Governance, Risk & Compliance

Transaction Monitoring for AML: A Practical Guide for UK Firms

How transaction monitoring meets the Money Laundering Regulations, what the FCA expects on tuning and alerts, and the link to suspicious activity reports.

8 min read Published 17 Jul 2026
Transaction Monitoring for AML: A Practical Guide for UK Firms

Transaction monitoring is the day to day engine of anti money laundering compliance. It is the process by which a firm scrutinises the payments, transfers and account activity flowing through a business relationship, and asks a simple question of each one: does this fit what we know about this customer? When activity does not fit, the firm investigates, and where suspicion arises it reports. Done well, monitoring turns customer due diligence from a one off onboarding exercise into a living control. Done badly, it produces a flood of alerts nobody can work through and a false sense of safety.

The obligation is not optional. Regulation 28(11) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires firms to conduct ongoing monitoring of every business relationship. The Financial Conduct Authority sets clear expectations on how monitoring systems should be built, calibrated and reviewed, and the Joint Money Laundering Steering Group provides detailed guidance on making it work in practice. Weak monitoring is one of the failings the FCA finds most often in its financial crime supervision.

This guide sets out what the law requires, how rules based and behavioural approaches differ, how alerts move from generation to investigation to a suspicious activity report, and how to keep a system tuned so it detects real risk without drowning your team in noise. It is written for compliance officers, MLROs and operations teams who need a practical, UK grounded reference.

The starting point is regulation 28(11) of the Money Laundering Regulations 2017. It defines ongoing monitoring of a business relationship as, first, the scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile. Second, it requires undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up to date.

Two things follow from that wording. Monitoring is a continuing obligation that runs for the life of the relationship, not a check performed only at onboarding. And it is explicitly tied back to what the firm knows about the customer, which means monitoring is only as good as the customer due diligence that underpins it. Stale occupation data, missing information on the expected purpose of an account, or an out of date risk rating will all undermine the ability to judge whether a transaction is consistent with the customer profile.

The regulations also require firms to be able to demonstrate to their supervisor that the extent of the measures taken is appropriate in view of the money laundering and terrorist financing risks they face, including the risks identified in their own written risk assessment. Monitoring is therefore risk based by design: the intensity of scrutiny should reflect the risk presented by the customer, product and channel, rather than applying a single flat approach across the book.

1
Scrutinise transactions
Review activity throughout the relationship, including source of funds where needed.
2
Test consistency
Check activity against the customer's known business and risk profile.
3
Refresh records
Review existing records and keep customer due diligence information up to date.
4
Demonstrate proportionality
Show the supervisor your monitoring reflects the risks you identified.

Rules based and behavioural monitoring compared

Most firms rely on some form of automated monitoring, and the FCA recognises the use of an automated system to monitor transactions as good practice. There are two broad approaches, and mature programmes usually combine them. Rules based monitoring applies fixed scenarios and thresholds: for example, a cash deposit above a set amount, a payment to a higher risk jurisdiction, or a pattern of transfers just below a reporting threshold. It is transparent and easy to explain, which matters because the FCA expects staff to understand the threshold and rule rationales.

Behavioural monitoring, sometimes called anomaly detection, builds a picture of what is normal for an individual customer or peer group and flags departures from that baseline. It can catch activity that no single fixed rule would trigger, such as a gradual change in behaviour or a transaction that is unremarkable in isolation but unusual for that particular customer. The FCA points firms towards taking a holistic view of customer behaviour and drawing on a range of data rather than relying on transaction by transaction analysis alone, and towards monitoring at multiple levels, including the transaction, account, customer and linked entity.

Neither approach is a silver bullet. Rules can be brittle and generate high volumes of routine alerts. Behavioural models can be opaque, and the FCA warns against a lack of an understanding of what the system is detecting and why. The practical answer is to tailor the monitoring rules to your business, risk and relevant typologies, to test them against known cases, and to keep records that explain why each rule exists. If you are designing controls across payments and onboarding, our transaction monitoring and control tooling is built around these same regulatory expectations.

FeatureRules based monitoringBehavioural monitoring
How it worksFixed scenarios and thresholds applied to every transactionCompares activity against a learned baseline for the customer or peer group
StrengthsTransparent, explainable, easy to evidence to a supervisorDetects subtle anomalies and gradual changes no single rule would catch
WeaknessesCan be brittle and generate high volumes of routine alertsCan be opaque; harder to explain what it detects and why
FCA expectationUnderstand the threshold and rule rationales; tailor to typologiesTake a holistic view of behaviour across transaction, account and customer
Best used forClear regulatory triggers and known typologiesComplex relationships and evolving patterns of activity
Rules based and behavioural monitoring compared. Most effective programmes use both.

