
Transaction-monitoring rules that match your business model.

Off-the-shelf monitoring rules generate noise. This guide covers the discipline of calibrating thresholds to actual flows, so that the alerts your team reviews are the alerts that matter.

Updated May 2026 · Series: AML programs

Transaction monitoring is the single AML control that consumes the most operational time and produces the most regulator-facing evidence. It is also the control most often outsourced to a vendor with a default rule set, which leaves the platform's compliance team reviewing alerts that have very little to do with the platform's actual risk.

The fix is not a different vendor. It is the discipline of treating monitoring rules as a calibrated control — owned by compliance, reviewed regularly, and tuned to the flows that matter.

What "off-the-shelf" gets wrong

  • Generic dollar thresholds. A $10,000 single-transaction threshold makes sense for some businesses. For others, it sits below median customer activity and produces thousands of false positives. For still others, it sits two standard deviations above any real customer transaction and never fires.
  • Pattern rules calibrated to retail banking. Structuring rules and round-trip rules calibrated for personal accounts generate many false positives in a marketplace, payroll, or B2B-payments context.
  • Sanctions screening with no escalation logic. A vendor screens names; a real control includes the disposition workflow — who reviews matches, with what tools, on what timeline, with what documentation.
  • One-size velocity rules. "More than five transactions in an hour" means something different for a crypto platform, for a remittance business, and for a payment processor.

The calibration workflow

1. Start from the risk assessment

Monitoring rules should be derived from the risk assessment — not adopted from a vendor's defaults and reconciled with the assessment afterward. If the risk assessment names cross-border money movement to high-risk jurisdictions as a primary risk, the monitoring rules should target it specifically.

2. Profile the actual flows

Before any rule is configured, look at the distribution of real transactions across the business. Median, 75th percentile, 95th percentile, 99th percentile. By customer segment. By corridor. By product. Rules without this baseline are guesses.

3. Set thresholds against the distribution, not against the regulation

The $10,000 LCTR reporting threshold is a reporting obligation, not a monitoring rule. Monitoring rules are tuned to catch the patterns that lead to suspicious-transaction reports, structuring, and sanctions evasion — most of which happen below the reporting threshold. A platform whose largest typical transaction is $2,500 should have monitoring rules calibrated for that scale.

4. Build rules in layers

  • Hard-stop rules: sanctions hits, blocked jurisdictions, prohibited customer types. These produce alerts that must be reviewed before the transaction proceeds (or, in some architectures, are blocked outright).
  • Investigative rules: patterns suggestive of structuring, layering, unusual velocity, or unusual destinations. These produce alerts reviewed within a defined window — usually 24 to 72 hours.
  • Periodic-review rules: patterns visible only over time — gradual escalation, cumulative thresholds, multi-account aggregation. These run on a rolling basis and feed customer reviews rather than individual transaction reviews.

5. Tune by looking at outcomes

Every month, look at: how many alerts each rule produced, how many became STRs, how many became case escalations, how many were closed with no finding. Rules with 99% no-finding closures are noise; either retire them or tighten them. Rules with 0% findings may need to be loosened — or may indicate a real flow pattern your rule shape is missing.

6. Document the methodology

Examiners will ask why a threshold is set where it is. "The vendor's default" is not an answer. "The 95th percentile of customer activity in this corridor, with a 20% buffer, set by the compliance officer on [date] and reviewed quarterly" is.
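The sketch below works through steps 2, 3, 5 and 6 on constructed data. It is an added example, not code from this guide or from any monitoring vendor: the function names, field names, corridors and rule names are hypothetical, and treating a rule with no alerts as a separate case is an assumption made to avoid computing a rate from zero.

```python
from collections import defaultdict

def percentile(values, p):
    """Nearest-rank percentile: smallest value with at least p% of the data at or below it."""
    ordered = sorted(values)
    rank = max(1, (p * len(ordered) + 99) // 100)  # integer ceil(p * n / 100)
    return ordered[rank - 1]

def profile_flows(transactions, key):
    """Step 2: amount distribution per segment, corridor or product."""
    groups = defaultdict(list)
    for txn in transactions:
        groups[txn[key]].append(txn["amount"])
    return {g: {p: percentile(amts, p) for p in (50, 75, 95, 99)}
            for g, amts in groups.items()}

def derive_threshold(profile, group, pct=95, buffer=0.20,
                     set_by="compliance officer", set_on="[date]"):
    """Steps 3 and 6: threshold taken from the distribution, derivation recorded with it."""
    value = round(profile[group][pct] * (1 + buffer), 2)
    return {"group": group, "threshold": value,
            "derivation": f"{pct}th percentile + {buffer:.0%} buffer",
            "set_by": set_by, "set_on": set_on, "review": "quarterly"}

def review_outcomes(alert_stats, noise_rate=0.99):
    """Step 5: classify each rule by its monthly no-finding closure rate."""
    actions = {}
    for rule, s in alert_stats.items():
        if s["alerts"] == 0:
            # Assumption: no alerts means there is no rate to compute.
            actions[rule] = "no alerts this month: compare threshold to profile"
        elif s["no_finding"] / s["alerts"] >= noise_rate:
            actions[rule] = "noise: retire or tighten"
        else:
            actions[rule] = "keep"
    return actions

# Constructed sample data (not real transactions or real alert counts).
TXNS = ([{"corridor": "CA-PH", "amount": a} for a in range(100, 2100, 100)] +
        [{"corridor": "CA-US", "amount": a} for a in range(1000, 21000, 1000)])
STATS = {"single_txn_10k": {"alerts": 400, "no_finding": 398},
         "corridor_p95": {"alerts": 40, "no_finding": 31},
         "velocity_5_per_hour": {"alerts": 0, "no_finding": 0}}

if __name__ == "__main__":
    prof = profile_flows(TXNS, "corridor")
    for corridor in prof:
        print(derive_threshold(prof, corridor))
    print(review_outcomes(STATS))
```

The two corridors end up with thresholds an order of magnitude apart, which is the point of profiling per corridor rather than applying one dollar figure across the book.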

Common rule families and what to watch for

  • Structuring detection: calibrate to the reporting threshold relevant to your activity, but also to your average ticket size. Below-threshold structuring at half the standard threshold catches more in a remittance business than in a B2B-payments context.
  • Unusual destination: "first transaction to this country" or "first transaction to this counterparty" rules work well when the customer base has stable corridors. They produce noise in marketplaces.
  • Velocity: tune to the customer segment. A power user with daily transactions is a velocity signal in one business and normal in another.
  • Round-trip: funds in and back out within a short window. Strong signal in crypto on/off-ramp contexts; less informative in payment-processor contexts.
  • Sanctions and PEP: the rule fires; the human review and the documented disposition are the control. Examiners read disposition logs more than they read rule descriptions.

Quality of disposition matters as much as quality of rules

A great monitoring rule with sloppy alert disposition is a finding. A modest monitoring rule with thorough disposition is a defensible control. Examiners are more impressed by a clean disposition log than by a complex rule library.

What "calibrated" looks like in practice

  • Each active monitoring rule has a documented purpose, threshold derivation, and review date.
  • The compliance officer (or AML lead) signs off on the rule set quarterly.
  • Alert volumes are tracked by rule, with retirement or re-tuning when no-finding rates exceed a defined threshold.
  • STR filings can be traced back to specific alerts, with the rule and threshold visible.
  • The relationship between rules and the risk assessment is explicit and updated when either changes.
