Due diligence at onboarding tells you who a customer is. Transaction monitoring tells you what they actually do — and whether it matches. It is the ongoing, behind-the-scenes engine that watches activity across a relationship and raises an alert when something looks wrong. Because ongoing monitoring is a legal duty, and because most laundering only reveals itself in patterns of activity, transaction monitoring is one of the most important controls a firm runs.
What transaction monitoring is
Monitoring compares what a customer does against what you would expect from their profile, and flags the mismatch. A student account suddenly receiving and forwarding large international transfers is not inherently illegal — but it is unexpected, and that is what monitoring exists to surface.
How detection works
| | Rule-based | Behavioural / anomaly |
|---|---|---|
| How it works | Fixed scenarios and thresholds | Learns normal behaviour, flags deviations |
| Strength | Transparent, explainable | Catches novel patterns rules miss |
| Weakness | Misses what no rule covers; noisy | Harder to explain; needs good data |
| Example | "Cash deposits over £10k" | "This account never did this before" |
Most mature programmes combine both: rules for known typologies, behavioural models for the unknown.
Common red-flag patterns
| Pattern | What it looks like |
|---|---|
| Structuring (smurfing) | Many sub-threshold transactions to dodge reporting limits |
| Rapid movement | Funds in and straight out (pass-through / mule behaviour) |
| Inconsistency | Activity that doesn't fit the customer's profile or stated purpose |
| Round-sum transfers | Repeated round figures with no commercial rationale |
| High-risk links | Transfers to/from high-risk jurisdictions or flagged counterparties |
| Sudden change | A dormant account springing into high activity |
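A small rule-based detector for three of the patterns above (a large cash deposit, structuring and rapid movement), added here as an illustration and not taken from any firm's or vendor's system. Only the £10k figure comes from the example rule above; the windows, count and ratio are assumptions chosen for the constructed sample, not regulatory values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000                    # the page's example rule: "Cash deposits over £10k"
STRUCT_WINDOW = timedelta(days=7)     # assumption: look-back window for structuring
STRUCT_MIN_COUNT = 3                  # assumption: minimum deposits that form a pattern
PASS_WINDOW = timedelta(hours=24)     # assumption: "straight out" means within a day
PASS_RATIO = 0.9                      # assumption: share of the credit that leaves again

def detect(transactions):
    """Return a sorted list of (account, rule) alerts for a list of transaction dicts."""
    by_account = defaultdict(list)
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        by_account[tx["account"]].append(tx)
    alerts = set()
    for account, txs in by_account.items():
        cash_in = [t for t in txs if t["kind"] == "cash_in"]
        # Rule 1: a single cash deposit over the threshold.
        if any(t["amount"] > THRESHOLD for t in cash_in):
            alerts.add((account, "large_cash"))
        # Rule 2 (structuring): several deposits, each at or under the threshold,
        # that together exceed it inside one sliding window.
        small = [t for t in cash_in if t["amount"] <= THRESHOLD]
        for i, first in enumerate(small):
            window = [t for t in small[i:] if t["ts"] - first["ts"] <= STRUCT_WINDOW]
            if len(window) >= STRUCT_MIN_COUNT and sum(t["amount"] for t in window) > THRESHOLD:
                alerts.add((account, "structuring"))
                break
        # Rule 3 (rapid movement): most of an incoming transfer leaves again quickly.
        for credit in (t for t in txs if t["kind"] == "transfer_in"):
            out = sum(t["amount"] for t in txs if t["kind"] == "transfer_out"
                      and timedelta(0) <= t["ts"] - credit["ts"] <= PASS_WINDOW)
            if out >= PASS_RATIO * credit["amount"]:
                alerts.add((account, "pass_through"))
                break
    return sorted(alerts)

def make_tx(account, kind, amount, day, hour=9):
    return {"account": account, "kind": kind, "amount": amount,
            "ts": datetime(2024, 3, day, hour)}

# Constructed sample data, not real customer activity.
SAMPLE = [
    make_tx("A", "cash_in", 4_000, 1), make_tx("A", "cash_in", 3_500, 2), make_tx("A", "cash_in", 3_900, 4),
    make_tx("B", "transfer_in", 8_000, 5, 10), make_tx("B", "transfer_out", 7_900, 5, 14),
    make_tx("C", "cash_in", 12_000, 6),
    make_tx("D", "cash_in", 500, 7), make_tx("D", "transfer_in", 2_000, 8), make_tx("D", "transfer_out", 300, 20),
]
```

Account A never trips the single-deposit rule yet is flagged by the windowed one, which is the gap a bare threshold leaves; account D shows ordinary activity producing no alert.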
Order the workflow
A monitoring system fires an alert. Put the investigation workflow in order.
- The system generates an alert from a rule or anomaly
- An analyst triages the alert against the customer's profile and history
- Decide: clear as a false positive, or escalate the suspicion
- Investigate: gather context, review transactions, screen counterparties
- If suspicious, report internally to the MLRO
- The MLRO decides whether to submit a SAR to the NCA
The false-positive problem
How it fits the wider system
- Onboarding CDD establishes the expected baseline
- Transaction monitoring watches for departures from it
- Alert investigation separates noise from real suspicion
- SAR to the NCA reports genuine suspicion
Monitoring is the connective tissue between customer due diligence and suspicious-activity reporting: it is how a static profile becomes live detection.
Where Probitas fits
When an alert fires, investigating it means understanding the people and companies involved. A Probitas check screens counterparties against sanctions, PEP and adverse media sources and surfaces the public record, anchored to its origin — giving an analyst fast, sourced context to resolve an alert. The monitoring system and the reporting decision remain the firm's own.
Transaction
What is transaction monitoring in AML?
The ongoing process of reviewing customer activity to detect transactions or patterns that are unusual or suspicious — comparing what a customer does against what their profile would lead you to expect, and raising alerts on mismatches.
Is transaction monitoring legally required?
Yes. Ongoing monitoring of business relationships is a duty under the Money Laundering Regulations, and transaction monitoring is the principal way firms discharge it across the life of a relationship.
What is the difference between rule-based and behavioural monitoring?
Rule-based monitoring flags activity against fixed scenarios and thresholds (transparent but limited to known patterns). Behavioural monitoring learns a customer's normal behaviour and flags deviations (better at novel patterns but harder to explain). Mature programmes use both.
What patterns does transaction monitoring look for?
Common red flags include structuring (many sub-threshold transactions), rapid in-and-out movement, activity inconsistent with the customer's profile, repeated round-sum transfers, links to high-risk jurisdictions, and sudden changes such as a dormant account becoming highly active.
Why are false positives a problem in monitoring?
Because a system tuned too loosely produces a flood of innocent alerts that waste resource and, more dangerously, can bury the genuinely suspicious cases. Effective monitoring balances catching real risk with keeping false positives manageable.
Sources
This guide is written from primary sources. Each is linked below; claims in the text link to the specific reference they rely on.