Intellidata (part of Converge Group)

Real-Time vs. Batch: Resolving the False Debate in Financial Crime Detection

The financial crime industry has been arguing about real-time detection for years. The truth is that the debate is mostly a distraction from the harder architectural question.

Liam van der Berg

Principal Architect

21 January 2026

The Real-Time Promise

Every financial crime technology vendor promises real-time detection. And technically, most of them deliver it — in the narrow sense that alerts are generated within seconds or minutes of a transaction.

But real-time alert generation is not the same as real-time intelligence. And confusing the two has led financial institutions to invest heavily in architectures that generate fast alerts from slow intelligence.

What Real-Time Actually Requires

For detection to be genuinely real-time — meaning that alerts are generated with sufficient context and accuracy to support a real-time decision — the intelligence layer underneath the alerting engine also needs to operate in near-real-time.

This includes:

- Customer behavioural profiles updated continuously, not nightly
- Network graphs that reflect the current state of relationships, not yesterday's batch
- Peer group comparisons that account for recent population shifts
- External intelligence feeds — sanctions, PEP, adverse media — refreshed continuously

Without these, a "real-time" alerting system is generating alerts based on stale intelligence. The alert arrives in seconds; the intelligence supporting it is hours or days old.

The Batch Processing Legacy

Most financial institutions' core data infrastructure operates on batch cycles. End-of-day sweeps, nightly reconciliations, morning risk score refreshes. This is not a technology limitation — it is an operational architecture choice that made sense when computing resources were constrained and transaction volumes were manageable.

The problem is that financial crime typologies have evolved to exploit this batch processing lag. Transactions that individually appear innocuous, but collectively represent a laundering pattern, can complete their full cycle within the batch processing window — appearing clean at each individual checkpoint.

The Hybrid Architecture Solution

The pragmatic answer is not to replace batch processing entirely — there are legitimate operational and cost reasons to maintain batch workflows for certain functions. The answer is a hybrid architecture that:

  1. Maintains continuously updated behavioural intelligence for high-velocity risk signals
  2. Uses batch processing for deep analytical functions that benefit from full-population views
  3. Integrates both streams into a unified risk signal that powers alerting

Themis is built on this hybrid model. Behavioural profiles and network graphs are updated in near-real-time. Deep analytical functions — peer group construction, typology modelling, network community detection — run on batch cycles optimised for computational efficiency.

The result is detection that is both fast and intelligent — which, it turns out, is the actual requirement.
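The batch-lag gap and the hybrid scoring described above can be shown side by side. The following is an added example, not Intellidata's or Themis's code: it scores the same constructed transaction stream once against a stale batch profile alone and once against a sliding window combined with that batch baseline. The class name, the one-hour window, the ratio threshold and all sample values are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # assumed sliding-window length for the streaming profile


class HybridScorer:
    """Combines a nightly batch baseline with a continuously updated window."""

    def __init__(self, batch_baseline, ratio_threshold=3.0):
        # batch_baseline: customer -> typical hourly outbound total from the
        # last batch run (constructed values in this example).
        self.baseline = batch_baseline
        self.ratio_threshold = ratio_threshold
        self.window = defaultdict(deque)      # customer -> (ts, amount) events
        self.window_sum = defaultdict(float)  # customer -> running window total

    def stale_score(self, customer, amount):
        # Batch-only view: the profile holds nothing since the last batch run,
        # so each transaction is judged on its own.
        return amount / self.baseline[customer]

    def hybrid_score(self, customer, ts, amount):
        # Streaming update: add the event, evict anything older than the window.
        q = self.window[customer]
        q.append((ts, amount))
        self.window_sum[customer] += amount
        while q and q[0][0] <= ts - WINDOW_SECONDS:
            _, old = q.popleft()
            self.window_sum[customer] -= old
        return self.window_sum[customer] / self.baseline[customer]

    def evaluate(self, events):
        # Returns (ts, stale_alert, hybrid_alert) per event, in arrival order.
        out = []
        for ts, customer, amount in events:
            stale = self.stale_score(customer, amount) >= self.ratio_threshold
            hybrid = self.hybrid_score(customer, ts, amount) >= self.ratio_threshold
            out.append((ts, stale, hybrid))
        return out


# Constructed sample: five transfers of 900 within 40 minutes, one the next day.
EVENTS = [(t, "cust-1", 900.0) for t in (0, 600, 1200, 1800, 2400)] + [(90000, "cust-1", 900.0)]
BASELINE = {"cust-1": 1000.0}  # constructed batch output

if __name__ == "__main__":
    for row in HybridScorer(BASELINE).evaluate(EVENTS):
        print(row)
```

The batch-only column never alerts because every transfer looks ordinary in isolation, while the hybrid column alerts from the fourth transfer onward and clears again once the window has aged out.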
