The reason most transaction monitoring programs fail is because monitoring rules are vague, uncalibrated and undocumented. If a monitoring rule fires 4,000 alerts a month, yet only escalates 2%, the outcome is analyst fatigue and dispositioned noise, not effective financial crime detection. A rule never tuned and updated since the day it was switched on is a liability, not a control.
Writing good detection logic is an art in itself. It sits between the typology (what the criminal is doing), the data (what the institution can actually see) and the operating reality (how many alerts the team can investigate well). Set up an effective logic, and a small rule set captures real activity at a manageable volume. Get it wrong and no amount of extra rules will save the programme. This guide is about getting the craft correct. We will cover the necessary steps in the following sections:
- The Anatomy of a Transaction Monitoring Rule
- The Rule Library: Common Rule Types Used in Practice
- Risk Based Rule Calibration: Why One Threshold Does Not Fit All
- The False Positive vs False Negative Trade Off
- Rule Set Building: Moving from Rules to Scenario Logic
- Common Rule Examples (Banking, Fintech, MSB, Crypto)
- Sandbox Testing Prior to Going Live
- Documenting Rules for Regulators
- Rule Lifecycle: When to Retire, Tune or Replace
- How Sanction Scanner Can Help
How a Transaction Monitoring Rule is Built
Every transaction monitoring rule, no matter how complex it may seem, can be boiled down to the same five components. For any rule in your library, if you can name all five, then the rule is well formed. If you can't, that's the first problem to sort out.
The trigger condition is the behavior the rule is looking for, such as a cash deposit, a wire out, an inbound transfer, a card load. This is the event class that the rule checks. Threshold is the quantitative dividing line between "normal" and "worth a look". An amount, a count, a ratio, a percentage deviation. The threshold is where the majority of rules are won or lost. The time window is the scale on which the rule aggregates a single transaction, a rolling 24 hours, a calendar month, a 90 day baseline. A threshold is a threshold, but it means very different things over a day than a quarter. The scope of the rule is the population on which the rule is to be applied. It includes customer segment, product, channel, geography, risk rating. A rule without a scope is implicitly scoped to “everyone”, which is almost never what you want to do. Finally, the action is what happens when the rule is triggered, such as generating an alert, raising the customer’s risk score, routing to a specific queue, suppressing a duplicate, and escalating immediately.
Take the concrete rule through all the five. Consider, for instance, a retail cash structuring rule. The trigger is a cash deposit. The threshold is 3 or more deposits within the window of $2000 or more and less than $10,000 each, and $15,000 or more in aggregate. Its window is five calendar days long. Emphasis on personal accounts for retail, excluding business accounts and cash intensive merchant categories. The action is to alert the anti money laundering (AML) structuring queue and raise the customer’s risk score by one tier.
You can read the rule as a sentence and get the story: A retail personal customer making multiple cash deposits, individually sub-CTR, that total over a short window where that sort of behavior is unusual for the segment. The $10,000 cap refers to a common avoidance tactic by criminals who try to evade the Currency Transaction Report threshold. And the $2,000 floor eliminates trivial deposits. The aggregate figure gives the pattern substance. It does not cover businesses which normally have large amounts of cash. The whole point of the anatomy is to put every one of those decisions in the open. Every number in that rule is a decision you have to be able to explain.
The Rule Library: Common Rule Types Used in Practice
Most transaction monitoring programs are constructed from a small number of recurring rule archetypes, recombined and recalibrated. Most of the job is knowing the archetypes, and their characteristic logic.
Velocity rules measure the number or volume of transactions in a time window, relative to a fixed threshold or to the customer’s own baseline. A typical one will trigger if inbound transfers in a rolling 24 hour period are 10 or more and the total inbound for that period is at least 5 times the customer’s average daily inbound over the previous 90 days. That’s what the dual condition does, it gives precision. Volume alone is noisy, but volume that is also a sharp break from a customer’s own history is meaningful.
Threshold rules are intended to trigger on a single transaction exceeding a given amount, e.g., a single outbound wire of $50,000 or more on a retail segment account. This is the simplest archetype and the easiest to avoid, so it rarely suffices on its own.
Structuring rules identify multiple transactions purposefully held just below a reporting or review threshold and the worked example from the previous section is the canonical case.
