How transaction monitoring meets the Money Laundering Regulations, what the FCA expects on tuning and alerts, and the link to suspicious activity reports.

Transaction monitoring is the day to day engine of anti money laundering compliance. It is the process by which a firm scrutinises the payments, transfers and account activity flowing through a business relationship, and asks a simple question of each one: does this fit what we know about this customer? When activity does not fit, the firm investigates, and where suspicion arises it reports. Done well, monitoring turns customer due diligence from a one off onboarding exercise into a living control. Done badly, it produces a flood of alerts nobody can work through and a false sense of safety.
The obligation is not optional. Regulation 28(11) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires firms to conduct ongoing monitoring of every business relationship. The Financial Conduct Authority sets clear expectations on how monitoring systems should be built, calibrated and reviewed, and the Joint Money Laundering Steering Group provides detailed guidance on making it work in practice. Weak monitoring is one of the failings the FCA finds most often in its financial crime supervision.
This guide sets out what the law requires, how rules based and behavioural approaches differ, how alerts move from generation to investigation to a suspicious activity report, and how to keep a system tuned so it detects real risk without drowning your team in noise. It is written for compliance officers, MLROs and operations teams who need a practical, UK grounded reference.
The starting point is regulation 28(11) of the Money Laundering Regulations 2017. It defines ongoing monitoring of a business relationship as, first, the scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile. Second, it requires undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up to date.
Two things follow from that wording. Monitoring is a continuing obligation that runs for the life of the relationship, not a check performed only at onboarding. And it is explicitly tied back to what the firm knows about the customer, which means monitoring is only as good as the customer due diligence that underpins it. Stale occupation data, missing information on the expected purpose of an account, or an out of date risk rating will all undermine the ability to judge whether a transaction is consistent with the customer profile.
The regulations also require firms to be able to demonstrate to their supervisor that the extent of the measures taken is appropriate in view of the money laundering and terrorist financing risks they face, including the risks identified in their own written risk assessment. Monitoring is therefore risk based by design: the intensity of scrutiny should reflect the risk presented by the customer, product and channel, rather than applying a single flat approach across the book.
Most firms rely on some form of automated monitoring, and the FCA recognises the use of an automated system to monitor transactions as good practice. There are two broad approaches, and mature programmes usually combine them. Rules based monitoring applies fixed scenarios and thresholds: for example, a cash deposit above a set amount, a payment to a higher risk jurisdiction, or a pattern of transfers just below a reporting threshold. It is transparent and easy to explain, which matters because the FCA expects staff to understand the threshold and rule rationales.
Behavioural monitoring, sometimes called anomaly detection, builds a picture of what is normal for an individual customer or peer group and flags departures from that baseline. It can catch activity that no single fixed rule would trigger, such as a gradual change in behaviour or a transaction that is unremarkable in isolation but unusual for that particular customer. The FCA points firms towards taking a holistic view of customer behaviour and drawing on a range of data rather than relying on transaction by transaction analysis alone, and towards monitoring at multiple levels, including the transaction, account, customer and linked entity.
Neither approach is a silver bullet. Rules can be brittle and generate high volumes of routine alerts. Behavioural models can be opaque, and the FCA warns against a lack of an understanding of what the system is detecting and why. The practical answer is to tailor the monitoring rules to your business, risk and relevant typologies, to test them against known cases, and to keep records that explain why each rule exists. If you are designing controls across payments and onboarding, our transaction monitoring and control tooling is built around these same regulatory expectations.
