Feature Engineering for AML: From Raw Data to Risk Signals

The Foundation of Effective ML Models

Machine learning models are only as good as the features they're trained on. In AML detection, raw transaction data—sender, receiver, amount, timestamp—is insufficient. The art and science of feature engineering transforms this raw data into meaningful risk signals that ML models can learn from.

Feature Categories

At nerous.ai, we extract 500+ features from each transaction, grouped into six primary categories:

1. Transaction-Level Features (50 features)

Direct attributes of the transaction itself:

• Amount Features: Raw amount, log-transformed amount, rounded amount (structuring indicator)
• Temporal Features: Hour of day, day of week, is_weekend, is_holiday, is_business_hours
• Channel Features: Transaction type (wire, ACH, card), online vs in-person, mobile vs desktop
• Geographic Features: Sender/receiver countries, distance between locations, timezone differences
• Currency Features: Currency pair, exchange rate deviation from market rate

amount_roundness = abs(amount - round(amount, -2)) / amount
near_threshold = 1 if 9000 <= amount <= 10000 else 0
risk_score = amount_roundness * near_threshold

2. Velocity Features (80 features)

Aggregations over various time windows detect unusual spikes in activity:

• Transaction Counts: Number of transactions in past 1h, 6h, 24h, 7d, 30d, 90d
• Amount Aggregations: Sum, mean, median, max amounts over same windows
• Unique Counterparties: Number of distinct senders/receivers in each window
• Velocity Ratios: Comparing short-term vs long-term averages (e.g., 24h avg / 30d avg)

3. Network Features (120 features)

Graph-based features capture an entity's position and role in the transaction network:

• Centrality Metrics: Degree, betweenness, closeness, eigenvector centrality
• Community Detection: Which community the entity belongs to, community stability
• Path Features: Shortest paths to known bad actors, number of intermediaries
• Structural Patterns: Fan-out (mule behavior), fan-in (aggregation), circular flows
• Temporal Network Evolution: Change in degree over time, new connections rate

4. Behavioral Features (150 features)

Deviations from entity-specific baselines are the most powerful indicators:

• Entity Baselines: Personal averages for amount, frequency, counterparties
• Z-Scores: How many standard deviations current behavior differs from baseline
• Sequence Breaks: Changes in typical transaction ordering or timing patterns
• Peer Comparisons: Deviation from similar entities (clustering-based)
• Life Cycle Stage: Account age, activity maturity, dormancy followed by reactivation

μ = mean(historical_amounts)
σ = std(historical_amounts)
z_score = (A - μ) / σ

# Winsorized z-score to handle outliers
z_clipped = clip(z_score, -5, 5)
anomaly_score = sigmoid(z_clipped / 2)

5. Geographic Features (40 features)

• Risk Scores: Country risk scores based on FATF lists, corruption indices
• Jurisdiction Changes: Frequency of cross-border transactions, high-risk corridors
• Distance Metrics: Physical distance, timezone offset, cultural/linguistic distance
• Location Consistency: Deviation from typical geographic patterns

6. Historical Risk Features (60 features)

• Prior Alerts: Historical SAR filings, previous AML alerts, alert frequency
• Regulatory Actions: Past sanctions, fines, or regulatory scrutiny
• Entity Classification: Business type, industry sector, customer segment
• KYC Signals: Completeness of KYC data, time since last refresh, verification level

Feature Selection and Importance

Not all 500+ features contribute equally. We use multiple techniques to identify the most predictive features:

Handling Data Challenges

Missing Data

Real-world transaction data is messy. Our approach:

• Indicator Variables: Boolean flags for missingness as features themselves
• Domain-Aware Imputation: Use median for amounts, mode for categories
• Forward Fill: For temporal features, carry forward last known value
• Model-Based Imputation: ML models predict missing values from other features

Class Imbalance

Money laundering is rare (typically 0.1-1% of transactions). Feature engineering helps:

• Rare Event Features: Binary indicators for extremely unusual behavior
• Composite Scores: Aggregating multiple weak signals into stronger ones
• Anomaly Scores: Unsupervised outlier scores as supervised features

Feature Engineering Pipeline

Our production feature engineering pipeline processes 100M+ transactions daily:

1. Ingestion: Raw transaction arrives via Kafka
2. Enrichment: Join with entity profiles, KYC data, historical risk scores
3. Real-Time Computation: Calculate transaction-level and recent velocity features
4. Cache Lookup: Retrieve pre-computed network and behavioral features from Redis
5. Feature Vector Assembly: Combine all features into 500-dim vector
6. Normalization: Scale features using pre-fitted transformers
7. ML Inference: Pass feature vector to model ensemble

Continuous Feature Improvement

Feature engineering is not a one-time effort. We continuously refine our feature set:

• Weekly Reviews: Analyze feature importance scores, retire low-value features
• Quarterly Experiments: A/B test new feature candidates on production traffic
• Typology Updates: Add features for newly discovered money laundering schemes
• Feedback Integration: Analyst feedback suggests new feature ideas

Conclusion

Feature engineering is where domain expertise meets data science. At nerous.ai—where our name reflects the Finnish word for genius and ingenuity—we've invested thousands of engineering hours into building a feature pipeline that transforms raw transaction data into actionable risk signals.

The result: ML models that detect money laundering with 99.9% accuracy while reducing false positives by 85%. Great features enable great models.