Rules-Based Transaction Monitoring
Key Takeaways
- Transaction monitoring detects suspicious patterns after the fact using scenarios/rules with thresholds (e.g., structuring, rapid movement, high-risk geography).
- U.S. CTR threshold is over $10,000 in cash in one business day; structuring to evade it is itself a federal crime regardless of source of funds.
- Alerts are not SARs: alerts are reviewed, dispositioned, and only confirmed suspicion leads to a SAR (filed within 30 days of detection in the U.S.).
- Rule design balances coverage and noise; poorly tuned rules cause alert backlogs and missed activity, both regulatory findings.
Rules-Based Transaction Monitoring
Transaction monitoring is the detective control that reviews completed activity for patterns indicative of money laundering, terrorist financing, or fraud. Rules-based (scenario-based) monitoring is the predominant approach: the institution codes scenarios with parameters and thresholds, and any activity breaching a threshold generates an alert for human review. It is reactive and pattern-focused, complementing the preventive, real-time payment screening covered earlier.
Common rule scenarios
Most programs run a library of scenarios mapped to known typologies:
| Scenario | Typology detected | Example parameter |
|---|---|---|
| Structuring / smurfing | Evading reporting thresholds | Multiple cash deposits just under $10,000 |
| Rapid movement of funds | Layering | Funds in and out within 24–48 hours |
| High-risk geography | Placement / sanctions risk | Wires to/from high-risk jurisdictions |
| Velocity / volume change | Activity inconsistent with profile | Monthly turnover spikes 300% over expected |
| Round-amount or pass-through | Shell / funnel accounts | Repeated round-number transfers |
Key U.S. thresholds the exam tests
Under the Bank Secrecy Act, a Currency Transaction Report (CTR) is required for cash transactions exceeding $10,000 in one business day (aggregated by the same person). Structuring — breaking transactions into amounts under $10,000 to avoid the CTR — is a separate federal crime under 31 U.S.C. §5324, and it is illegal even if the underlying funds are legitimate. A Suspicious Activity Report (SAR) must be filed within 30 calendar days of initial detection of facts that may constitute suspicious activity (up to 60 days if no suspect is identified).
SAR filing thresholds vary by institution type. For banks, a SAR is required for transactions aggregating $5,000 or more when a suspect can be identified and $25,000 or more regardless of whether a suspect is identified; money services businesses use a $2,000 threshold. Dollar thresholds are floors, not ceilings: an institution may file below them when it has a reasonable basis to suspect illegal activity.
Alerts are not SARs
The single most-tested concept here: a generated alert is not a SAR. The workflow is alert → review/investigate → disposition. Most alerts are false positives and are closed with documented rationale. Only when investigation confirms a reasonable basis to suspect illegal activity does the institution file a SAR. Filing a SAR for every alert (defensive filing) degrades the value of the data to law enforcement; closing alerts without documented rationale is a control failure.
Worked scenario
Monitoring flags a customer who made nine cash deposits of $9,500 across three branches over five business days — totaling $85,500 — with no apparent business reason. This is a textbook structuring pattern. The CAMS workflow: the alert is investigated, the analyst documents the pattern and the absence of a legitimate explanation, the institution files a SAR within 30 days of detection, and critically the institution does not tip off the customer that a SAR was filed (tipping off is prohibited). No individual deposit exceeded $10,000, which is the point of structuring; monitoring catches the aggregate pattern that a per-transaction view misses. Note, too, that nine deposits over five business days means at least one day carried two or more deposits totaling more than $10,000, and because CTR aggregation applies across branches of the same institution, a CTR was already due for those days. A missed aggregation there would be a separate CTR filing failure; the structuring alert and SAR decision stand either way.
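To make the detection logic concrete, here is an added example (not code from the page or from any monitoring vendor) of a minimal rules engine in Python. It reproduces the scenario above as constructed sample transactions and goes slightly beyond it: it runs a structuring scenario, computes per-customer per-business-day CTR aggregation across branches, calculates the SAR filing deadline, and models the alert disposition step that separates an alert from a SAR decision. The rule parameters (an $8,000 floor for "just under", three or more deposits, a rolling 7-day window), the customer IDs, branch names and dates are all illustrative assumptions, not regulatory values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# BSA CTR threshold (from the page): cash over $10,000 per person per business day.
CTR_THRESHOLD = 10_000
# Scenario parameters below are assumptions for illustration, not regulatory values.
STRUCTURING_FLOOR = 8_000          # "just under" = $8,000 up to the threshold
STRUCTURING_MIN_COUNT = 3          # at least three such deposits
STRUCTURING_WINDOW_DAYS = 7        # within a rolling 7-day window


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    branch: str
    kind: str        # "cash_in", "cash_out", "wire_in", "wire_out"
    amount: float


@dataclass(frozen=True)
class Alert:
    rule: str
    customer: str
    detail: str


def ctr_aggregation(txns):
    """Aggregate cash per customer, per business day, across all branches.
    Returns the (customer, day, kind) keys whose total exceeds $10,000 (CTR due)."""
    totals = defaultdict(float)
    for t in txns:
        if t.kind in ("cash_in", "cash_out"):
            totals[(t.customer, t.day, t.kind)] += t.amount
    return {k: v for k, v in totals.items() if v > CTR_THRESHOLD}


def structuring_rule(txns):
    """Flag customers with STRUCTURING_MIN_COUNT or more cash deposits, each at or
    above STRUCTURING_FLOOR but not over the CTR threshold, inside the rolling window."""
    alerts = []
    by_customer = defaultdict(list)
    for t in txns:
        if t.kind == "cash_in" and STRUCTURING_FLOOR <= t.amount <= CTR_THRESHOLD:
            by_customer[t.customer].append(t)
    for cust, deps in by_customer.items():
        deps.sort(key=lambda t: t.day)
        for i, first in enumerate(deps):
            window = [d for d in deps[i:]
                      if (d.day - first.day).days < STRUCTURING_WINDOW_DAYS]
            if len(window) >= STRUCTURING_MIN_COUNT:
                total = sum(d.amount for d in window)
                branches = ",".join(sorted({d.branch for d in window}))
                alerts.append(Alert("structuring", cust,
                    f"{len(window)} cash deposits totaling ${total:,.0f} "
                    f"across branches {branches} in {STRUCTURING_WINDOW_DAYS} days"))
                break  # one alert per customer per run; the analyst reviews the whole window
    return alerts


def sar_deadline(detection_date, suspect_identified=True):
    """SAR due 30 calendar days after initial detection, 60 if no suspect is identified."""
    return detection_date + timedelta(days=30 if suspect_identified else 60)


def disposition(alert, suspicious, rationale):
    """An alert is not a SAR: every disposition needs written rationale, and only a
    confirmed reasonable suspicion becomes a SAR decision (filing, and keeping the
    customer uninformed of it, happen downstream of this step)."""
    if not rationale.strip():
        raise ValueError(f"alert {alert.rule}/{alert.customer} closed without documented rationale")
    return {"alert": alert, "outcome": "file_sar" if suspicious else "close_no_sar",
            "rationale": rationale}


# Constructed sample data (not real transactions) reproducing the page's scenario:
# nine $9,500 cash deposits by customer C-1001 across branches A/B/C, Mon-Fri.
WEEK_START = date(2024, 3, 4)  # a Monday
SAMPLE_TXNS = [
    Txn("C-1001", WEEK_START, "A", "cash_in", 9_500),
    Txn("C-1001", WEEK_START, "B", "cash_in", 9_500),
    Txn("C-1001", WEEK_START + timedelta(days=1), "C", "cash_in", 9_500),
    Txn("C-1001", WEEK_START + timedelta(days=2), "A", "cash_in", 9_500),
    Txn("C-1001", WEEK_START + timedelta(days=2), "B", "cash_in", 9_500),
    Txn("C-1001", WEEK_START + timedelta(days=3), "C", "cash_in", 9_500),
    Txn("C-1001", WEEK_START + timedelta(days=4), "A", "cash_in", 9_500),
    Txn("C-1001", WEEK_START + timedelta(days=4), "B", "cash_in", 9_500),
    Txn("C-1001", WEEK_START + timedelta(days=4), "C", "cash_in", 9_500),
    Txn("C-2002", WEEK_START, "A", "cash_in", 12_000),  # CTR due, no structuring pattern
    Txn("C-3003", WEEK_START, "B", "cash_in", 9_500),   # only two deposits: below the count
    Txn("C-3003", WEEK_START + timedelta(days=1), "B", "cash_in", 9_500),
]


def run(txns=SAMPLE_TXNS):
    """Run the scenario library; returns (structuring alerts, CTRs due)."""
    return structuring_rule(txns), ctr_aggregation(txns)


if __name__ == "__main__":
    alerts, ctrs = run()
    for a in alerts:
        print(a.rule, a.customer, a.detail)
    for (cust, day, kind), total in sorted(ctrs.items()):
        print(f"CTR due: {cust} {day} {kind} ${total:,.0f}")
```

Running it produces one structuring alert for C-1001 (nine deposits, $85,500, branches A,B,C) and four CTR-due entries: three days for C-1001 where two or more branch deposits aggregate above $10,000, plus the single $12,000 deposit by C-2002. C-3003's two sub-threshold deposits generate nothing, which is the coverage-versus-noise trade-off the count and window parameters control. The `disposition` function refuses an empty rationale, mirroring the control failure the page describes.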
Tuning and governance
Rules degrade over time as customer behavior and typologies evolve. Thresholds set too tightly create unmanageable alert backlogs (a frequent regulatory finding); set too loosely they miss activity. Rule changes require documented governance, and the program must be independently tested. Above-the-line/below-the-line testing is the standard tuning technique: sample the alerts generated just above a threshold to measure how many were productive, and sample the activity just below it that did not alert to estimate what the threshold is missing. It is covered in the next section on model risk.
Continuing-activity SARs and recordkeeping
Filing one SAR is rarely the end. When suspicious activity continues after an initial SAR, U.S. guidance expects institutions to review the relationship periodically, commonly on a 90-day cycle, and to file a continuing-activity SAR no later than 120 days after the prior filing if the conduct persists, capturing the aggregate activity of the intervening period. Institutions must also retain SARs and supporting documentation for five years from the filing date, and must keep CTR records for five years as well. The supporting documentation is treated as part of the SAR and is subject to the same confidentiality and tipping-off protections.
Rules-based versus behavioral approaches
Pure rules-based monitoring has a known weakness: thresholds are static, so sophisticated launderers can transact just under them, and unusual behavior that does not breach any single rule can go undetected. This is why programs increasingly layer behavioral / anomaly-based monitoring and machine learning on top of rules — building a baseline of expected activity per customer and flagging deviations. The rules library still anchors regulatory expectations and explainability, while behavioral models widen coverage.
The exam frames this as complementary, not either/or: rules give defensible, transparent coverage of known typologies, and analytics extend detection to novel patterns, with both governed under model risk management.
Quality and effectiveness
A monitoring program is judged on effectiveness, not alert volume. Regulators examine whether scenarios map to the institution's actual risk profile, whether thresholds are tuned and tested, whether alerts are investigated within reasonable timeframes, and whether SAR decisions are sound and documented. Independent testing and quality assurance close the loop.
Common traps
- Equating an alert with a SAR, or filing a SAR for every alert.
- Closing alerts without documented rationale.
- Ignoring structuring because no individual transaction broke the $10,000 CTR threshold.
- Forgetting continuing-activity SAR reviews after the initial filing.
- Tipping off the customer that activity was reported — a prohibited act.
Monitoring flags a customer who made nine cash deposits of $9,500 across three branches over five business days, totaling $85,500, with no legitimate business explanation. What is the correct response?
In a rules-based transaction monitoring program, what is the correct relationship between an alert and a SAR?