From alert to suspicious activity report

Monitoring generates value only when alerts are investigated and acted on. When a rule fires or a model flags an anomaly, an analyst reviews the alert against the customer profile, transaction history and any supporting information, then reaches a decision. Many alerts are closed as consistent with the customer's known activity. Where activity cannot be rationally explained, it may point to money laundering or terrorist financing, and the analyst escalates it.

The reporting duty sits in the Proceeds of Crime Act 2002. Under section 330, a person in the regulated sector must make a disclosure where they know or suspect, or have reasonable grounds for knowing or suspecting, that another person is engaged in money laundering, and the information came to them in the course of business in the regulated sector. That disclosure is made to the firm's nominated officer, usually the Money Laundering Reporting Officer, or to a person authorised by the National Crime Agency, as soon as is practicable.

The nominated officer then decides whether the internal report meets the threshold for an external suspicious activity report to the National Crime Agency. The NCA describes suspicious activity reports as a vital source of intelligence that alert law enforcement to potential money laundering or terrorist financing, and confirms that organisations in the regulated sector have a legal obligation to submit them. Reports go to the UK Financial Intelligence Unit, which the NCA says receives more than 850,000 SARs a year. A clear, well evidenced audit trail from alert to decision to report is essential, both for effectiveness and to defend the firm's judgement later.

1
Alert generated
A monitoring rule fires or a model flags activity as anomalous.
2
Analyst investigates
Review against customer profile, history and any supporting information.
3
Decision recorded
Close as explained, or escalate where activity cannot be rationally explained.
4
Internal report
Disclose to the nominated officer or MLRO as soon as is practicable.
5
MLRO assessment
Nominated officer decides whether the suspicion warrants an external report.
6
SAR to the NCA
Where warranted, submit a suspicious activity report to the UKFIU.

False positives, alert volumes and effective triage

The most common operational problem in monitoring is volume. Poorly calibrated systems generate far more alerts than a team can meaningfully investigate, and the vast majority close without any suspicion. High alert volumes are not a sign of thoroughness. They are usually a sign that thresholds are set without reference to the customer base, or that rules fire on incomplete data. The FCA identifies poorly calibrated systems, and firms that struggle to articulate the rationale for their rules, as poor practice.

A key driver of false positives is data quality upstream of the system. When occupation, expected activity or beneficial ownership information is missing or stale, rules fire on incomplete context and produce noise. Remediating customer due diligence data before deploying or retuning models generally yields better precision than tuning in isolation. This is the practical meaning of the regulation 28(11) link between monitoring and the firm's knowledge of the customer.

Where firms use automated methods to triage the alerts a system produces, the FCA expects that to be justified within the context of the firm's overall approach to monitoring. Triage should speed up genuine investigation, not quietly suppress alerts. A useful discipline is to track a small set of metrics: average time to close an alert, the proportion of alerts escalated to the MLRO, the proportion of escalations that result in a report, and the reasons alerts are closed as false positives. Those numbers reveal whether a programme is actually managed or merely running.

Where transaction monitoring commonly falls short

Deficiencies the FCA highlights as poor practice in monitoring transactions and activity, illustrating recurring weaknesses rather than measured frequencies.

Poorly calibrated to the customer base5%
Rationale for rules not articulated4%
Off-the-shelf system not tailored4%
No understanding of what the system detects3%
Rules not reviewed after implementation3%

Tuning, calibration and reviewing your rules

Monitoring is not a system you switch on and leave. The FCA treats an actively managed programme as good practice and an unmanaged one as a failing. Good practice includes tailoring the monitoring system rules to the firm's business, risk and relevant typologies, testing and reviewing rules for the right outcomes, and ensuring staff understand the threshold and rule rationales. New approaches should be piloted or subject to evaluation periods with appropriate testing before they go live.

Record keeping is central. The FCA expects firms to document their decision making, including how thresholds were set, how any model was trained, and the rationale for changes. When a firm decides to switch off or replace a rule or system, it should be able to justify that decision by comparing the relative merits and forming a robust judgement about the system's usefulness. Poor practice includes using off the shelf systems without calibration to the firm's individual needs and failing to review them regularly.

JMLSG guidance reinforces the same message: monitoring arrangements should be risk based and driven by the nature, size and complexity of the firm's business, and firms should regularly review current rules and thresholds to ensure they remain effective and incorporate known and evolving typologies. In practice that means an annual, documented calibration review at minimum, covering which scenarios were assessed, what changed and why, and how the change was tested. Firms running high volume payment flows should pay particular attention to threshold design, since generic defaults rarely fit a busy book.

