate due diligence rather than blanket restrictions. (Source: Clifford Chance, FCA Financial Crime Guide analysis, December 2024)
Germany's BaFin went further in a 2025 enforcement case, sanctioning a payment institution specifically for having too many unsubstantiated suspicious transaction reports — demonstrating that regulators expect obliged entities to put in place monitoring systems that ensure transactions without suspicious criteria are not reported. (Source: George Karapetyan, Medium, May 2025) Being too aggressive in screening is itself a regulatory risk.
The framework has always been risk-based, not risk-elimination. A risk-based approach requires understanding the actual risk profile of each customer or transaction and calibrating the response proportionately. That's more demanding than applying a uniform set of rules, but it's also more accurate — and more defensible when a regulator looks at your decision-making.
What genuine proportionality looks like in practice
Having built and operated these systems across multiple institutions, I've found that proportionate risk management consistently comes down to the same set of disciplines:
Segment your risk model properly. A sole trader payment company and a multinational holding structure are not the same risk profile. Neither are a UK-incorporated SME and a BVI trust. Rules that apply the same flags to both are not risk-based — they're risk-uniform, which is a different thing entirely. Your rule set should reflect the actual distribution of risk in your customer base, not a single worst-case scenario applied to everyone.
Distinguish between risk indicators and risk conclusions. Operating in a high-risk jurisdiction is a risk indicator. It means enhanced due diligence is warranted, not automatic decline. A complex corporate structure is a risk indicator. It means more thorough UBO verification is required, not that the customer should be turned away. Conflating the two — treating the indicator as though it were the conclusion — is where over-conservative rules do the most damage.
Review your false positive rate as a KPI. If you're not measuring what proportion of your alerts lead to genuine suspicious activity reports, you don't know how well-calibrated your system is. AML false positive rates typically range between 85% and 95% across the industry (Source: Facctum, AML False Positive Report, March 2026), but that range represents a genuine spectrum. An institution at 95% is operating very differently from one at 80%, and the difference is measurable, manageable, and directly linked to both compliance outcomes and commercial ones. Measure it per rule and per customer segment, not only in aggregate: an overall figure hides the one or two rules that generate most of the noise, and those are the ones to recalibrate first.
Build a feedback loop between declined cases and rule design. In most institutions, the case that gets declined disappears into the system. Nobody reviews it six months later to ask whether the rule that triggered the decline was well-designed. Building that feedback loop, a structured review of declined or closed cases to assess whether the outcome was proportionate, is one of the most effective ways to recalibrate a rule set that has drifted toward excessive caution. Pair it with a sample of activity that fell just below the threshold, so that loosening a rule does not silently trade false positives for false negatives you never see.
Apply context, not just criteria. The most important skill in a compliance operation is contextual judgement — the ability to look at an unusual case and distinguish between a pattern that is genuinely suspicious and a pattern that is merely unfamiliar. That judgement doesn't come from a rulebook. It comes from experienced investigators with enough time and decision-making latitude to apply it. Alert fatigue destroys that capacity. Reducing false positive volume is not just about efficiency — it's about preserving the quality of the decisions that actually matter.
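The disciplines above are easier to see in code than in prose, so here is an added example (mine, not code from the original article or from First Mile Labs) that models three of them: segment-specific thresholds, indicators that raise the due diligence tier instead of declining, and a per-rule precision check over closed-case dispositions. The segment names, baselines, jurisdiction codes, rule names, precision floor and the alert log are all constructed assumptions for illustration, not any institution's real calibration.

```python
"""Segmented risk scoring with indicator-vs-conclusion separation and a
per-rule false-positive feedback loop. Illustrative only: segments, rules,
thresholds and the sample alert log are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed baseline: expected share of cross-border payments per segment.
# The same 40% cross-border ratio is normal for an import-export SME and
# unusual for a domestic sole trader, so the threshold is segment-specific.
CROSS_BORDER_BASELINE = {
    "sole_trader": 0.10,
    "uk_sme_domestic": 0.15,
    "uk_sme_import_export": 0.80,
    "offshore_structure": 0.60,
}
SEGMENT_TOLERANCE = 0.20                 # how far above baseline before we flag
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}   # placeholder codes, not a real list


@dataclass
class Customer:
    name: str
    segment: str
    incorporation_country: str
    residence_country: str
    ownership_layers: int                # depth of the corporate structure
    cross_border_ratio: float            # share of payments leaving the country
    sanctions_hit: bool = False          # confirmed screening match (a conclusion)
    verification_failed: bool = False    # identity could not be verified (a conclusion)


@dataclass
class Assessment:
    tier: str                            # STANDARD | ENHANCED | DECLINE
    indicators: list = field(default_factory=list)
    required_actions: list = field(default_factory=list)


def assess(c: Customer) -> Assessment:
    """Map a customer to a due-diligence tier. Only conclusions decline;
    indicators add required actions and escalate to ENHANCED."""
    a = Assessment(tier="STANDARD")
    if c.sanctions_hit:
        a.tier, a.indicators = "DECLINE", ["sanctions_match"]
        return a
    if c.verification_failed:
        a.tier, a.indicators = "DECLINE", ["verification_failed"]
        return a
    if c.incorporation_country in HIGH_RISK_JURISDICTIONS:
        a.indicators.append("high_risk_jurisdiction")
        a.required_actions.append("source_of_funds_evidence")
    if c.ownership_layers >= 3:
        a.indicators.append("complex_structure")
        a.required_actions.append("ubo_verification_to_natural_person")
    if c.cross_border_ratio > CROSS_BORDER_BASELINE[c.segment] + SEGMENT_TOLERANCE:
        a.indicators.append("cross_border_above_segment_baseline")
        a.required_actions.append("trade_documentation_sample")
    if c.residence_country != c.incorporation_country:
        a.indicators.append("residence_incorporation_mismatch")
        a.required_actions.append("proof_of_address_and_tax_residency")
    if a.indicators:
        a.tier = "ENHANCED"
    return a


def rule_precision(alert_log, min_alerts=20):
    """Per-rule share of alerts that were confirmed (e.g. led to a SAR).
    alert_log: iterable of (rule_id, disposition), disposition in
    {'confirmed', 'no_action'}. Rules with fewer than min_alerts closed
    cases return None so a handful of cases cannot drive recalibration."""
    counts = defaultdict(lambda: [0, 0])  # rule_id -> [total, confirmed]
    for rule_id, disposition in alert_log:
        counts[rule_id][0] += 1
        if disposition == "confirmed":
            counts[rule_id][1] += 1
    return {r: (hits / total if total >= min_alerts else None)
            for r, (total, hits) in counts.items()}


def rules_to_recalibrate(alert_log, floor=0.05, min_alerts=20):
    """Rules with enough closed cases whose precision is below the floor."""
    return sorted(r for r, p in rule_precision(alert_log, min_alerts).items()
                  if p is not None and p < floor)


# Constructed closed-case log: (rule_id, disposition). In practice this is
# exported from the case-management system, not hand-written.
SAMPLE_ALERT_LOG = (
    [("cross_border_above_segment_baseline", "no_action")] * 48
    + [("cross_border_above_segment_baseline", "confirmed")] * 2
    + [("complex_structure", "no_action")] * 30
    + [("complex_structure", "confirmed")] * 10
    + [("high_risk_jurisdiction", "no_action")] * 5
)

if __name__ == "__main__":
    nomad = Customer("nomad", "sole_trader", "GB", "PT", 1, 0.40)
    trader = Customer("trader", "uk_sme_import_export", "GB", "GB", 2, 0.85)
    print(assess(nomad))    # ENHANCED with actions, not DECLINE
    print(assess(trader))   # STANDARD: cross-border is normal for the segment
    print(rules_to_recalibrate(SAMPLE_ALERT_LOG))
```

The point of the two assessments in the `__main__` block is that the same 40% cross-border ratio escalates a sole trader but is unremarkable for an import-export SME, and that even an escalated case ends in a list of documents to request rather than a decline. The feedback function then reports only the cross-border rule for recalibration: at two confirmed cases in fifty it is almost pure noise, while the complex-structure rule at one in four is earning its place, and the jurisdiction rule has too few closed cases to judge.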
The cost of getting this wrong runs both ways
Compliance teams operating in risk-averse cultures are often implicitly rewarded for declining. A declined case doesn't generate a regulatory finding. A bad actor who slips through does. The incentive structure pushes toward caution.
But there's a cost on the other side that's equally real, and increasingly visible.
MPs have condemned the unfair debanking of legitimate businesses, with cross-party committee members calling on the FCA to force banks to be more transparent about why decisions to close or refuse accounts are taken. (Source: UK Parliament SME Finance Committee report, May 2024) Scrutiny of over-restrictive compliance practices is intensifying at the parliamentary level, driven by clear evidence that legitimate businesses — defence contractors, pawnbrokers, digital businesses — are being systematically excluded.
For banks and fintechs, the reputational cost of being known as the institution that declined, that closed without explanation, that treated a legitimate business as a suspect — that cost is slow to accumulate and slow to unwind. It doesn't appear in a quarterly report, but it shows up in conversion rates, in NPS scores, in the LinkedIn posts from founders who were declined and went public about it.
The institution that builds proportionate, well-calibrated risk rules — that can demonstrate to a regulator exactly why each decision was taken and why it was appropriate — is both better protected from regulatory risk and better positioned commercially. Those two things aren't in tension. Done properly, they reinforce each other.
Where this leaves compliance teams
The false positive spiral is not inevitable. It's the predictable output of rules designed for defensibility rather than accuracy, operating in a culture where "no" is safer than "proportionate yes."
Breaking it requires treating risk calibration as an ongoing discipline rather than a point-in-time policy exercise. It requires measuring the commercial cost of over-restriction alongside the regulatory cost of under-restriction. And it requires investing in the operational conditions — alert quality, investigator capacity, feedback loops between decisions and rule design — that make genuine contextual judgement possible.
The compliance function that achieves this isn't softer on risk. It's better at it. It knows which customers to scrutinise and which to onboard without friction, because it has built a model that reflects the actual distribution of risk — not the worst-case imagination of it.
That's what proportionate looks like. And it's where the best compliance operations are heading.
First Mile Labs builds configurable risk decisioning and KYB/KYC orchestration infrastructure for banks and fintechs. If you're reviewing your risk rule calibration or looking to reduce false positive rates without increasing compliance exposure, talk to us.