Geographic mismatch rules are triggered when the transaction geography does not match the customer’s expected footprint locations. This means the transaction country is not one of the customer’s expected countries, the amount exceeds the segment floor and there is no travel notice on the account. Importantly, the travel notice exclusion means that the rule does not penalise a customer for the legitimate reason of going on holiday.
Round number rules flag repeated suspiciously round amounts for example, five or more transactions that are exact multiples of 1,000 in a 30 day span. This is a weak signal in isolation, but a useful contributor when combined.
Dormant then active rules apply to an account that has been inactive for a long time, such as 180 days or more without activity, and then suddenly transacts at 10 times its historical average. This is a classic example of a mule and account takeover.
Rapid in-out rules identify funds received and moved on almost immediately. An outbound transfer within 48 hours of an inbound one, where the outbound is at least 80% of the inbound amount and the resting balance returns to near zero. This is the passthrough signature.
Peer deviation rules spot a customer whose activity is significantly different from a statistically similar peer group, rather than from a fixed number. For example, a monthly volume greater than the peer group mean by more than three standard deviations. This is the basis for behavioral, risk based monitoring, because “normal” is defined relative to similar customers, not a single house number.
These archetypes are not mutually exclusive per se. The rule set section below is about stringing together the strongest detection scenarios.
Risk Based Rule Calibration: Why One Threshold Does Not Fit All
The most frequent transaction monitoring calibration error is a single global threshold that fails in both directions at once. Set a $10,000 wire threshold across the whole book and you will drown in alerts on corporate customers for whom $10,000 is a rounding error, while completely missing a retail customer for whom a $9,000 wire is wildly out of character. One number can’t be both.
Effective calibration knows the segment. The methodology is easy to state, and disciplined to apply.
First, segment the population by relevant dimensions that change what “normal” looks like. Customer type (retail, SME, corporate), product (current account, trade finance, prepaid), channel (branch, digital), geography (domestic, cross border corridors), and inherent risk rating from the customer risk assessment.
Second, define a baseline for each segment of the normal range of the behaviors your rules measure, including typical volumes, counts, amounts and velocities. This is empirical, not assumed; it is based on the institution’s own historical data, not intuition, nor published thresholds of a peer.
Third, set thresholds relative to the segment, rather than against a single house number. The same structuring rule could cause a $15,000 cumulative trigger for retail, and a much higher one for a cash-intensive business segment, precisely because the underlying normal is different.
Fourth, tighten by risk, loosen only by proven legitimacy. Higher risk segments and products have tighter thresholds and shorter windows. Segments with a well documented legitimate rationale for the flagged behavior get appropriately wider ones documented, not assumed.
The output is a calibration matrix which maps each rule and segment to its threshold and window. And that matrix is also, not coincidentally, one of the first things an examiner will want to see because it is the concrete manifestation of a risk based approach.
The False Positive vs False Negative Trade Off
Every threshold decision is a position on a single trade off, and the root of most dysfunctional programs is pretending it is not.
Tighten a rule, lower the threshold, shorten the window, widen the scope, and you will catch more true activity but you will also generate more false positives. The cost is operational. Alert volume increases, investigation team quality per case decreases, actual risk is lost in noise, backlog becomes a finding of its own. A program that drowns its analysts is not a safe program. It is an unsafe program that looks busy.
Relax a rule and you reduce false positives but accept more false negatives, that is real activity that never raises an alert. The cost here is regulatory and existential. It’s the cost of undetected laundering, of missed SARs, and the enforcement exposure that comes when an examiner or journalist reconstructs a pattern after the fact that should have been caught by screening.
It’s an unavoidable trade off. It has to be put in deliberately and the decision to put it in has to be a deliberate risk decision, not an accident of whatever threshold someone typed in three years ago. Two framings make the decision honest. One is the the economic framing, in which each false positive has an investigation cost that is somewhat knowable; each false negative has an expected cost of low probability and high severity. The other is the regulatory framing. Regulators do not expect zero false negatives, but they do want the institution to have made a conscious choice about its detection logic, documented the rationale, and made proper tests. The defensible answer to “why is the threshold set at this number?” is never “it was the default.” The strong and defendable answer is, “here is the trade off, here is the data, here is the decision, and here is who approved it.”
