Fraud & Compliance / Learning brief
AML transaction monitoring
Your notes
In simple terms / 01
What this means in plain language
Anti-money-laundering transaction monitoring reviews many transactions over time for patterns that suggest financial crime, after they settle rather than in the payment path. Alerts that survive investigation become suspicious activity reports filed with the authorities.
Anti-money-laundering (AML) transaction monitoring looks across many transactions over time to find behaviour that may indicate money laundering or other financial crime. It is deliberately different from sanctions screening. Screening is a gate in the payment path: it compares each payment against lists and can stop it within seconds. Monitoring is a review after the fact: transactions accumulate in a data store, and detection scenarios run across that history — often overnight — to flag patterns a single payment would never reveal. Because it runs after settlement, monitoring does not usually stop a payment; it produces an alert. A trained investigator then examines the account, the customer's expected behaviour, and the surrounding activity. Most alerts turn out to be explainable and are closed with a documented reason. When suspicion remains, the institution files a suspicious activity report (SAR) with the national financial intelligence unit. The report, not a block, is the output of the control.
Complete lesson / 02
Understand the full idea, step by step
Think of two very different security jobs. One is the guard at the door, checking each person against a list before letting them in. The other reviews the night's camera footage the next morning, looking for the pattern no single frame could reveal. Sanctions screening is the guard. Anti-money-laundering transaction monitoring is the review of the footage — and confusing the two is one of the most common mistakes beginners make.
AML transaction monitoring — Anti-Money-Laundering
Transaction monitoring reviews many transactions over time for patterns that suggest financial crime. Transactions settle first, accumulate in a data store, and detection scenarios run across that history — commonly as overnight batch jobs, sometimes more frequently. Because the signal lives in the pattern — the sequence, the velocity, the relationships between accounts — monitoring works on behaviour over time, not on a single message in flight.
| Sanctions screening | AML transaction monitoring | |
|---|---|---|
| When it runs | Before execution — the payment is in flight | After settlement — across accumulated history |
| Question it answers | Is a party to this one payment on a list? | Does this account's behaviour over weeks look like crime? |
| Unit it examines | A single message | A pattern across many transactions |
| What it produces | A hold or a block on the payment | An alert for a human to investigate |
If monitoring spots laundering, why does it not just stop the payment like screening does?
Because by the time the pattern is visible, the individual payments have already gone. Screening can hold one payment because it judges that payment before it leaves. Monitoring judges a sequence, which only exists once the payments have settled and accumulated. So its output is not a block but an alert — a question raised for an investigator, not a verdict passed on a transaction. Some monitoring now runs closer to real time, and the boundary with fraud detection can blur, but the after-the-fact, pattern-level character is what defines the control.
What the scenarios look for
Detection scenarios encode patterns associated with money laundering, and they work by testing behaviour against expectation. One family compares activity to the customer's known profile — a personal account suddenly moving sums far beyond its declared income. Another looks at the shape of flows — funds arriving and leaving almost at once, or many small inbound amounts consolidated and moved onward. Others examine networks — accounts transacting in tight circles, or funds routed through several parties with no apparent economic purpose. Increasingly, statistical models supplement fixed rules, scoring how anomalous an account looks rather than testing one threshold.
From alert to outcome
- VALIDATION
A scenario fires against the settled history and creates an alert; the account and its activity enter a case.
- VALIDATION
Maya gathers the evidence: the transaction history, the customer's expected profile from KYC records, the counterparties, and any adverse media or prior alerts.
- VALIDATION
She decides whether the behaviour has a legitimate explanation. Most alerts do — they are closed with a documented rationale.
- NOTIFICATION
Where suspicion remains and cannot be explained away, the case is escalated toward a suspicious activity report; either way, the decision and its reasoning are recorded for later review.
COMMON CONFUSION
“An alert means the bank has caught a launderer.”