| Feature | Rules based monitoring | Behavioural monitoring |
|---|---|---|
| How it works | Fixed scenarios and thresholds applied to every transaction | Compares activity against a learned baseline for the customer or peer group |
| Strengths | Transparent, explainable, easy to evidence to a supervisor | Detects subtle anomalies and gradual changes no single rule would catch |
| Weaknesses | Can be brittle and generate high volumes of routine alerts | Can be opaque; harder to explain what it detects and why |
| FCA expectation | Understand the threshold and rule rationales; tailor to typologies | Take a holistic view of behaviour across transaction, account and customer |
| Best used for | Clear regulatory triggers and known typologies | Complex relationships and evolving patterns of activity |
Monitoring generates value only when alerts are investigated and acted on. When a rule fires or a model flags an anomaly, an analyst reviews the alert against the customer profile, transaction history and any supporting information, then reaches a decision. Many alerts are closed as consistent with the customer's known activity. Where activity cannot be rationally explained, it may point to money laundering or terrorist financing, and the analyst escalates it.
The reporting duty sits in the Proceeds of Crime Act 2002. Under section 330, a person in the regulated sector must make a disclosure where they know or suspect, or have reasonable grounds for knowing or suspecting, that another person is engaged in money laundering, and the information came to them in the course of business in the regulated sector. That disclosure is made to the firm's nominated officer, usually the Money Laundering Reporting Officer, or to a person authorised by the National Crime Agency, as soon as is practicable.
The nominated officer then decides whether the internal report meets the threshold for an external suspicious activity report to the National Crime Agency. The NCA describes suspicious activity reports as a vital source of intelligence that alert law enforcement to potential money laundering or terrorist financing, and confirms that organisations in the regulated sector have a legal obligation to submit them. Reports go to the UK Financial Intelligence Unit, which the NCA says receives more than 850,000 SARs a year. A clear, well evidenced audit trail from alert to decision to report is essential, both for effectiveness and to defend the firm's judgement later.
The most common operational problem in monitoring is volume. Poorly calibrated systems generate far more alerts than a team can meaningfully investigate, and the vast majority close without any suspicion. High alert volumes are not a sign of thoroughness. They are usually a sign that thresholds are set without reference to the customer base, or that rules fire on incomplete data. The FCA identifies poorly calibrated systems, and firms that struggle to articulate the rationale for their rules, as poor practice.
A key driver of false positives is data quality upstream of the system. When occupation, expected activity or beneficial ownership information is missing or stale, rules fire on incomplete context and produce noise. Remediating customer due diligence data before deploying or retuning models generally yields better precision than tuning in isolation. This is the practical meaning of the regulation 28(11) link between monitoring and the firm's knowledge of the customer.
Where firms use automated methods to triage the alerts a system produces, the FCA expects that to be justified within the context of the firm's overall approach to monitoring. Triage should speed up genuine investigation, not quietly suppress alerts. A useful discipline is to track a small set of metrics: average time to close an alert, the proportion of alerts escalated to the MLRO, the proportion of escalations that result in a report, and the reasons alerts are closed as false positives. Those numbers reveal whether a programme is actually managed or merely running.
Deficiencies the FCA highlights as poor practice in monitoring transactions and activity, illustrating recurring weaknesses rather than measured frequencies.
Monitoring is not a system you switch on and leave. The FCA treats an actively managed programme as good practice and an unmanaged one as a failing. Good practice includes tailoring the monitoring system rules to the firm's business, risk and relevant typologies, testing and reviewing rules for the right outcomes, and ensuring staff understand the threshold and rule rationales. New approaches should be piloted or subject to evaluation periods with appropriate testing before they go live.
Record keeping is central. The FCA expects firms to document their decision making, including how thresholds were set, how any model was trained, and the rationale for changes. When a firm decides to switch off or replace a rule or system, it should be able to justify that decision by comparing the relative merits and forming a robust judgement about the system's usefulness. Poor practice includes using off the shelf systems without calibration to the firm's individual needs and failing to review them regularly.
JMLSG guidance reinforces the same message: monitoring arrangements should be risk based and driven by the nature, size and complexity of the firm's business, and firms should regularly review current rules and thresholds to ensure they remain effective and incorporate known and evolving typologies. In practice that means an annual, documented calibration review at minimum, covering which scenarios were assessed, what changed and why, and how the change was tested. Firms running high volume payment flows should pay particular attention to threshold design, since generic defaults rarely fit a busy book.