Rule Set Building: Moving from Rules to Scenario Logic
Mature programs evolve from single condition rules to multi condition scenarios, as real typologies are seldom defined by one condition.
Think of a likely mule situation. In such cases a single rule may be weak on its own. Combine them and signals turn out to be a dormant but suddenly active account, rapid in out movement in 48 hours, five or more distinct sources of funds in seven days, less than 120 days old. The combination describes a mule account with enough specificity to act on quickly, at a far lower false positive rate than any one of those conditions fired alone.
The way to set the precision of the recall functionality is through effective use of AND versus OR logic. AND chaining logic tightens the data points, yielding higher precision and fewer false positives, but at the increased risk of missing variants that should have been detected. OR chaining logic increases the size of the data pool that the detection mechanism will look into. The practical approach is to use AND to define a tight, high confidence core scenario, coupled with a looser OR based rule as a wider safety net tat feeds a lower priority queue. This approach prevents collapsing both intentions into one muddled rule that does neither job.
Rule Chaining: The triggered output of one rule can serve as the input for another rule. For a first tier rule the customer's risk score is increased and a second tier rule applies more stringent thresholds as the score is now high. The system is adaptive but not opaque, because each step remains individually legible.
Preventing cross-rule duplication is the unglamorous part that determines if the program is even usable. If 5 rules fire on the same customer, same transaction cluster, the analyst should get 1 consolidated case with all 5 signals, not 5 disconnected alerts in 5 queues. Deduplication and correlation are not just nice to have, without them scenario logic just multiplies the noise it was meant to reduce.
Common Rule Examples (Banking, Fintech, MSB, Crypto)
Archetypes are universal, calibration is industry specific. One vertical, one concrete example, to show the difference.
In retail and commercial banking, the workhorse is structuring around cash reporting. Three or more cash deposits within a rolling five days, each between approximately $2,000 and $9,900, summing to $15,000 or more, scoped to the retail segment. The calibration discipline is to peg the ceiling to the local cash reporting threshold the $10,000 CTR level in the U.S. and to exclude cash intensive business merchant categories, or the rule will bury the team in legitimate retail merchant deposits.
In fintech and digital wallets, the typical risk is onboarding stage bust out: Accounts less than 30 days old that receive funds from eight or more separate sources within seven days and push out at least 80% of that inbound to external destinations within 24 hours. The calibration note is that new account windows have to be short and tight because the fintech mule rings exploit exactly the first few weeks before any behavioral baseline exists, so the rule has to lean on velocity and fan in rather than absolute amounts.
Money services business remittance smurfing: The same sender pays out to several different receivers in the same high risk corridor within 30 days, each transaction just below the local identification or reporting threshold. The calibration must be per corridor, as corridor risk and legitimate remittance norms vary enormously, and a single MSB wide threshold is indefensible across both.
The most typical pattern seen in crypto and VASP environments is rapid fiat to crypto layering. An example scenario would be fiat inbound above the segment floor, then within six hours a purchase of crypto equal to at least 70% of it, then within 24 hours a withdrawal to an external wallet, with the counterparty VASP appearing on an elevated risk list. Here the signal is temporal proximity rather than the amount the laundering value is in the speed of the fiat to crypto to external wallet hop so the windows need to be tuned tightly and destination VASPs screened.
In all of these, the message is the same: The same structuring or layering logic demands a different floor, window, and exclusion set in each vertical. Calibration is not wholesale adoption of another institution’s thresholds, it’s accepting another institution’s risk decision.
Sandbox Testing Prior to Going Live
No rule should be allowed to go to production untested against the institution's own history. By pushing an uncalibrated rule directly to the live alert stream, programs return astronomical, say 4,000, alerts each month.
Sometimes the discipline is called sandboxing, simulation or back testing, and the workflow is the same. Think of the candidate rule. Run it retrospectively over a representative period of historical transaction data, enough months to capture seasonality and known cases. Then measure, before any live workload is affected. Things to watch out include the alert volume the rule would generate, and whether that volume is survivable for the team. As well as the false-positive rate; the true positive yield; and the overlap with existing rules, meaning whether it surfaces anything current rules miss or merely re-alerts on previous catches.
