Transaction Monitoring: A UK Firm’s Guide
Alert Design, Triage and the FCA’s Effectiveness Expectations
Transaction monitoring is the operational discipline of detecting potentially suspicious customer transaction patterns — the systematic surveillance of customer activity to identify behaviour inconsistent with the firm’s understanding of the customer, with stated commercial purpose, or with normal patterns. In modern UK regulated firms, transaction monitoring runs predominantly through automated systems generating alerts that are then triaged and investigated by financial crime analysts. Where investigation confirms suspicion, the firm files Suspicious Activity Reports with the National Crime Agency. The framework is required by Regulations 28(2)(c) and 28(11) of MLR 2017 and reinforced by the FCA’s Financial Crime Guide.
This guide explains how transaction monitoring works in practice — the regulatory framework, the architecture of modern transaction monitoring systems, the difference between rules-based and behavioural approaches, the alert investigation workflow, and the FCA’s increasing focus on effectiveness over volume. It also covers the recruitment dimension — what financial crime teams need to look like to operate transaction monitoring effectively, and the specialist roles that have emerged as the discipline has matured.
What’s missing from most online explanations of transaction monitoring is the practical operational detail. The regulations describe what monitoring must achieve; this guide describes what good transaction monitoring looks like in modern UK regulated firms — including the technology architecture, the calibration discipline, and the team capability that distinguishes effective monitoring from monitoring-by-volume.
The Regulatory Framework
Transaction monitoring is required by:
- Regulation 28(2)(c) of MLR 2017 — requiring ongoing monitoring of business relationships, including scrutiny of transactions to ensure they are consistent with the firm’s knowledge of the customer
- Regulation 28(11) of MLR 2017 — requiring scrutiny to be conducted on a risk-sensitive basis
- Regulation 33 of MLR 2017 — requiring intensified monitoring for EDD relationships (see our EDD Guide)
- The Proceeds of Crime Act 2002 — creating the SAR obligation that flows from suspicious activity identification (see our SARs Guide)
- The FCA Handbook — particularly the Financial Crime Guide, which sets out the FCA’s expectations on monitoring effectiveness
For the broader AML framework, see our MLR 2017 Compliance Guide and MLRO Guide.
Rules-Based vs Behavioural Monitoring
Transaction monitoring systems operate through two complementary approaches:
Rules-based monitoring
Rules-based scenarios apply specific predefined criteria to transaction data and generate alerts when criteria are met. Common rules-based scenarios include:
- Unusually large transactions — relative to customer profile or absolute thresholds
- Structured transactions — multiple transactions just below reporting or other regulatory thresholds
- Round-amount transactions — large round-figure transactions inconsistent with normal commercial activity
- High-velocity activity — unusual frequency or volume of transactions
- Cross-border patterns — transactions involving high-risk jurisdictions
- Counterparty patterns — repeated transactions with specific counterparties
- Cash-related activity — patterns of cash deposits or withdrawals
- Account dormancy followed by activity — sudden activity in previously inactive accounts
Rules-based monitoring is operationally straightforward — explicit criteria, predictable alert generation, easy to explain to regulators. The limitation is that sophisticated suspicious activity may not match predefined rules, and the alert volume can be high (with corresponding false positive burden).
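Two of the scenarios listed above, structured transactions and dormancy followed by activity, written out as an added example (not code from this guide or from any vendor platform). The threshold, band, window and dormancy period are illustrative assumptions, and the transactions are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# All parameters are illustrative assumptions, not regulatory values.
THRESHOLD = 10_000                    # hypothetical internal threshold (GBP)
NEAR_BAND = 0.90                      # "just below" = within 10% under the threshold
WINDOW = timedelta(days=7)            # look-back window for structuring
MIN_COUNT = 3                         # near-threshold transactions needed to alert
DORMANT_AFTER = timedelta(days=180)   # gap that counts as dormancy

# Constructed sample data: (customer, date, amount)
TXNS = [
    ("C1", date(2024, 3, 1), 9_500), ("C1", date(2024, 3, 3), 9_800),
    ("C1", date(2024, 3, 5), 9_200),   # three near-threshold payments in 5 days
    ("C2", date(2024, 3, 2), 9_900), ("C2", date(2024, 3, 20), 9_900),
    ("C3", date(2023, 6, 1), 200), ("C3", date(2024, 3, 4), 7_000),  # long gap
    ("C4", date(2024, 3, 1), 120), ("C4", date(2024, 3, 8), 80),
]

def by_customer(txns):
    """Group transactions per customer in date order."""
    grouped = defaultdict(list)
    for cust, day, amount in sorted(txns, key=lambda t: (t[0], t[1])):
        grouped[cust].append((day, amount))
    return grouped

def structuring_alerts(txns):
    """Alert when MIN_COUNT near-threshold transactions fall inside WINDOW."""
    alerts = []
    for cust, rows in by_customer(txns).items():
        near = [(d, a) for d, a in rows if NEAR_BAND * THRESHOLD <= a < THRESHOLD]
        for i, (start, _) in enumerate(near):
            window = [(d, a) for d, a in near[i:] if d - start <= WINDOW]
            if len(window) >= MIN_COUNT:
                alerts.append({"scenario": "structuring", "customer": cust,
                               "count": len(window),
                               "total": sum(a for _, a in window)})
                break  # one alert per customer is enough for triage
    return alerts

def dormancy_alerts(txns):
    """Alert on the first transaction after a gap of DORMANT_AFTER or more."""
    alerts = []
    for cust, rows in by_customer(txns).items():
        for (prev, _), (cur, amount) in zip(rows, rows[1:]):
            if cur - prev >= DORMANT_AFTER:
                alerts.append({"scenario": "dormancy_reactivation",
                               "customer": cust,
                               "gap_days": (cur - prev).days, "amount": amount})
    return alerts

if __name__ == "__main__":
    for alert in structuring_alerts(TXNS) + dormancy_alerts(TXNS):
        print(alert)
```

Customer C2's two near-threshold payments stay below `MIN_COUNT` and raise no alert, which is the kind of activity a fixed rule leaves unreviewed.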
Behavioural / risk-based monitoring
Behavioural monitoring uses statistical models, machine learning, or other techniques to identify activity inconsistent with each customer’s individual profile or with peer group norms. Behavioural approaches include:
- Customer-specific behavioural baselines — comparing current activity to the customer’s historical pattern
- Peer group comparison — comparing the customer to similar customer segments
- Anomaly detection — identifying activity that deviates significantly from expected patterns
- Network analysis — identifying unusual transaction networks or connections
- Machine learning models — trained on historic data to identify patterns associated with confirmed suspicious activity
Behavioural monitoring can detect suspicious activity that rules-based approaches miss — but the operational complexity is higher, model governance is required, and explainability to regulators can be more challenging.
Combined approaches
Modern transaction monitoring typically combines both approaches. Rules-based scenarios cover known typologies and explicit regulatory expectations; behavioural models add detection capability for novel patterns. The combination produces broader coverage with improved alert quality.
Transaction Monitoring System Architecture
A modern transaction monitoring system typically includes:
Data ingestion
Transaction data from the firm’s core processing systems — payments, trading, deposit and withdrawal activity, internal transfers — flows into the monitoring system in batch or real-time depending on the firm’s risk profile and architecture.
Customer profile data
Customer information from KYC and CDD systems — risk classification, expected activity profile, occupation, source of wealth, jurisdiction — feeds the monitoring system to enable comparison of actual to expected activity.
Reference data
Sanctions lists, PEP databases, high-risk country lists, internal watchlists, and other reference data that scenarios need to evaluate transactions against.
Scenario engine
The core component running rules-based and behavioural scenarios against transaction data, generating alerts when criteria are met or anomalies detected.
Alert workflow
Alerts are routed to financial crime analysts for triage and investigation. Workflow systems manage prioritisation, assignment, investigation steps, escalation, and disposition tracking.
Investigation tools
Tools supporting analyst investigation — customer activity history visualisation, network analysis, search across multiple data sources, document review, external information lookup (sanctions, PEP, adverse media).
Case management
Case management systems track investigations from alert through to disposition, including SAR filing where applicable, internal escalation, and customer relationship review.
Reporting and analytics
Management information on alert volumes, investigation outcomes, SAR filing rates, and scenario effectiveness — supporting both operational management and senior management reporting.
The Alert Investigation Workflow
When a scenario triggers an alert, a structured investigation workflow follows:
Step 1: Alert receipt and triage
Alerts are routed to financial crime analysts based on priority, customer risk classification, and scenario type. Initial triage determines whether the alert warrants substantive investigation or can be cleared based on readily available information.
Step 2: Customer review
The analyst reviews the customer’s profile — KYC information, risk classification, account activity history, prior alerts and investigations, related parties.
Step 3: Transaction analysis
Detailed analysis of the alert-triggering activity — transaction parties, amounts, dates, geography, transaction patterns over time, comparison to expected activity.
Step 4: External information
Where the alert warrants, external information is gathered — adverse media checks, public records, customer outreach for clarification, third-party data lookups.
Step 5: Disposition decision
Based on the investigation, the analyst reaches a disposition decision:
- Clear (no further action) — investigation explains the activity, no suspicious elements identified
- Clear with reason — investigation explains the activity but documents the reasoning for future reference
- Customer outreach — clarification requested from the customer to support disposition
- Internal escalation — escalated to senior analyst, MLRO, or financial crime committee for further review
- SAR filing — confirmed suspicion warranting SAR submission to the NCA. See our SARs Guide
- Customer relationship review — broader review of the customer relationship including potential exit
Step 6: Documentation and case closure
The investigation process and disposition rationale are documented for audit trail and future reference. Case closure includes any feedback to the scenario tuning process.
The False Positive Challenge
Transaction monitoring generates substantial volumes of alerts, the majority of which prove on investigation to be false positives — activity flagged by scenarios but ultimately not suspicious. False positive rates of 90-98% are common across the industry, meaning analyst time is heavily skewed toward investigating activity that turns out to be legitimate.
The false positive challenge has several dimensions:
- Resource allocation — high false positive rates absorb analyst capacity that could otherwise be deployed on substantive investigation
- Analyst fatigue — high false positive ratios can lead to “alert fatigue” where genuine alerts receive insufficient investigation
- System effectiveness — high false positive rates may indicate poorly tuned scenarios that should be refined
- Cost-benefit balance — running monitoring at scale that generates predominantly false positives is operationally inefficient
Effective frameworks balance false positive management with detection effectiveness. Strategies include scenario tuning to reduce false positives without compromising detection, customer-specific calibration based on profile, machine learning prioritisation to surface higher-priority alerts, and analyst training and tooling improvements.
Scenario Calibration and Tuning
Scenario design and ongoing calibration is one of the most consequential operational disciplines in transaction monitoring. Strong calibration practice includes:
- Threshold review — periodic review of scenario thresholds against current customer base and transaction patterns
- Effectiveness assessment — measuring scenario performance through productive alert rates (alerts leading to SARs or other substantive action)
- Coverage gap analysis — identifying typologies or risk areas not covered by existing scenarios
- Below-the-line testing — sampling activity that fell below alert thresholds to confirm no suspicious activity is being missed
- Scenario governance — formal change control process for scenario changes, with model risk management discipline
- Regular tuning cycle — typically annual at minimum, with more frequent review of higher-risk scenarios
One of the FCA’s increasing focus areas in transaction monitoring supervision is below-the-line testing — sampling activity that fell below alert thresholds to confirm the firm’s scenarios are catching the activity they should. Firms whose calibration discipline is purely top-down (looking only at alerts generated) miss the question of whether the right activity is being alerted in the first place. Strong frameworks include systematic sampling of below-threshold activity with manual review, providing assurance that scenario coverage is appropriate.
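The two calibration measures described above, productive alert rate per scenario and a below-the-line sample for manual review, as an added example (not code from this guide). The scenario names, threshold, sampling band and all alert and transaction records are constructed assumptions; the set of productive dispositions follows the guide's definition of substantive action.

```python
import random
from collections import Counter

# Dispositions counted as substantive action: SAR filing, internal
# escalation, customer relationship review.
PRODUCTIVE = {"sar_filed", "internal_escalation", "relationship_review"}

# Constructed alert history: (scenario, disposition)
ALERTS = (
    [("large_txn", "clear")] * 46 + [("large_txn", "sar_filed")] * 3
    + [("large_txn", "internal_escalation")] * 1
    + [("round_amount", "clear")] * 39
    + [("round_amount", "clear_with_reason")] * 1
)

THRESHOLD = 10_000  # hypothetical: the scenario alerts at amount >= THRESHOLD
# Constructed transactions: (txn_id, amount)
TXNS = [(f"T{i:03d}", amt) for i, amt in enumerate(
    [12_000, 9_950, 9_400, 8_100, 7_900, 7_600, 5_000, 3_200,
     9_990, 8_800, 450, 60])]

def productive_alert_rates(alerts):
    """Share of each scenario's alerts that ended in substantive action."""
    total, productive = Counter(), Counter()
    for scenario, disposition in alerts:
        total[scenario] += 1
        if disposition in PRODUCTIVE:
            productive[scenario] += 1
    return {s: productive[s] / total[s] for s in total}

def below_the_line_sample(txns, threshold, band=0.25, k=4, seed=2024):
    """Pick k non-alerting transactions within `band` below the threshold."""
    floor = threshold * (1 - band)
    population = sorted(t for t in txns if floor <= t[1] < threshold)
    rng = random.Random(seed)  # fixed seed so the sample is reproducible
    if len(population) <= k:
        return population
    return sorted(rng.sample(population, k))

def missed_rate(sample, reviewer_findings):
    """Share of sampled items that a manual reviewer judged suspicious."""
    hits = sum(1 for txn_id, _ in sample if reviewer_findings.get(txn_id))
    return hits / len(sample) if sample else 0.0

if __name__ == "__main__":
    print(productive_alert_rates(ALERTS))
    print(below_the_line_sample(TXNS, THRESHOLD))
```

A scenario with a productive rate near zero and a non-zero `missed_rate` in its below-the-line sample is a candidate for retuning through the firm's change control process.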
The FCA’s Effectiveness Focus
The FCA’s supervisory approach to transaction monitoring has evolved meaningfully over recent years, with increasing focus on operational effectiveness over documentary compliance:
Productive alert rates. The FCA examines what proportion of alerts lead to substantive action — SAR filings, internal escalation, customer relationship reviews. Frameworks generating high alert volumes with low productive rates are flagged.
Scenario coverage. The FCA examines whether scenarios cover the typologies relevant to the firm’s risk profile. Generic scenario sets that don’t reflect the firm’s specific risk exposures are inadequate.
Below-the-line assurance. Discipline around testing activity below alert thresholds is examined as evidence that the scenario framework is calibrated appropriately.
Investigation quality. Sample reviews of investigations examine whether analysts conducted substantive investigation or reached a disposition based on superficial review.
Model governance. For firms using behavioural or machine learning approaches, model governance discipline (development, validation, ongoing monitoring) is examined.
Senior management engagement. Whether senior management — the MLRO, the SMF1, the financial crime committee — engages substantively with transaction monitoring effectiveness or treats it as operational delegation.
Sector-Specific Transaction Monitoring
Banks and credit institutions
Bank transaction monitoring operates across enormous volumes — tens or hundreds of millions of transactions annually for larger banks. The technology requirements are substantial, the team capacity needed is large, and the calibration challenge is complex due to customer base diversity.
Payments and e-money firms
Payments firm monitoring focuses on transaction velocity, cross-border patterns, sanctions exposure on cross-border flows, fraud-AML integration, and the increasingly active FCA agenda on payments firm conduct. The post-2022 sanctions environment has substantially elevated the monitoring burden in this sector.
Wealth management and private banking
Wealth management monitoring focuses on lower volumes but higher value transactions, with substantial PEP and EDD overlay. Source of funds verification at transaction level is more prominent than in retail banking.
Asset management
Asset management monitoring is often delegated to fund administrators and transfer agents at investor level, with the firm retaining accountability and oversight responsibility.
Cryptoasset firms
Cryptoasset transaction monitoring includes blockchain analytics integration — tracing source of funds through blockchain transactions, screening against sanctioned wallet addresses, and identifying high-risk patterns specific to cryptoasset activity.
Common Transaction Monitoring Pitfalls
Generic scenario sets. Implementing vendor-default scenario sets without firm-specific calibration produces frameworks that don’t reflect the firm’s actual risk profile.
Over-reliance on rules-based monitoring. Where the framework consists exclusively of rules-based scenarios with no behavioural or anomaly-based detection, sophisticated suspicious activity may be missed entirely.
Inadequate scenario tuning. Scenarios implemented at go-live and not subsequently calibrated drift away from effectiveness as customer base and transaction patterns evolve.
Productive alert rates not measured. Frameworks that don’t measure what proportion of alerts lead to substantive action have no feedback mechanism to identify ineffective scenarios.
Below-the-line testing absent. No systematic sampling of below-threshold activity means the firm cannot demonstrate that its scenario coverage is appropriate.
Inadequate model governance for behavioural approaches. Where machine learning models are deployed without development documentation, validation, ongoing performance monitoring, and explainability work, the framework has model risk exposure.
Investigation workflow weakness. Where alerts are dispositioned by analysts under productivity pressure with limited substantive investigation, the framework’s effectiveness fails at the human review stage regardless of scenario quality.
Inadequate technology platform. Where the monitoring platform cannot handle transaction volume, integrate the data sources needed, or support the workflow effectively, operational issues compound.
Transaction Monitoring and Recruitment
Effective transaction monitoring requires several specialist roles:
- Head of Transaction Monitoring — overall accountability for the framework’s effectiveness, increasingly common as a dedicated role in larger firms
- Senior financial crime analysts — handling complex investigations, escalation cases, and SAR drafting
- Financial crime analysts — operational team handling alert triage and standard investigations
- Scenario design and calibration specialists — bridging financial crime knowledge and data analysis to design and tune scenarios
- Model risk management specialists — for firms using behavioural or machine learning approaches
- Financial crime technology specialists — owning monitoring platform effectiveness
- MLRO oversight — providing senior accountability for the framework and engaging with FCA dialogue. See our SMF17 Guide
The candidate market for senior transaction monitoring roles has tightened materially since 2022. Strong candidates with hands-on experience designing effective scenarios, leading calibration disciplines, and managing FCA dialogue on monitoring effectiveness are genuinely valuable.
A Note from Our Founder — Adrian Lawrence FCA
Transaction monitoring is the operational engine room of AML compliance — the daily, hourly process of looking at customer activity to identify what shouldn’t be happening. The firms that get it right invest in scenario design, ongoing calibration, productive alert rate measurement, and analyst capability. The firms that don’t typically experience the consequences during FCA supervisory dialogue or, worse, when failures emerge through external events.
The recruitment angle that comes up most often in our placements is the difficulty of sourcing candidates who understand the operational discipline behind effective transaction monitoring. Strong candidates have personally designed scenarios, led calibration cycles, measured productive alert rates, conducted below-the-line testing, and engaged with FCA dialogue on monitoring effectiveness. The candidate pool for this combination of skills is genuinely tight, and demand has grown faster than supply since 2022.
For senior MLRO and Head of Financial Crime roles, the transaction monitoring framework dimension has become an essential interview topic. Hiring boards looking for senior financial crime leaders should expect candidates to ask probing questions about scenario design philosophy, technology platform, productive alert rates, and recent regulatory dialogue — and to factor the answers into their decision.
At FD Capital we work on senior financial crime mandates regularly across UK regulated firms. If you are recruiting Head of Transaction Monitoring, MLRO, Head of Financial Crime, or senior financial crime analysts, I’m happy to have a direct conversation.
Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383
Hire Transaction Monitoring and Financial Crime Specialists
Effective transaction monitoring requires specialist scenario design, calibration discipline and team capability. FD Capital places Heads of Transaction Monitoring, MLROs, Heads of Financial Crime, and senior financial crime analysts across UK regulated firms.
Further Reading and Authoritative Sources
For the regulatory framework, see MLR 2017, particularly Regulation 28. For FCA expectations, see the Financial Crime Guide. The JMLSG Guidance provides detailed sector-specific implementation guidance for transaction monitoring.
Related Guides: AML and Financial Crime
Part of FD Capital’s series of practical guides for FCA-regulated firms: MLRO Guide — Pillar | Customer Due Diligence (CDD) | Enhanced Due Diligence (EDD) | Know Your Customer (KYC) | Politically Exposed Persons (PEPs) | Sanctions Screening | MLR 2017 Compliance Guide | Suspicious Activity Reports (SARs) | SMF17 — The MLRO Function