1
Assess scenarios
Review which rules and typologies are in scope and still relevant.
2
Calibrate thresholds
Set thresholds to the customer base, not generic defaults.
3
Test changes
Validate against historical and known cases before deployment.
4
Document rationale
Record what changed, why, and how it was tested.

Common typologies monitoring should be tuned to catch

Effective calibration starts from the typologies that actually threaten your business. Rules and behavioural models should be mapped to recognised money laundering patterns, then tested to confirm they would fire on realistic examples. The table below sets out typologies that firms commonly build scenarios around. It is illustrative rather than exhaustive, and each firm should derive its own priorities from its written risk assessment.

The point of mapping rules to typologies is twofold. It gives you a defensible rationale for each rule, which the FCA expects you to be able to articulate. And it lets you spot coverage gaps, where a known risk in your risk assessment has no corresponding detection logic. When criminals abuse a facility, the FCA regards learning from that incident and improving your methods as good practice, so typology coverage should evolve as new patterns emerge.

TypologyWhat monitoring looks forWhy it matters
StructuringMultiple transactions kept just below thresholdsDesigned to evade reporting and detection triggers
Rapid movement of fundsMoney in and quickly out with little economic purposeClassic layering to distance funds from their origin
Inconsistent activityTransactions that do not fit the customer's known profileDirectly engages the regulation 28(11) consistency test
Higher risk geographiesPayments to or from higher risk jurisdictionsElevated exposure to money laundering and sanctions risk
Third party fundingFunds from or to unexplained third partiesMay conceal the true source or beneficiary of funds
Illustrative typologies to map monitoring rules against. Prioritise those relevant to your own risk assessment.

Conclusion

Transaction monitoring is where anti money laundering compliance is tested. The legal duty in regulation 28(11) of the Money Laundering Regulations 2017 is straightforward: scrutinise transactions throughout the relationship to check they are consistent with what you know about the customer, and keep that knowledge current. The hard part is doing it in a way that detects real risk without generating unmanageable noise. That requires the right blend of rules based and behavioural monitoring, calibration to your actual customer base, and a disciplined workflow that moves alerts from generation to investigation to, where warranted, a suspicious activity report.

The FCA's expectations are consistent and quite specific. Understand what your system detects and why, tailor rules to your business and typologies, test and review them, keep clear records, and be able to justify every threshold and every decision to switch a rule off. Get those fundamentals right and monitoring becomes a genuine control rather than a compliance liability. If you want to see how a modern platform supports calibrated, evidenced monitoring, you can request a demo and walk through it with our team.

Frequently asked questions

Is transaction monitoring a legal requirement in the UK?

Yes. Regulation 28(11) of the Money Laundering Regulations 2017 requires firms to conduct ongoing monitoring, which includes scrutinising transactions throughout a business relationship to ensure they are consistent with the firm's knowledge of the customer, and keeping customer due diligence information up to date.

What is the difference between rules based and behavioural monitoring?

Rules based monitoring applies fixed scenarios and thresholds and is transparent and easy to explain. Behavioural monitoring compares activity against a learned baseline for the customer or peer group and detects anomalies no single rule would catch. The FCA encourages a holistic view drawing on both, across transaction, account and customer levels.

How does monitoring lead to a suspicious activity report?

When an alert cannot be rationally explained, the analyst escalates it. Under section 330 of the Proceeds of Crime Act 2002, a disclosure must be made to the nominated officer or MLRO as soon as practicable. The MLRO then decides whether to submit a suspicious activity report to the National Crime Agency's UK Financial Intelligence Unit.

Why do transaction monitoring systems produce so many false positives?

Usually because thresholds are set without reference to the customer base, or because rules fire on incomplete or stale customer data. The FCA identifies poorly calibrated systems and firms that cannot articulate the rationale for their rules as poor practice. Improving customer due diligence data quality often reduces false positives more than tuning alone.

How often should monitoring rules be reviewed and tuned?

The FCA expects an actively managed programme, with rules tailored to typologies, tested and reviewed for the right outcomes, and clearly documented. Good practice is at least an annual, documented calibration review covering which scenarios were assessed, what changed, why, and how the change was tested. JMLSG guidance similarly expects rules and thresholds to be reviewed regularly.

What does the FCA regard as good practice in transaction monitoring?

Using an automated system that is tailored to the firm's business, risk and relevant typologies; understanding what the system detects and why; taking a holistic view of customer behaviour; testing and reviewing rules; keeping good records of thresholds and decisions; and being able to justify decommissioning a rule or system when it is replaced.

Ready to move money with confidence?

Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide