Transaction Monitoring Explained: How Banks Actually Detect Suspicious Activity

Transaction monitoring is where KYC profiles become operational — the control that turns expected behaviour into alerts when reality diverges. This guide covers rules-based vs ML-based TM, the 10 typology rules every bank runs, alert investigation workflow, and real scenarios from JPMorgan, Barclays, Citi, BNY, and Revolut.

10 core TM rules · 4 alert stages · 13 min read · 2026 Global Edition
For AML, TM & senior KYC roles at: Goldman Sachs · JPMorgan · Morgan Stanley · Barclays · BofA · Citi · HSBC · BNY · State Street · Emirates NBD · eClerx · Genpact · WNS · Revolut

Every KYC profile you build has one downstream consumer that matters more than any other: transaction monitoring (TM). The customer risk rating you assign, the expected transaction profile you document, the counterparty geographies you capture, the UBOs you identify — all of it flows into the TM system that runs 24/7 looking for activity that diverges from the profile. When tier-1 banks fail AML audits, the finding is almost never “bad KYC.” It’s “KYC baseline that TM couldn’t meaningfully use.”

This guide covers transaction monitoring as it actually runs at tier-1 investment banks, custody firms, and sophisticated KPO operations: the core TM rule set every bank configures, rules-based vs behavioural / ML-based detection, the alert investigation workflow end-to-end, SLA and quality expectations, and real scenarios from JPMorgan London, Barclays GCC Mumbai, Citi New York, BNY, State Street, HSBC, Emirates NBD, eClerx, Genpact, WNS, Infosys BPM, Accenture Operations, and Revolut.

What Transaction Monitoring Actually Does

Transaction monitoring is the continuous automated screening of customer activity against a library of rules and models designed to detect patterns consistent with money laundering, terrorist financing, sanctions evasion, fraud, and other financial-crime typologies. It operates on every payment, transfer, cash movement, securities trade, and in some cases non-financial activity (log-ins, new payee adds, device changes) against the customer’s risk-based expected profile.

The KYC-TM feedback loop

KYC sets the baseline: risk rating, NOB, expected volume, expected velocity, expected counterparties, expected geographies. TM monitors against that baseline. Alerts go to investigators. Investigation outcomes — SAR/STR filings, profile shifts, EDD escalations — feed back into KYC as triggers for CDD refresh, risk re-rating, and EDD application. The loop runs continuously. A weak or stale KYC profile makes TM blind. A strong profile makes TM precise.

Rules-Based vs Behavioural TM — And Why Banks Run Both

APPROACH 1

Rules-Based Transaction Monitoring

Deterministic thresholds expressed as explicit rules. Example: “Alert any wire transfer above $10,000 to a FATF grey-list jurisdiction.” “Alert any customer who makes 3 or more cash deposits between $9,000 and $9,999 in a 7-day window.” “Alert any account where monthly volume exceeds 200% of 6-month trailing average.”

Strengths: Transparent, auditable, easy to tune, regulator-friendly — every alert has a clear rule trigger that can be explained on demand to FCA, FinCEN, DFSA, or MAS examiners.

Weaknesses: High false-positive volume. Sophisticated launderers structure below thresholds and around rule patterns. Static thresholds require constant manual tuning.
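As an added illustration (not code from this page or from any bank's TM platform), the following Python implements two of the rules quoted above over a constructed ledger: the rolling 7-day structuring rule and the 200%-of-trailing-average volume rule. Account names, amounts, dates and monthly totals are constructed, and treating "7-day window" as seven calendar days is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger (not real data): (account, date, type, amount_usd).
LEDGER = [
    ("ACC-1", date(2026, 3, 1), "cash_in", 9500.0),
    ("ACC-1", date(2026, 3, 3), "cash_in", 9200.0),
    ("ACC-1", date(2026, 3, 6), "cash_in", 9900.0),    # third sub-threshold deposit within 7 days
    ("ACC-1", date(2026, 3, 20), "cash_in", 9800.0),   # outside that window
    ("ACC-2", date(2026, 3, 2), "cash_in", 9500.0),
    ("ACC-2", date(2026, 3, 15), "cash_in", 9500.0),
    ("ACC-2", date(2026, 3, 28), "cash_in", 9500.0),   # three deposits, but spread over 26 days
    ("ACC-2", date(2026, 3, 29), "wire_out", 9500.0),  # wires are out of scope for this rule
]

# Constructed monthly volumes per account, oldest month first (7 months).
MONTHLY_VOLUME = {
    "ACC-1": [10000, 12000, 11000, 9000, 10000, 8000, 35000],   # month 7 is 3.5x trailing avg
    "ACC-2": [10000, 10000, 10000, 10000, 10000, 10000, 15000],  # 1.5x: no breach
}


def structuring_alerts(ledger, low=9000.0, high=9999.99, min_count=3, window_days=7):
    """Structuring rule: >= min_count cash deposits in [low, high] within any
    rolling window of window_days calendar days. Returns one alert per account."""
    deposits = defaultdict(list)
    for account, day, kind, amount in ledger:
        if kind == "cash_in" and low <= amount <= high:
            deposits[account].append(day)
    alerts = []
    for account, days in deposits.items():
        days.sort()
        start = 0
        for end in range(len(days)):
            # Advance the window start until first..last deposit fit inside window_days.
            while (days[end] - days[start]).days >= window_days:
                start += 1
            if end - start + 1 >= min_count:
                alerts.append((account, days[start], days[end]))
                break  # the rule fires on the pattern; investigators dispose the alert
    return alerts


def volume_breach_alerts(monthly_volume, multiple=2.0, trailing_months=6):
    """Volume rule: a month's volume exceeds `multiple` x the average of the
    preceding trailing_months months. Returns (account, month_index, volume, baseline)."""
    alerts = []
    for account, series in monthly_volume.items():
        for i in range(trailing_months, len(series)):
            baseline = sum(series[i - trailing_months:i]) / trailing_months
            if baseline > 0 and series[i] > multiple * baseline:
                alerts.append((account, i, series[i], baseline))
    return alerts


if __name__ == "__main__":
    print(structuring_alerts(LEDGER))            # [('ACC-1', datetime.date(2026, 3, 1), datetime.date(2026, 3, 6))]
    print(volume_breach_alerts(MONTHLY_VOLUME))  # [('ACC-1', 6, 35000, 10000.0)]
```

Note that ACC-2 makes the same three sub-threshold deposits but never within one window, which is exactly the "structure around rule patterns" weakness described above.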

APPROACH 2

Behavioural / ML-Based Transaction Monitoring

Machine learning models trained on historical customer behaviour, historical true-positive case outcomes, and typology libraries. Instead of a fixed threshold, the model produces anomaly scores — “this customer’s activity is in the 98th percentile of deviation compared to peer cluster behaviour over the last 90 days.”

Strengths: Detects novel patterns rules-based systems would miss. Lower false-positive rates when properly tuned. Picks up subtle behavioural shifts (change in counterparty profile, deviation in weekday vs weekend activity, unusual transaction timing patterns).

Weaknesses: Model-governance complexity. FCA, DFSA, and MAS all expect documented model transparency, periodic backtesting, bias testing, and explainability. A black-box ML TM output is a regulatory finding in 2026. Model drift requires continuous monitoring.

Why tier-1 banks run both approaches in parallel

Rules-based TM provides the explicit baseline that satisfies regulator expectations and covers well-understood typologies. Behavioural TM layers on top to catch patterns the rules-based layer can't see. Both approaches generate alerts that flow into the same investigator queues. The rules are the floor; the behavioural layer is the ceiling.

The 10 Core TM Rules Every Bank Runs

The specific parameters vary by institution, but a remarkably consistent set of ten rule categories shows up across every tier-1 bank’s TM configuration. Understanding these at the conceptual level is a direct interview topic for any KYC analyst targeting EDD, TM, or senior AML roles.

RULE 1

Structuring / Smurfing Detection

Multiple sub-threshold transactions that aggregate above a reporting threshold. Classic pattern: multiple cash deposits of $9,000–$9,999 within a rolling window. Rule triggers on pattern; investigators dispose.

RULE 2

Velocity Anomaly

Transaction frequency that diverges materially from expected profile — a dormant account that suddenly produces 40 wires in a week, or an active account whose volume drops to near-zero (potential dormancy for later reactivation).

RULE 3

Volume Threshold Breach

Transaction amounts exceeding the customer’s documented expected profile. Rolling-window aggregation catches cumulative breaches even when individual transactions stay within limits.

RULE 4

Geographic Risk

Counterparty or originator/beneficiary in FATF grey-list, FATF black-list, or bank-policy high-risk jurisdictions. Cross-border wire rules typically layer with sanctions screening and correspondent-bank controls.

RULE 5

Cash-Intensity Anomaly

Cash deposits or withdrawals disproportionate to declared NOB or historical pattern. Particularly sensitive for customers in cash-intensive industries (MSBs, casinos, car washes, gold dealers) where baseline cash levels are high but pattern shifts still matter.

RULE 6

Funnel Account Pattern

Multiple inbound wires from different jurisdictions consolidated into a single account with rapid outbound movement — the classic layering-stage pattern. Typically triggers at geographic concentration + same-day in/out velocity.

RULE 7

Round-Number and Repetitive-Amount Patterns

Transactions in suspiciously round figures ($10,000.00, $50,000.00) or identical repeating amounts. Often flags commercial-invoice laundering, structuring, and layered transfers. Particularly useful in trade-finance monitoring.

RULE 8

Third-Party Payment Anomaly

Payments received from or sent to parties unrelated to declared counterparties. Customer declares B2B trading with three named counterparties, but TM sees inbound from 15 unrelated originators.

RULE 9

New Counterparty Activation

Material transactions to a counterparty the customer has never transacted with before, especially in high-risk geographies or high-risk sectors. Triggers enhanced scrutiny pending establishment of normal baseline.

RULE 10

Profile Deviation Composite

Combined scoring across all expected-profile dimensions — volume, velocity, geography, counterparty, cash-intensity, product mix. Triggers when deviation in two or more dimensions crosses calibrated thresholds simultaneously. This is where behavioural / ML-based TM typically lives within the rules framework.
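An added example (not the page's own or any vendor's code) of the Rule 10 composite in Python: each expected-profile dimension is scored against a constructed KYC profile for one month of constructed activity, and the alert fires only when two or more dimensions breach at once. The per-dimension thresholds are assumed calibration values, not figures from the page.

```python
# Constructed KYC expected profile for one customer (not real data).
PROFILE = {
    "expected_monthly_volume": 50_000.0,
    "expected_monthly_count": 20,
    "expected_geographies": {"GB", "DE"},
    "expected_counterparties": {"CP-A", "CP-B", "CP-C"},
    "expected_cash_share": 0.05,
}

# Constructed month of activity: (counterparty, country, channel, amount).
# Volume stays inside profile; counterparty identity and geography do not.
MONTH_ACTIVITY = [
    ("CP-A", "GB", "wire", 9_000.0),
    ("CP-B", "DE", "wire", 8_000.0),
    ("CP-C", "GB", "wire", 7_000.0),
    ("CP-X", "KY", "wire", 6_000.0),  # undeclared counterparty, unexpected geography
    ("CP-Y", "KY", "wire", 6_000.0),
    ("CP-Z", "PA", "wire", 6_000.0),
    ("CASH", "GB", "cash", 2_000.0),
]

# Same customer, a month where only volume is out of profile.
ONE_DIM_ACTIVITY = [("CP-A", "GB", "wire", 40_000.0)] * 3

# Assumed calibrated thresholds: ratio for volume/velocity, share for the rest.
THRESHOLDS = {"volume": 2.0, "velocity": 2.0, "geography": 0.25,
              "counterparty": 0.25, "cash": 0.20}
MIN_DIMENSIONS = 2  # Rule 10: two or more dimensions must breach simultaneously


def profile_deviation(profile, activity):
    """Score every expected-profile dimension and decide whether the composite fires."""
    total = sum(a for _, _, _, a in activity)
    count = len(activity)
    unexpected_geo = sum(a for _, c, _, a in activity
                         if c not in profile["expected_geographies"])
    unknown_cp = sum(a for cp, _, ch, a in activity
                     if ch != "cash" and cp not in profile["expected_counterparties"])
    cash = sum(a for _, _, ch, a in activity if ch == "cash")
    scores = {
        "volume": total / profile["expected_monthly_volume"],
        "velocity": count / profile["expected_monthly_count"],
        "geography": unexpected_geo / total if total else 0.0,
        "counterparty": unknown_cp / total if total else 0.0,
        "cash": (cash / total - profile["expected_cash_share"]) if total else 0.0,
    }
    breached = sorted(d for d, s in scores.items() if s > THRESHOLDS[d])
    return {"scores": scores, "breached": breached,
            "alert": len(breached) >= MIN_DIMENSIONS}


if __name__ == "__main__":
    print(profile_deviation(PROFILE, MONTH_ACTIVITY)["breached"])    # ['counterparty', 'geography']
    print(profile_deviation(PROFILE, ONE_DIM_ACTIVITY)["breached"])  # ['volume']
```

The second month breaches only the volume dimension, so the composite stays silent and the single-dimension volume rule (Rule 3) is the control expected to catch it.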

The 4-Stage Alert Investigation Workflow

Every tier-1 bank operates a standardised alert-investigation workflow that turns raw TM triggers into disposition decisions. The terminology varies (“triage” vs “Level 1,” “escalation” vs “Level 2”) but the four-stage structure is near-universal.

STAGE 1

Level 1 Triage

Front-line investigators review the raw alert against the KYC profile. Common outcomes: (a) benign economic rationale — customer profile clearly supports the activity; dispose with documented rationale; (b) insufficient data — route to request-for-information from customer or Relationship Manager; (c) escalate to Level 2 for deeper investigation.

SLA typically 24–48 hours. Productivity typically 30–80 alerts per analyst per day depending on rule type. QA samples 5–10% of output.

STAGE 2

Level 2 Investigation

Senior investigators build a case file: full transaction history, KYC file review, adverse media refresh, sanctions re-screening, counterparty deep-dive, network analysis (what other customers transact with this counterparty?). Outcome options: (a) dispose with escalation-depth rationale; (b) escalate to Level 3 for SAR/STR consideration; (c) recommend customer-facing action (EDD refresh, risk re-rating, account restriction).

STAGE 3

Level 3 SAR/STR Decision

Senior AML officers (reporting to MLRO) make the SAR/STR filing call. The decision is never mechanical — it requires judgement on whether the activity meets the statutory “suspicion” threshold. A SAR is filed when the filer has reasonable grounds to suspect that the transaction relates to proceeds of crime or terrorist financing. Under UK POCA, US BSA, EU 6AMLD, DFSA AML Module, and MAS Notice 626, the threshold is “suspicion,” not proof.

STAGE 4

Post-Filing Follow-Through

After SAR/STR submission, the bank continues to operate the account under any specific law-enforcement direction. Enhanced monitoring is standard. Internal actions: risk re-rating, EDD refresh, relationship review, potential exit. Exits themselves are carefully managed — tipping the customer off that a SAR has been filed is a criminal offence in most jurisdictions.

SLAs, Productivity, and Quality Expectations

Alert Type                                     | Typical SLA          | Typical Productivity | Accuracy Target
-----------------------------------------------|----------------------|----------------------|----------------
Sanctions alerts (real-time payment screening) | 2–4 hours            | 40–80/day            | 99.5%+
Sanctions alerts (customer-level screening)    | 4 hours – 1 day      | 40–100/day           | 99%+
PEP alerts                                     | 24–48 hours          | 40–100/day           | 98%+
Adverse media alerts                           | 48 hours – 5 days    | 20–60/day            | 97%+
TM rules-based alerts (Level 1)                | 3–5 business days    | 30–80/day            | 97%+
TM behavioural alerts (Level 1)                | 5–10 business days   | 15–40/day            | 97%+
Level 2 investigations                         | 10–20 business days  | 3–8 cases/day        | 98%+

How these numbers actually play out in daily work

A Level 1 TM investigator at a tier-1 KPO (eClerx, Genpact, WNS, Infosys BPM, Accenture Operations) typically carries a queue of 40–60 active alerts per day with mixed SLAs. The working rhythm is: morning queue review, sequential disposition through lower-complexity alerts, focused investigation on 2–4 escalation candidates, documentation of disposition rationale for every action. Evening typically includes QA responses on prior-day output. Accuracy is the non-negotiable metric — speed without accuracy doesn’t survive QA review cycles.

Real-World Transaction Monitoring Scenarios

Scenario 1 — Structuring alert at Barclays GCC Mumbai

An SME customer at Barclays GCC Mumbai triggers a structuring rule: 14 cash deposits of ₹49,000–₹49,500 within 11 days, totalling ₹6.85 lakh. Declared expected monthly cash was ₹3 lakh.

Workflow: Level 1 investigator reviews KYC file — declared NOB is small retail trading. No commercial rationale supports the pattern. Escalates to Level 2. Level 2 requests additional customer documentation and counterparty context. Inconsistent responses. Escalates to Level 3 for STR consideration. MLRO files STR with FIU-IND. Internal actions: customer risk re-rated to high, EDD refresh triggered, enhanced monitoring engaged. Relationship subsequently exited following law-enforcement guidance.

Scenario 2 — Funnel account pattern at JPMorgan London

A corporate customer at JPMorgan London — declared UK wholesale distribution business — triggers a funnel-account rule: 23 inbound wires across 11 jurisdictions in 18 days, same-day outbound consolidation to a single Singapore beneficiary.

Workflow: Level 1 flags the geographic concentration and same-day velocity. Level 2 builds the case: UBO trace reveals a nominee structure with a previously unidentified beneficial owner in a high-risk jurisdiction. Sanctions screening is refreshed on the new UBO. Adverse media surfaces a regulatory investigation in the UBO’s home jurisdiction. Level 3 files a SAR with the UK NCA. Relationship exited. Tipping-off considerations drive the wording of the exit communication.

Scenario 3 — Behavioural ML-based detection at Revolut

A retail customer at Revolut whose profile had been stable for 14 months suddenly triggers a behavioural-model anomaly alert: transaction timing pattern shift (from weekday business hours to late-night / weekend), new counterparty activation in two offshore jurisdictions, device-change signals at the same time.

Workflow: Level 1 investigator reviews. Rules-based TM had not independently triggered on any single dimension; the behavioural model flagged the combination. Investigator escalates. Level 2 identifies that the customer’s device and location history suggest account takeover or compromised credentials. Escalation to the fraud team runs in parallel with the AML track. Customer is contacted via verified channels and confirms the compromise. Account secured, funds recovered, SAR filed for typology reporting. This is behavioural TM working exactly as designed: catching a pattern signal that rules alone would miss.

Scenario 4 — Third-party payment alert at BNY

A fund-administrator customer at BNY triggers a third-party payment rule: inbound wires from 12 entities, only 3 of which match the customer’s declared counterparty list. Volume is within expected profile; counterparty identity is not.

Workflow: Level 1 escalates. Level 2 investigates the 9 unknown originators: 4 are legitimate new clients onboarded post-KYC refresh but not yet updated in the bank’s counterparty list; 3 are legitimate portfolio-company entities of an existing client; 2 remain unexplained. KYC refresh is triggered to update counterparty data; SAR is filed for the 2 unexplained originators pending further investigation. This is the scenario where strong investigator work distinguishes legitimate business-growth patterns from real layering activity.

Common TM Programme Failures

Failure 1: Rule thresholds tuned to alert volume, not risk

Under management pressure to reduce backlog, thresholds are widened until alert volume hits a target. Real hits get missed. Fix: threshold calibration is risk-based, documented with rationale, backtested against historical true positives, and reviewed at senior-management level.

Failure 2: KYC baseline not maintained

Expected-profile data stored at onboarding is never refreshed. The customer’s actual business evolves; the TM baseline doesn’t. Alerts become noise. Fix: KYC refresh cadence tied to TM operational needs; periodic review isn’t optional, it’s mandatory data maintenance.

Failure 3: Investigators clearing without rationale

Alerts disposed with “no suspicion identified” but no documented reasoning for why the specific activity is consistent with profile. Fix: every disposition carries a written rationale. QA enforces quality. Regulators read rationale memos first in file reviews.

Failure 4: Model governance gap on behavioural TM

ML models operating without documented feature importance, periodic bias testing, drift monitoring, or explainability. FCA, DFSA, and MAS all treat this as a first-order finding. Fix: model-risk-management framework with documented governance, at minimum matching SR 11-7 standards.

Failure 5: Defensive SAR filing

Investigators file SARs reflexively to protect themselves from later criticism, regardless of whether suspicion threshold is met. This is a pattern regulators specifically look for, and it undermines the intelligence value of the FIU pipeline. Fix: SAR quality is a KPI; investigator coaching on suspicion-threshold judgement is built into onboarding.

Interview Question: Walk Me Through a TM Investigation

Common question at JPMorgan, Goldman Sachs, Barclays, Citi, HSBC, BNY, Emirates NBD interviews for AML analyst, senior KYC, and TM roles:

“You get a TM alert on a customer with unusual inbound wires from a new high-risk jurisdiction. How do you investigate?”

Model Answer (Senior Analyst level):

“I start with the KYC baseline — customer type, declared NOB, expected counterparties, expected geographies, risk rating, UBO profile. Then I pull the full transaction history for the relevant window and compare actual activity against expected. For the flagged jurisdiction I run refreshed sanctions and PEP screening on any new originators, and refresh adverse media in English plus local language if material exposure. If I can reconcile the activity to legitimate commercial rationale — documented new business relationship, new counterparty with clean onboarding — I dispose with rationale and trigger a KYC refresh to capture the new counterparty. If there’s no legitimate reconciliation, I escalate to Level 2 with a case file showing the KYC baseline, the deviation, the sanctions and adverse-media refresh, and the counterparty network analysis. At Level 2 or Level 3 the judgement becomes whether the statutory suspicion threshold is met for SAR filing. Throughout, every disposition step is documented with rationale, because the investigator memo is the first thing a regulator reads in a file review.”

Why TM Capability Accelerates Your KYC Career

TM is one of the fastest accelerators out of pure KYC execution into broader Financial Crime Compliance roles. Analysts who understand how KYC data flows into TM, where the baselines matter, and how investigators think about profile deviation are the candidates who get moved into EDD teams, AML investigations, model-governance roles, and senior FCC positions. If your long-term ambition is to move beyond KYC into broader financial-crime work — AML analyst, investigator, FCC officer, or MLRO path — TM fluency is the bridge.

Choosing the right certification — TM vs KYC roles

Here’s where role-matching matters most. If your day-to-day is actually TM alert investigation, SAR/STR filing, typology work, and financial-crime case management — an AML-focused credential like CAMS fits your role. But most KYC professionals default to CAMS by reputation without matching it to what they actually do. If you’re in onboarding, CDD/EDD, UBO, and screening, a KYC-specific credential converts faster into KYC interviews. For pure KYC roles: GO-AKS (Globally Certified KYC Specialist), IKYCA (Internationally Certified KYC Specialist), and IR-KAM (Internationally Certified KYC Manager) are the direct-fit credentials. For crypto KYC and VASP contexts: C2KO (Certified Crypto KYC Officer) and C3O (Certified Crypto Compliance Officer). Pick the credential that matches the role you actually want to get promoted into — not the one with the most general recognition.