A rule that triples the volume of alerts and provides negligible incremental detection over the existing set should not go live as written. It should be either recalibrated or rejected. The program wants exactly a rule that adds small volume while surfacing genuine novel true positives. Simulation turns “this rule feels right” into “this rule was measured before it ever touched a single analyst’s queue,” which is also exactly the evidence an examiner expects to see for any rule change.
Documenting Rules for Regulators
A rule that works but you can’t explain how, is not reliable from a supervisory standpoint. The examiners don’t just ask whether the program detects activity. They ask why each rule is constructed the way it is and the absence of a plausible answer is a finding in itself.
For each rule, the FFIEC BSA/AML examination expectations, and similar regimes worldwide, effectively require the institution to be able to answer a set of fixed questions.
|
Why this threshold? |
What analysis, data, or typology justifies this number rather than a higher or lower one? |
|
Why this segment or scope? |
Why does the rule apply to this population and not to others? What money laundering, fraud, or terrorist-financing typology is it intended to detect? |
|
When was it last reviewed? |
What is the review cadence, when was the most recent review, and what changed? |
|
What is the data quality behind it? |
Are the fields that the rule depends on complete, accurate, and reliably populated? A rule keyed off a field that is blank 30% of the time is not the control it appears to be. |
|
Who approved it, and when? |
What is the governance trail for the rule and each subsequent change? |
The practical artifact is a rule register, each rule, its five component anatomy, its calibration rationale, its segment matrix, its review history, its data quality dependencies, and its approvals. The institutions that keep this up sail through the rule review part of an exam at the same time. Institutions trying to reconstruct it the week before don’t and the act of reconstruction signals that the control was never properly governed.
Rule Lifecycle: When to Retire, Tune or Replace
Rules aren't forever. A rule is a hypothesis about where risk exists. Hypotheses age typologies evolve, products launch, customer bases shift, and criminal behavior adapts specifically to get around the rules it has learned.
Every lifecycle decision should be driven by two triggers. The first is periodic review.
Every rule is reviewed at least annually against current performance metrics: Alert volume, false positive rate, true positive yield and the ongoing relevance of the underlying typology. The review can go one of three ways: Keep as is, tune (adjust threshold, window or scope based on evidence), or retire (typology is dead, product is gone, or rule has been superseded). No escalated alert on a rule in two years does not prove lack of risk. Instead, it is an invitation to ask if the rule is miscalibrated, or indeed stale, and to determine, with documentation, which.
The second is reassessment on triggers. Some events demand an off cycle review, no matter what the calendar says. A new product or payment rail comes along and is outside the scope of every rule that we have until proven otherwise. A new typology emerges from a regulator advisory or the institution’s own SAR patterns. The customer mix or geography changes materially. Or a rule’s alert volume swings significantly in either direction without a clear explanation.
What differentiates a living monitoring program from a fossilized one is the discipline of lifecycles. A fossilized program is a stack of rules no one has questioned, gently falling out of alignment with the risk it was designed to catch, and to find that drift during an enforcement action rather than a scheduled review is the most expensive way to learn it.
How Sanction Scanner Can Help
Transaction monitoring craft is made up of all of these things. Using the correct tools is what enables a normal compliance team to actually practice without a dedicated engineering function.
Sanction Scanner’s Transaction Monitoring is designed so that the rule writing, calibration, testing and documentation are all operations that a compliance analyst can do on their own.
AI assisted rule building that requires no coding skills. Analysts can use a visual rule builder to build the full five component anatomy trigger, threshold, window, scope, action without writing a line of code. AI assistance suggests calibration based on the institution’s own data patterns rather than generic defaults.
Built in risk based segmentation. The rules can be scoped to customer segments, products and geographies and calibrated per segment through the same interface. The calibration matrix is configuration, not a spreadsheet maintained on the side.
Simulation in the sandbox before deployment. Candidate rules are tested against historical data to measure the alert volume, false positive rate, and hit rate before they ever get to a live queue.
Correlation and deduplication across rules. Scenario logic does not multiply noise, it reduces it, with multiple rule hits on the same customer rolling up into a single case.
Audit ready rule register. The register is formed not as a separate documentation project, but as a byproduct of building it, all rules, their rationale, their calibration, and their change history are captured for examination.
The point is not that any one feature is new. And that effective detection logic is a continuous loop write, calibrate, simulate, deploy, monitor, review, retire. The tooling either makes that loop something a compliance team can run weekly, or it doesn’t.
