
AML Transaction Monitoring: Rules, Thresholds and Red Flags

Complete guide to AML transaction monitoring for businesses: detection rules, regulatory thresholds, red flags, and FCA/NCA compliance obligations in the UK.

James Whitfield, Head of Compliance

AML transaction monitoring is the continuous process of analysing customer financial activity to detect patterns indicative of money laundering or terrorist financing. In the UK, it is a mandatory requirement under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) and the Proceeds of Crime Act 2002 (POCA), enforced by the Financial Conduct Authority (FCA).

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.

What Is AML Transaction Monitoring?

AML transaction monitoring means systematically reviewing customer transactions — individually and in aggregate — to identify activity inconsistent with the customer's known risk profile. As of January 2026, the FCA has confirmed it will become the single AML supervisor for professional services firms, consolidating oversight previously fragmented across the Solicitors Regulation Authority (SRA) and the Institute of Chartered Accountants in England and Wales (ICAEW) (A&O Shearman, Financial Services Horizon Report 2026).

The monitoring process follows three stages:

  1. Rule configuration: defining detection scenarios based on thresholds, typologies, and expected behaviour for each customer risk segment.
  2. Alert generation: transactions matching a scenario trigger an automated alert for review.
  3. Investigation and decision: compliance analysts examine alerts, determine whether they represent genuine risk, and escalate suspicious cases for a Suspicious Activity Report (SAR) submission to the National Crime Agency (NCA).

The FCA does not prescribe exact rules or threshold values — instead, firms must adopt a risk-based approach calibrated to their customer base, products, and geography.

UK Regulatory Framework: FCA, NCA and the MLRs

The UK framework rests on three statutory pillars. The Money Laundering Regulations 2017 (SI 2017/692) require all regulated firms to implement ongoing monitoring of business relationships as part of customer due diligence (CDD), with enhanced due diligence (EDD) for higher-risk customers (MLRs 2017, Regulation 28).

The FCA Handbook — specifically SYSC 6.3 — requires firms to establish and maintain systems and controls to detect and prevent financial crime. Firms that fail to monitor adequately face significant enforcement action: the FCA fined Metro Bank £16.6 million in 2023 for failing to adequately monitor over 60 million transactions between June 2016 and December 2020, demonstrating the regulator's willingness to take action against systemic failures.

Suspected money laundering must be reported to the NCA via a SAR under Part 7 of POCA 2002. Filing a SAR also provides a "consent" defence, allowing a firm to proceed with a transaction that might otherwise constitute a principal money laundering offence.

Detection Rules: Configuring Your Monitoring System

Transaction monitoring rules translate regulatory risk expectations into operational alerts. They should be documented, tested, and updated regularly as criminal typologies evolve.

| Rule Category | Example Scenario | Indicative Threshold |
| --- | --- | --- |
| Cash transactions | Repeated deposits just below reporting thresholds | < £10,000 over 30 days |
| International transfers | Flows to FATF high-risk jurisdictions | Any amount |
| Structuring | Multiple transactions designed to avoid thresholds | Detected sequences |
| Rapid fund cycling | Funds retransferred within 24 hours of receipt | > 80% of balance |
| Unusual volumes | Transaction volume 3× above historical average | > 2σ deviation |
| PEP/sanctions connections | Transactions involving politically exposed persons | Any amount |
| Cryptoasset flows | Transfers to unhosted wallets | Any amount (FATF Travel Rule) |

Static rule sets carry a significant operational cost: industry benchmarks show that up to 95% of alerts generated by purely rule-based systems are false positives, draining compliance team resources. Calibrating rules with behavioural analytics and machine learning reduces this ratio while maintaining detection coverage.

Compliance professionals frequently raise two concrete pain points: the time cost of false positive investigations — typically 20–30 minutes per alert — and the challenge of setting appropriate thresholds across different customer segments (retail vs. corporate, domestic vs. cross-border).
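Three of the scenarios in the table above (structuring, rapid fund cycling, unusual volumes) written as detection rules and run over constructed sample accounts. This is an added example, not CheckFile's code; the transaction fields, the 10% "just below" band, the minimum of three deposits, and reading "balance" as the balance right after a receipt are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, stdev

LIMIT = 10_000   # GBP, indicative value from the table; firms calibrate their own
NEAR = 0.90      # assumption: "just below" means within 10% of LIMIT
MIN_COUNT = 3    # assumption: deposits needed to count as "repeated"

def structuring(txns):
    """Repeated cash deposits just below LIMIT inside any 30-day window."""
    near = sorted(t["ts"] for t in txns
                  if t["kind"] == "cash_in" and NEAR * LIMIT <= t["amount"] < LIMIT)
    return any(sum(1 for ts in near[i:] if ts - first <= timedelta(days=30)) >= MIN_COUNT
               for i, first in enumerate(near))

def rapid_cycling(txns, opening=0.0):
    """Over 80% of the balance leaves within 24 hours of a receipt."""
    balance, ordered = opening, sorted(txns, key=lambda t: t["ts"])
    for i, t in enumerate(ordered):
        if t["kind"] == "out":
            balance -= t["amount"]
            continue
        balance += t["amount"]  # balance right after the receipt
        sent = sum(o["amount"] for o in ordered[i + 1:]
                   if o["kind"] == "out" and o["ts"] - t["ts"] <= timedelta(hours=24))
        if balance > 0 and sent > 0.80 * balance:
            return True
    return False

def unusual_volume(history, current):
    """Current period volume more than 2 sigma above the historical mean."""
    if len(history) < 2:
        return False
    sd = stdev(history)
    return sd > 0 and (current - mean(history)) / sd > 2.0

def evaluate(txns, history, current):
    fired = [structuring(txns), rapid_cycling(txns), unusual_volume(history, current)]
    return [n for n, f in zip(("structuring", "rapid_cycling", "unusual_volume"), fired) if f]

# Constructed sample data, not real customer activity.
D = datetime(2026, 1, 5, 9, 0)
def tx(days, hours, kind, amount):
    return {"ts": D + timedelta(days=days, hours=hours), "kind": kind, "amount": amount}
ACCOUNT_A = [tx(0, 0, "cash_in", 9_500), tx(3, 0, "cash_in", 9_800), tx(8, 0, "cash_in", 9_900)]
ACCOUNT_B = [tx(0, 0, "in", 50_000), tx(0, 6, "out", 45_000)]
ACCOUNT_C = [tx(0, 0, "in", 2_000), tx(2, 0, "out", 500)]
HISTORY = [10_000, 12_000, 11_000, 9_000, 13_000]  # prior monthly totals
print({n: evaluate(t, HISTORY, c) for n, t, c in
       [("A", ACCOUNT_A, 12_500), ("B", ACCOUNT_B, 33_000), ("C", ACCOUNT_C, 11_000)]})
```

Changing `NEAR`, `MIN_COUNT` or the opening balance and re-running against historical data shows how each parameter moves the alert count, which is the backtesting step the calibration discussion calls for.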

Key Red Flags for AML Transaction Monitoring

A red flag triggers an investigation; it is not a conclusion. The Joint Money Laundering Steering Group (JMLSG) Guidance — last revised in 2024 — identifies sector-specific indicators that firms must incorporate into their monitoring systems (JMLSG Guidance 2024).

Core red flags to incorporate in your system:

  • Behavioural anomalies: refusal to provide requested information, implausible explanations for unusual transactions, unexplained urgency.
  • Geographic risk: transactions involving jurisdictions on the FATF grey or black lists, or HM Treasury's list of high-risk third countries (FATF High-Risk Jurisdictions, February 2026).
  • Structuring (smurfing): multiple transactions slightly below £10,000 completed within a short window — a direct attempt to evade reporting obligations.
  • Rapid fund cycling: funds received and retransferred within 24 hours, particularly to third-party accounts or crypto wallets.
  • Profile-activity mismatch: a customer declaring low-turnover retail activity generating multi-million-pound flows.
  • Opaque beneficial ownership: corporate structures involving bearer shares, nominees, or chains of entities without clear economic purpose.
  • Shared digital identifiers: same devices, IP addresses, or phone numbers used across multiple distinct accounts — a key indicator of money mule networks.
  • Adverse media: negative news matching customer profiles, especially involving financial crime, corruption, or sanctions.

These red flags should be built into your document compliance programme and applied consistently from customer onboarding through ongoing monitoring.

Reporting Obligations and Record-Keeping

UK firms face precise, non-discretionary reporting obligations. The key requirements are:

SAR filing with the NCA: mandatory when a firm knows, suspects, or has reasonable grounds to suspect that a person is engaged in money laundering or terrorist financing. There is no minimum amount threshold — the suspicion itself triggers the obligation. SARs must be filed via the NCA's Suspicious Activity Reports Online portal.

Consent SARs (Defence Against Money Laundering — DAML): if a firm identifies a transaction it believes involves criminal property, it must obtain consent from the NCA before proceeding to avoid committing a primary money laundering offence under POCA 2002, Sections 327–329.

Record-keeping: all CDD records, transaction monitoring documentation, and SAR-related material must be retained for a minimum of five years from the end of the business relationship, per MLRs 2017, Regulation 40.

Tipping off prohibition: once a SAR is filed or under consideration, the firm cannot disclose this to the customer or third parties, under POCA 2002, Section 333A.

For sanctions-related monitoring, our article on OFAC and EU sanctions screening covers the complementary obligations in detail.

Implementing an Effective Monitoring Programme

A robust transaction monitoring programme requires four interconnected components:

1. Governance and accountability: Appoint a Money Laundering Reporting Officer (MLRO) with board-level access and clear authority to escalate and file SARs. The MLRO must report annually to the board on AML risks and the effectiveness of controls, per FCA requirements.

2. Risk-based segmentation: Apply proportionately higher scrutiny to higher-risk customers. A high-net-worth foreign politically exposed person requires different monitoring parameters than a domestic small business. Document your segmentation rationale — FCA supervisors examine the logic behind your calibration decisions.

3. Calibration and testing: Backtest your rules against historical data to measure false positive rates. Over-sensitive rules generate alert fatigue; under-sensitive rules create regulatory exposure. Document all calibration decisions and review rules at least annually, or when criminal typologies change.

4. Technology integration: Automated transaction monitoring tools — such as those integrated into CheckFile's KYC solutions — combine rule-based alerts, behavioural scoring, and sanctions screening into a single auditable workflow. This reduces manual burden and strengthens the audit trail regulators expect during supervisory reviews.

For a broader comparison of automated and manual approaches, see our guide on AI vs manual document verification.

Technology Outlook: AI, Real-Time Monitoring and 2026 Reforms

The FCA's 2025 Financial Crime Guide update emphasises that firms should move beyond static rule-based systems to intelligence-driven monitoring using behavioural analytics and explainable AI models (FCA Financial Crime Guide, FCG 3.2).

Real-time monitoring — evaluating each transaction within milliseconds rather than batch-processing overnight — is increasingly the standard for payment institutions and fintechs. It enables intervention before funds become unrecoverable. Leading implementations combine:

  • Business rules (velocity, geography, amounts)
  • Graph analytics (detecting mule networks and linked entities)
  • Anomaly models (deviations from individual customer behavioural baselines)
  • Natural language processing (analysis of payment references and ordering party data)

The 2026 FCA consolidation of professional services AML supervision will bring a more data-intensive, financial-services-style approach to sectors such as law and accountancy — firms in these sectors should prepare for higher expectations on monitoring system sophistication and senior management accountability.

Explore how CheckFile automates document verification workflows for regulated financial institutions, integrating KYC/AML checks from onboarding through ongoing monitoring.

Frequently Asked Questions

What is the purpose of transaction monitoring in AML?

Transaction monitoring in AML serves to detect suspicious financial activity — including money laundering, terrorist financing, and sanctions evasion — by comparing customer transactions against expected behaviour, regulatory thresholds, and known criminal typologies. It enables firms to meet their statutory SAR-filing obligations and demonstrate effective controls to regulators.

What is the primary purpose of transaction monitoring in AML compliance?

The primary purpose is to ensure that firms can identify and report suspicious activity in a timely manner, satisfying both the preventive (detecting crime) and reactive (reporting crime) elements of the UK AML regime. Effective monitoring also protects firms from regulatory sanctions, which can include significant fines and reputational damage.

Why is ongoing transaction monitoring important in AML?

Customer risk profiles change over time: a client who poses low risk at onboarding may become high-risk due to changes in business activity, geographic exposure, or media coverage. Ongoing monitoring ensures that risk assessments remain current and that suspicious activity is detected throughout the business relationship, not just at the point of onboarding.

What thresholds trigger AML reporting in the UK?

There is no minimum financial threshold for SAR filing — the suspicion triggers the obligation regardless of amount. However, certain simplified due diligence thresholds exist: for example, low-value anonymous prepaid cards (below £150 in stored value for non-reloadable cards) may qualify for reduced CDD requirements under MLRs 2017, Regulation 37.

How should firms handle false positives in transaction monitoring?

False positives should be investigated, documented, and closed with a clear rationale recorded in the compliance system. Firms should analyse false positive patterns to improve rule calibration. The FCA expects firms to demonstrate that their alert review process is proportionate and risk-based — not a box-ticking exercise.
