GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Fraud & Compliance / Learning brief

AML transaction monitoring

Your notes

What this means in plain language

Anti-money-laundering transaction monitoring reviews many transactions over time for patterns that suggest financial crime, after they settle rather than in the payment path. Alerts that survive investigation become suspicious activity reports filed with the authorities.

Anti-money-laundering (AML) transaction monitoring looks across many transactions over time to find behaviour that may indicate money laundering or other financial crime. It is deliberately different from sanctions screening. Screening is a gate in the payment path: it compares each payment against lists and can stop it within seconds. Monitoring is a review after the fact: transactions accumulate in a data store, and detection scenarios run across that history — often overnight — to flag patterns a single payment would never reveal. Because it runs after settlement, monitoring does not usually stop a payment; it produces an alert. A trained investigator then examines the account, the customer's expected behaviour, and the surrounding activity. Most alerts turn out to be explainable and are closed with a documented reason. When suspicion remains, the institution files a suspicious activity report (SAR) with the national financial intelligence unit. The report, not a block, is the output of the control.

Understand the full idea, step by step

Think of two very different security jobs. One is the guard at the door, checking each person against a list before letting them in. The other reviews the night's camera footage the next morning, looking for the pattern no single frame could reveal. Sanctions screening is the guard. Anti-money-laundering transaction monitoring is the review of the footage — and confusing the two is one of the most common mistakes beginners make.

AML transaction monitoringAnti-Money-Laundering

Transaction monitoring reviews many transactions over time for patterns that suggest financial crime. Transactions settle first, accumulate in a data store, and detection scenarios run across that history — commonly as overnight batch jobs, sometimes more frequently. Because the signal lives in the pattern — the sequence, the velocity, the relationships between accounts — monitoring works on behaviour over time, not on a single message in flight.

Two controls, opposite ends of the clock
Sanctions screeningAML transaction monitoring
When it runsBefore execution — the payment is in flightAfter settlement — across accumulated history
Question it answersIs a party to this one payment on a list?Does this account's behaviour over weeks look like crime?
Unit it examinesA single messageA pattern across many transactions
What it producesA hold or a block on the paymentAn alert for a human to investigate

If monitoring spots laundering, why does it not just stop the payment like screening does?

Because by the time the pattern is visible, the individual payments have already gone. Screening can hold one payment because it judges that payment before it leaves. Monitoring judges a sequence, which only exists once the payments have settled and accumulated. So its output is not a block but an alert — a question raised for an investigator, not a verdict passed on a transaction. Some monitoring now runs closer to real time, and the boundary with fraud detection can blur, but the after-the-fact, pattern-level character is what defines the control.

What the scenarios look for

Detection scenarios encode patterns associated with money laundering, and they work by testing behaviour against expectation. One family compares activity to the customer's known profile — a personal account suddenly moving sums far beyond its declared income. Another looks at the shape of flows — funds arriving and leaving almost at once, or many small inbound amounts consolidated and moved onward. Others examine networks — accounts transacting in tight circles, or funds routed through several parties with no apparent economic purpose. Increasingly, statistical models supplement fixed rules, scoring how anomalous an account looks rather than testing one threshold.

From alert to outcome

  1. VALIDATION

    A scenario fires against the settled history and creates an alert; the account and its activity enter a case.

  2. VALIDATION

    Maya gathers the evidence: the transaction history, the customer's expected profile from KYC records, the counterparties, and any adverse media or prior alerts.

  3. VALIDATION

    She decides whether the behaviour has a legitimate explanation. Most alerts do — they are closed with a documented rationale.

  4. NOTIFICATION

    Where suspicion remains and cannot be explained away, the case is escalated toward a suspicious activity report; either way, the decision and its reasoning are recorded for later review.

COMMON CONFUSION

An alert means the bank has caught a launderer.

An alert is a question, not a finding. Many of these patterns have entirely legitimate explanations — a business with genuinely fast turnover, a one-off large sale — which is exactly why a human investigates before anything is reported. The control is working when it directs limited investigative attention to where risk is most concentrated, not when it produces the most alerts.

STRICTLY SPEAKING

Strictly speaking, which scenarios a bank runs, at what thresholds, and how often, are set by its own documented risk assessment — the relevant typologies differ by customer base, product, and geography, and an unexplained scenario setting is treated as a weakness in itself. Confirmed-suspicion outcomes and false-positive rates then feed back into which scenarios run and how they are tuned. The parameters are policy choices to point at, not fixed numbers to quote.

