Transaction Monitoring Tuning: Balancing Detection and Noise

Transaction monitoring is only as good as its calibration. A system generating hundreds of unactionable alerts daily is not more effective than one generating ten meaningful ones — it may be less effective, because alert fatigue erodes the quality of the human review that makes monitoring useful.

Transaction monitoring — the automated detection of transactions that may indicate money laundering or terrorist financing — is a requirement of the MLR 2017 and a core component of every AML compliance framework at FCA-regulated firms. The challenge is not in having transaction monitoring: it is in having transaction monitoring that is calibrated to the firm’s actual risk profile, generates alerts that are genuinely investigable, and is reviewed and adjusted over time as the firm’s business and the financial crime landscape evolve.

The Fundamental Trade-off

Every transaction monitoring system operates within a sensitivity-specificity trade-off. Sensitivity is the system’s ability to detect genuine suspicious transactions — the proportion of actual money laundering activity that generates an alert. Specificity is the system’s ability to avoid alerting on legitimate transactions — the proportion of legitimate transactions that do not generate a false positive alert. These two objectives pull in opposite directions: increasing sensitivity typically reduces specificity and vice versa.

No monitoring system achieves perfect sensitivity and specificity simultaneously. The goal of tuning is to find the calibration point that maximises detection of genuinely suspicious activity while keeping the false positive rate at a level that the compliance team can review effectively — and that does not create alert fatigue that degrades the quality of investigation for every alert, including the genuine ones.

Scenario Development: Starting with the Right Questions

Transaction monitoring rules — the scenarios that trigger alerts — should be derived from the firm’s firm-wide risk assessment. If the risk assessment identifies a concentration of customers sending remittances to high-risk jurisdictions as an elevated risk, the monitoring should include a scenario targeting high-frequency low-value transfers to those jurisdictions. If the risk assessment identifies structuring — cash transactions deliberately kept below reporting thresholds — as a relevant risk, the monitoring should include a structuring detection scenario.

Many firms start with a standard set of scenarios provided by their monitoring system vendor. This is a reasonable starting point, but generic scenarios are calibrated to a generic customer profile — not the firm’s specific mix. A firm whose customers are predominantly retail consumers sending small domestic payments has a very different risk profile from one processing large cross-border corporate payments, and the scenarios that are meaningful for one will generate very different alert volumes for the other.

Threshold Setting and Calibration

Each monitoring scenario has one or more thresholds — the values at which the rule generates an alert. A velocity scenario might trigger at five or more transactions within 24 hours. A large transaction scenario might trigger at £10,000 or more. Choosing these thresholds is the core calibration task, and it requires empirical testing rather than guesswork.

Effective threshold calibration involves running the proposed scenario against historical transaction data to assess the resulting alert volume, the profile of alerted customers, and — where the data is available — the proportion of alerts that relate to previously identified suspicious activity. A threshold that generates 500 alerts per day, of which 498 close as false positives, is miscalibrated regardless of whether it is theoretically detecting the right pattern. The threshold should be adjusted until the alert volume is investigable and the proportion of alerts requiring escalation is meaningful.

Thresholds should also be set in the context of the customer segment they apply to. A £5,000 single transaction alert may be appropriate for a retail consumer product where most customers transact in hundreds of pounds, but will generate constant false positives on a corporate payments product where five-figure transactions are routine. Segmented thresholds — different values for different customer or product types — produce significantly better calibration than a single threshold applied across the whole customer base.

Alert Disposition and Quality

The quality of transaction monitoring is ultimately determined by the quality of alert disposition — how alerts are investigated and resolved. An alert that is closed in seconds with a note of “known customer, regular transaction” provides no value and represents a risk if the pattern it is flagging is genuinely suspicious. An alert that is investigated with reference to the customer’s profile, transaction history, stated business purpose and any available open-source intelligence provides evidence that the monitoring programme is functioning as intended.

Alert disposition quality should be monitored by the compliance function. Key indicators include: average time to close alerts; proportion of alerts escalated to the MLRO for SAR consideration; proportion of alerts escalated that result in a SAR filing; and proportion of alerts closed as false positives by reason. Trends in these indicators — particularly a rising false positive rate or a declining escalation rate — signal that the monitoring calibration may need review, or that the quality of analyst review is deteriorating.

Annual Review and Ongoing Maintenance

Transaction monitoring calibration is not a one-time exercise. The FCA expects firms to review their monitoring scenarios and thresholds at least annually, and additionally following: significant changes to the firm’s customer base or product range; new money laundering typologies identified by the NCA, FATF or industry bodies; significant changes to the firm’s geographic exposure; and internal findings — including SAR analysis and suspicious activity patterns identified by relationship managers — that suggest the existing scenarios are not capturing relevant risk.

The annual review should be documented and approved by the MLRO. The documentation should cover: the scenarios reviewed; the thresholds assessed; the rationale for any changes made; and the testing methodology used to validate the post-change calibration. This documentation is the evidence base for demonstrating to the FCA that the transaction monitoring programme is actively managed rather than passively operated.

FCA Supervisory Expectations

The FCA’s AML supervision consistently finds transaction monitoring as one of the most commonly deficient elements of firms’ financial crime frameworks. The most frequently identified failings are: scenarios that have not been reviewed or updated since initial implementation; thresholds that have not been calibrated to the firm’s actual customer profile; alert volumes that are too high to allow effective investigation; and alert disposition records that do not evidence genuine investigation. Firms that can demonstrate active, documented management of their monitoring calibration — supported by a trail of scenario reviews, threshold testing and alert quality metrics — consistently fare better in FCA supervisory engagement than those that treat monitoring as a set-and-forget compliance obligation.

Key References

• Money Laundering Regulations 2017
• NCA — UK Financial Intelligence Unit guidance