
Transaction monitoring, explained

Due diligence at onboarding tells you who a customer is. Transaction monitoring tells you what they actually do — and whether it matches. It is the ongoing, behind-the-scenes engine that watches activity across a relationship and raises an alert when something looks wrong. Because ongoing monitoring is a legal duty, and because most laundering only reveals itself in patterns of activity, transaction monitoring is one of the most important controls a firm runs.

What transaction monitoring is

Monitoring compares what a customer does against what you would expect from their profile, and flags the mismatch. A student account suddenly receiving and forwarding large international transfers is not inherently illegal — but it is unexpected, and that is what monitoring exists to surface.

How detection works

| | Rule-based | Behavioural / anomaly |
|---|---|---|
| How it works | Fixed scenarios and thresholds | Learns normal behaviour, flags deviations |
| Strength | Transparent, explainable | Catches novel patterns rules miss |
| Weakness | Misses what no rule covers; noisy | Harder to explain; needs good data |
| Example | "Cash deposits over £10k" | "This account never did this before" |

Most mature programmes combine both: rules for known typologies, behavioural models for the unknown.

Common red-flag patterns

| Pattern | What it looks like |
|---|---|
| Structuring (smurfing) | Many sub-threshold transactions to dodge reporting limits |
| Rapid movement | Funds in and straight out (pass-through / mule behaviour) |
| Inconsistency | Activity that doesn't fit the customer's profile or stated purpose |
| Round-sum transfers | Repeated round figures with no commercial rationale |
| High-risk links | Transfers to/from high-risk jurisdictions or flagged counterparties |
| Sudden change | A dormant account springing into high activity |
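
Two of these patterns, structuring and rapid movement, written as rule-based scenarios in an added example (not code from this guide or from any monitoring product). The £10k limit echoes the guide's illustrative rule; the 7-day window, 24-hour pass-through period, 90% ratio and the sample transactions are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000                  # assumed limit, from the guide's "over £10k" example
WINDOW = timedelta(days=7)          # assumed look-back window for structuring
PASS_THROUGH = timedelta(hours=24)  # assumed: funds leave within a day of arriving

# Constructed sample data: (account, timestamp, direction, amount in GBP)
TXNS = [
    ("A1", "2024-03-01T09:00", "in", 9_500),
    ("A1", "2024-03-02T10:00", "in", 9_200),
    ("A1", "2024-03-04T11:00", "in", 9_800),
    ("B2", "2024-03-03T08:00", "in", 25_000),
    ("B2", "2024-03-03T15:00", "out", 24_600),
    ("C3", "2024-03-05T12:00", "in", 1_200),
]

def parse(txns):
    """Group transactions per account, in time order."""
    by_acct = defaultdict(list)
    for acct, ts, direction, amount in txns:
        by_acct[acct].append((datetime.fromisoformat(ts), direction, amount))
    return {acct: sorted(rows) for acct, rows in by_acct.items()}

def structuring(rows):
    """3+ sub-threshold credits inside one window that together exceed the threshold."""
    credits = [(t, a) for t, d, a in rows if d == "in" and a < THRESHOLD]
    for i, (start, _) in enumerate(credits):
        in_window = [a for t, a in credits[i:] if t - start <= WINDOW]
        if len(in_window) >= 3 and sum(in_window) > THRESHOLD:
            return True
    return False

def pass_through(rows, ratio=0.9):
    """A credit followed within PASS_THROUGH by debits worth at least `ratio` of it."""
    for t_in, d, a_in in rows:
        out = sum(a for t, d2, a in rows
                  if d2 == "out" and timedelta(0) <= t - t_in <= PASS_THROUGH)
        if d == "in" and out >= ratio * a_in:
            return True
    return False

def alerts(txns):
    """Return {account: [names of rules that fired]} for accounts with any hit."""
    rules = {"structuring": structuring, "pass_through": pass_through}
    found = {}
    for acct, rows in parse(txns).items():
        hits = [name for name, rule in rules.items() if rule(rows)]
        if hits:
            found[acct] = hits
    return found
```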

Order the workflow

Put it in order: from alert to decision

A monitoring system fires an alert. Put the investigation workflow in order.

  1. The system generates an alert from a rule or anomaly
  2. An analyst triages the alert against the customer's profile and history
  3. Decide: clear as a false positive, or escalate the suspicion
  4. Investigate: gather context, review transactions, screen counterparties
  5. If suspicious, report internally to the MLRO
  6. The MLRO decides whether to submit a SAR to the NCA

The false-positive problem

How it fits the wider system

  • Onboarding CDD: establishes the expected baseline
  • Transaction monitoring: watches for departures from it
  • Alert investigation: separates noise from real suspicion
  • SAR to the NCA: reports genuine suspicion

Monitoring is the connective tissue between customer due diligence and suspicious-activity reporting: it is how a static profile becomes live detection.

Where Probitas fits

When an alert fires, investigating it means understanding the people and companies involved. A Probitas check screens counterparties against sanctions, PEP and adverse media sources and surfaces the public record, anchored to its origin — giving an analyst fast, sourced context to resolve an alert. The monitoring system and the reporting decision remain the firm's own.

Transaction

What is transaction monitoring in AML?

The ongoing process of reviewing customer activity to detect transactions or patterns that are unusual or suspicious — comparing what a customer does against what their profile would lead you to expect, and raising alerts on mismatches.

Is transaction monitoring legally required?

Yes. Ongoing monitoring of business relationships is a duty under the Money Laundering Regulations, and transaction monitoring is the principal way firms discharge it across the life of a relationship.

What is the difference between rule-based and behavioural monitoring?

Rule-based monitoring flags activity against fixed scenarios and thresholds (transparent but limited to known patterns). Behavioural monitoring learns a customer's normal behaviour and flags deviations (better at novel patterns but harder to explain). Mature programmes use both.

What patterns does transaction monitoring look for?

Common red flags include structuring (many sub-threshold transactions), rapid in-and-out movement, activity inconsistent with the customer's profile, repeated round-sum transfers, links to high-risk jurisdictions, and sudden changes such as a dormant account becoming highly active.

Why are false positives a problem in monitoring?

Because a system tuned too loosely produces a flood of innocent alerts that waste resource and, more dangerously, can bury the genuinely suspicious cases. Effective monitoring balances catching real risk with keeping false positives manageable.

Sources

This guide is written from primary sources. Each is linked below; claims in the text link to the specific reference they rely on.

  1. MLR 2017 reg. 28(11) — ongoing monitoring (legislation.gov.uk)
  2. FATF — Guidance for a risk-based approach
  3. National Crime Agency — Suspicious Activity Reports
  4. FCA — Financial Crime Guide