An alert is a question, not a finding. Many of these patterns have entirely legitimate explanations — a business with genuinely fast turnover, a one-off large sale — which is exactly why a human investigates before anything is reported. The control is working when it directs limited investigative attention to where risk is most concentrated, not when it produces the most alerts.
STRICTLY SPEAKING
Strictly speaking, which scenarios a bank runs, at what thresholds, and how often, are set by its own documented risk assessment — the relevant typologies differ by customer base, product, and geography, and an unexplained scenario setting is treated as a weakness in itself. Confirmed-suspicion outcomes and false-positive rates then feed back into which scenarios run and how they are tuned. The parameters are policy choices to point at, not fixed numbers to quote.
FOR NOW, REMEMBER
- Screening is a pre-execution gate on one payment; monitoring reviews settled activity over time for patterns.
- Monitoring does not usually stop a payment, because the pattern is only visible once the payments have gone — its output is an alert, not a block.
- Scenarios test behaviour against expectation: the customer's profile, the shape of flows, and the network of counterparties.
- An alert is a question a human must investigate; most have legitimate explanations, and every decision is documented.
TRY IT YOURSELF
A customer's account shows funds arriving and leaving within minutes, repeatedly, over three weeks. Which control is designed to surface this, and what does surfacing it produce?
We named a few shapes monitoring looks for. The next lesson names them properly — structuring, rapid movement, round-tripping — as detection signals, and shows how scenarios surface each one.
KEEP GOINGKey takeaways / 03
Three things to remember
- 01
AML (anti-money-laundering) transaction monitoring detects patterns across many transactions after they settle, unlike real-time screening, which stops a single payment at a gate.
- 02
It flags behaviour, not names — activity that is unusual for the customer or consistent with known money-laundering patterns — and produces alerts, not automatic blocks.
- 03
An alert that survives investigation becomes a suspicious activity report (SAR) filed with the authorities; the payment has usually already settled.
Practical use cases / 04
Where you would use this
Monitoring teams review scenario alerts each day, clearing explainable activity and escalating cases where the behaviour has no legitimate explanation.
Investigators assemble the account history, customer profile, and counterparties into a case to decide whether to file a suspicious activity report.
Financial-crime risk teams tune scenario thresholds against the institution's risk assessment to balance missed activity against false-positive volume.
Worked example / 05
Put the idea into a real situation
Illustrative example: a fictional bank, Harbour Union Bank, monitors an account belonging to Kite & Co, a small consultancy whose declared profile is a few large invoices per month. A detection scenario flags the account after it receives 43 inbound transfers of between EUR 2,800.00 and EUR 3,400.00 within eight days, followed by near-total withdrawals. Nothing was stopped in real time — the payments settled. An investigator compares the pattern against the expected profile, finds no matching business rationale, and cannot explain it from the file. The case is escalated and a suspicious activity report (SAR) is filed with the financial intelligence unit within the required deadline. The account behaviour over time, not any single payment, is what the control caught.
Evidence & review / 07
Evidence & review
AML transaction monitoring as a post-settlement, pattern-level control, contrasted with pre-execution sanctions screening; scenario libraries, thresholds, and run cadence are institution- and jurisdiction-specific.
What this brief simplifies: Describes monitoring as batch-oriented for clarity; real programmes mix batch, intraday, and near-real-time monitoring, use both rules and statistical models, and vary the alert-to-case workflow. No thresholds or timing parameters are stated as fixed numbers.
Sources for this brief3
- Official requirement
The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation ↗ — Financial Action Task Force · Recommendation 20 (suspicious transaction reporting); Recommendation 1 (risk-based approach)
Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.
- Market practice
Wolfsberg Group Payment Transparency Standards ↗ — The Wolfsberg Group · Distinction between real-time screening and post-settlement monitoring
The 2023 standards replace the 2017 version and are supplemented by separate Wolfsberg guidance on roles and responsibilities in payment chains.
- Simplified educational illustration
Payments Signal editorial teaching models — Payments Signal · Maya's rapid-movement case and the screening-vs-monitoring comparison
Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.