Effective calibration starts from the typologies that actually threaten your business. Rules and behavioural models should be mapped to recognised money laundering patterns, then tested to confirm they would fire on realistic examples. The table below sets out typologies that firms commonly build scenarios around. It is illustrative rather than exhaustive, and each firm should derive its own priorities from its written risk assessment.
The point of mapping rules to typologies is twofold. It gives you a defensible rationale for each rule, which the FCA expects you to be able to articulate. And it lets you spot coverage gaps, where a known risk in your risk assessment has no corresponding detection logic. When criminals abuse a facility, the FCA regards learning from that incident and improving your methods as good practice, so typology coverage should evolve as new patterns emerge.
| Typology | What monitoring looks for | Why it matters |
|---|---|---|
| Structuring | Multiple transactions kept just below thresholds | Designed to evade reporting and detection triggers |
| Rapid movement of funds | Money in and quickly out with little economic purpose | Classic layering to distance funds from their origin |
| Inconsistent activity | Transactions that do not fit the customer's known profile | Directly engages the regulation 28(11) consistency test |
| Higher risk geographies | Payments to or from higher risk jurisdictions | Elevated exposure to money laundering and sanctions risk |
| Third party funding | Funds from or to unexplained third parties | May conceal the true source or beneficiary of funds |
Transaction monitoring is where anti money laundering compliance is tested. The legal duty in regulation 28(11) of the Money Laundering Regulations 2017 is straightforward: scrutinise transactions throughout the relationship to check they are consistent with what you know about the customer, and keep that knowledge current. The hard part is doing it in a way that detects real risk without generating unmanageable noise. That requires the right blend of rules based and behavioural monitoring, calibration to your actual customer base, and a disciplined workflow that moves alerts from generation to investigation to, where warranted, a suspicious activity report.
The FCA's expectations are consistent and quite specific. Understand what your system detects and why, tailor rules to your business and typologies, test and review them, keep clear records, and be able to justify every threshold and every decision to switch a rule off. Get those fundamentals right and monitoring becomes a genuine control rather than a compliance liability. If you want to see how a modern platform supports calibrated, evidenced monitoring, you can request a demo and walk through it with our team.
Yes. Regulation 28(11) of the Money Laundering Regulations 2017 requires firms to conduct ongoing monitoring, which includes scrutinising transactions throughout a business relationship to ensure they are consistent with the firm's knowledge of the customer, and keeping customer due diligence information up to date.
Rules based monitoring applies fixed scenarios and thresholds and is transparent and easy to explain. Behavioural monitoring compares activity against a learned baseline for the customer or peer group and detects anomalies no single rule would catch. The FCA encourages a holistic view drawing on both, across transaction, account and customer levels.
When an alert cannot be rationally explained, the analyst escalates it. Under section 330 of the Proceeds of Crime Act 2002, a disclosure must be made to the nominated officer or MLRO as soon as practicable. The MLRO then decides whether to submit a suspicious activity report to the National Crime Agency's UK Financial Intelligence Unit.
Usually because thresholds are set without reference to the customer base, or because rules fire on incomplete or stale customer data. The FCA identifies poorly calibrated systems and firms that cannot articulate the rationale for their rules as poor practice. Improving customer due diligence data quality often reduces false positives more than tuning alone.
The FCA expects an actively managed programme, with rules tailored to typologies, tested and reviewed for the right outcomes, and clearly documented. Good practice is at least an annual, documented calibration review covering which scenarios were assessed, what changed, why, and how the change was tested. JMLSG guidance similarly expects rules and thresholds to be reviewed regularly.
Using an automated system that is tailored to the firm's business, risk and relevant typologies; understanding what the system detects and why; taking a holistic view of customer behaviour; testing and reviewing rules; keeping good records of thresholds and decisions; and being able to justify decommissioning a rule or system when it is replaced.
Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.