FOR NOW, REMEMBER

  • Screening is a pre-execution gate on one payment; monitoring reviews settled activity over time for patterns.
  • Monitoring does not usually stop a payment, because the pattern is only visible once the payments have gone — its output is an alert, not a block.
  • Scenarios test behaviour against expectation: the customer's profile, the shape of flows, and the network of counterparties.
  • An alert is a question a human must investigate; most have legitimate explanations, and every decision is documented.

TRY IT YOURSELF

A customer's account shows funds arriving and leaving within minutes, repeatedly, over three weeks. Which control is designed to surface this, and what does surfacing it produce?

Real-time sanctions screening, which would have blocked each of these payments as it passed.

Not this one — Screening checks parties on a single payment against lists; it does not judge a pattern across weeks, and none of these payments was individually a list match.

Transaction monitoring, which detects the pattern after settlement and raises an alert for an investigator — not an automatic block.

Correct — Correct. The rapid in-and-out shape is a pattern across many settled transactions, exactly what monitoring examines, and its output is a case for Maya to investigate rather than a stopped payment.

Screening, because the pattern is fully visible in each individual message.

Not this one — The pattern is precisely what a single message cannot show — it lives in the sequence and velocity across many payments, which only monitoring assembles.

We named a few shapes monitoring looks for. The next lesson names them properly — structuring, rapid movement, round-tripping — as detection signals, and shows how scenarios surface each one.

KEEP GOING

Three things to remember

  1. 01

    AML (anti-money-laundering) transaction monitoring detects patterns across many transactions after they settle, unlike real-time screening, which stops a single payment at a gate.

  2. 02

    It flags behaviour, not names — activity that is unusual for the customer or consistent with known money-laundering patterns — and produces alerts, not automatic blocks.

  3. 03

    An alert that survives investigation becomes a suspicious activity report (SAR) filed with the authorities; the payment has usually already settled.

Where you would use this

USE CASE 01

Monitoring teams review scenario alerts each day, clearing explainable activity and escalating cases where the behaviour has no legitimate explanation.

USE CASE 02

Investigators assemble the account history, customer profile, and counterparties into a case to decide whether to file a suspicious activity report.

USE CASE 03

Financial-crime risk teams tune scenario thresholds against the institution's risk assessment to balance missed activity against false-positive volume.

Put the idea into a real situation

Illustrative example: a fictional bank, Harbour Union Bank, monitors an account belonging to Kite & Co, a small consultancy whose declared profile is a few large invoices per month. A detection scenario flags the account after it receives 43 inbound transfers of between EUR 2,800.00 and EUR 3,400.00 within eight days, followed by near-total withdrawals. Nothing was stopped in real time — the payments settled. An investigator compares the pattern against the expected profile, finds no matching business rationale, and cannot explain it from the file. The case is escalated and a suspicious activity report (SAR) is filed with the financial intelligence unit within the required deadline. The account behaviour over time, not any single payment, is what the control caught.

Evidence & review

REVIEWED 2026-07-13

AML transaction monitoring as a post-settlement, pattern-level control, contrasted with pre-execution sanctions screening; scenario libraries, thresholds, and run cadence are institution- and jurisdiction-specific.

What this brief simplifies: Describes monitoring as batch-oriented for clarity; real programmes mix batch, intraday, and near-real-time monitoring, use both rules and statistical models, and vary the alert-to-case workflow. No thresholds or timing parameters are stated as fixed numbers.

Sources for this brief3
  1. Official requirement

    The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & ProliferationFinancial Action Task Force · Recommendation 20 (suspicious transaction reporting); Recommendation 1 (risk-based approach)

    The global standards countries implement against money laundering, terrorist financing, and proliferation financing, including targeted financial sanctions and payment transparency under Recommendation 16. · Checked 2026-07-12

    Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.

  2. Market practice

    Wolfsberg Group Payment Transparency StandardsThe Wolfsberg Group · Distinction between real-time screening and post-settlement monitoring

    Industry standards on preserving complete and accurate party information through payment chains, expressed in ISO 20022 terminology. · Checked 2026-07-12

    The 2023 standards replace the 2017 version and are supplemented by separate Wolfsberg guidance on roles and responsibilities in payment chains.

  3. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal · Maya's rapid-movement case and the screening-vs-monitoring comparison

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Fraud & Compliance archive

AML transaction-monitoring typologies

Transaction monitoring watches for named laundering behaviours such as structuring, pass-through movement, round-tripping, and layering. This defensive article explains each pattern and how scenarios and thresholds surface it for review.

READ BRIEF