Transaction monitoring: Ultimate guide

Published 22 May 2026. Updated 22 May 2026.
David Gregory, Content Strategy Manager, Resistant AI

In 2026, recent news stories show transaction monitoring gaffes costing legacy institutions millions.

Australian fintech giant Airwallex came under regulatory investigation in January for gaps in its AML and transaction monitoring controls.

Monzo (£21 million fine) and Barclays (£42 million fine) joined several other institutions penalized as fines from European regulators rose sixfold once 2025 was all said and done.

Singapore also saw fines increase, by 579% to be exact, and a New Zealand bank received a $6.73m fine last month (April 2026).

But regulators aren’t just penalizing limited AML frameworks. Recent fines (especially in the UK and Europe) show regulators are more focused on ineffective transaction monitoring and controls that don’t work in practice:

  • Outdated/static risk models.
  • Scaling without control maturity.
  • Missing obvious red flags.

Some firms are still getting the basics wrong and paying the price. Meanwhile, they’re less prepared for emerging and maturing threats:

Authorized push payment fraud continues to exploit legitimate transactions.

Money mule networks are becoming more organized and easier to scale as accounts are bought and sold, turning verified customers into ready-made fraud infrastructure.

This is why transaction monitoring has become one of the most critical controls in financial crime prevention. It is the layer that observes behavior, connects activity over time, and identifies risk as it unfolds.

In this guide, we will break down how transaction monitoring works, where traditional approaches fall short, and what modern systems need to detect fraud in an environment defined by speed, scale, and increasingly sophisticated attacks.

Let’s get started.

What is transaction monitoring?

Transaction monitoring: The continuous analysis of financial transactions to detect unusual and anomalous activity that may be indicative of fraud and money laundering.

In practice, this means monitoring activity across real financial workflows:

  • Payments between individuals or businesses.
  • Account-to-account transfers.
  • Cash withdrawals.
  • Transactions within marketplaces or platforms.

Any movement of money can be legitimate, but it can also be part of a broader pattern that does not add up.

Effective transaction monitoring is typically done via a transaction monitoring solution.

Most of these tools focus on pattern detection and behavioral analysis. They look at how often money moves, where it goes, who is involved, and whether that activity aligns with what is expected for that account. They treat each movement as part of a flow of activity that only makes sense when viewed in context.

And of course, the main purpose of all of this is to prevent transaction fraud.

Why is transaction monitoring important?

Transaction monitoring is the essential layer of defense against financial crimes such as money laundering and fraud. It keeps institutions from being abused by bad actors and from violating legislation, preserving the customer experience and avoiding hefty fines.

Money laundering

Money laundering disguises the origin, ownership, movement, or destination of illicit funds so they appear legitimate.

Money laundering real-world example:

A business bank onboards a new small-business customer using what appear to be valid business registration documents and a legitimate operating account.

  1. The account begins operating normally. It receives modest customer payments, pays routine suppliers, and builds transaction history over several weeks. Nothing stands out during onboarding or early account activity.

  2. Once trust is established, the business account rapidly scales. It begins receiving a high volume of incoming payments from customers for goods or services priced just below common fraud thresholds. Within minutes of each settlement or credit, funds are transferred out to multiple external IBANs.

  3. The crime is detected when transaction monitoring flags a combination of signals: unusual payment velocity, immediate fund dispersion, and shared recipient accounts across multiple business profiles. Individually, each transaction looked valid. Together, they reveal a coordinated fraud operation using pre-verified business accounts to extract and move funds.

Countering the financing of terrorism (CFT)

Countering the financing of terrorism (CFT) refers to detecting and preventing the movement of funds, goods, or financial services that may be used to support terrorist individuals, organizations, or activities.

CFT real-world example:

A retail bank opens a personal account for a customer using a valid ID, proof of address, and a low-risk customer profile. The customer appears to be an ordinary individual using the account for salary deposits, rent, utilities, and everyday spending.

  1. The customer begins making small, regular card payments and bank transfers to nonprofit organizations, media outlets, and online platforms operating in or near conflict-affected regions. None of the individual payments is large, and the descriptions appear charitable or personal.

  2. The pattern changes when the customer starts sending funds to several newly added beneficiaries with no clear personal or commercial connection. Some payments are split into small amounts, routed through money transfer services, or sent shortly after the customer receives cash deposits from unrelated individuals.

  3. The activity is detected when transaction monitoring flags a combination of signals: repeated small-value payments to high-risk geographies, use of charitable or humanitarian descriptions, cash deposits from unrelated third parties, and beneficiary links to adverse media or sanctions-screening alerts. Individually, the payments could look like ordinary donations or family support. Together, they suggest the account may be used to collect and move funds for terrorist financing.

The primary use of transaction monitoring is to prevent payment fraud: the use of deceptive or unauthorized transactions to illegally obtain money from a person, business, or financial institution.

Types of transaction fraud

Transaction fraud is a range of behaviors that all lead to the same outcome: money being moved under false or deceptive circumstances.

The differences lie in who initiates the transaction, how access is gained, and where the deception occurs. Here are the 8 most common types of transaction fraud:

Authorized push payment fraud (APP)

Authorized push payment fraud happens when a user is manipulated into sending money themselves. The transaction is fully authenticated, initiated by the real account holder, and often follows normal patterns.

Real-world example: A victim is manipulated into sending money to a fraudster under a convincing pretext, whether it is a fake investment opportunity, a romantic relationship in a pig butchering scam, or a classic “urgent payment” request dressed up in modern language.

Payments that once took days to clear are now executed instantly. Funds are sent, split, and moved across accounts within minutes, often through mule networks or into crypto, making recovery significantly harder.

Account takeover (ATO)

Account takeover occurs when a fraudster gains control of a legitimate account via stolen credentials, phishing, or malware, and uses it to initiate transactions.

Real-world example: In February 2026, Cyfirma exposed a Telegram phishing operation aimed at social engineering user credentials to abuse Telegram’s native authentication workflow.

Money mules

Money mule activity involves real accounts being used to receive, move, and cash out stolen funds on behalf of a fraud operation. These accounts are either controlled by recruited individuals, taken over from compromised users, or purchased through account reselling markets.

Their role is to sit between the victim and the final cash-out point. These same networks are also widely used in money laundering and terrorist financing.

Real-world example: A victim sends €8,000 via SEPA Instant to a mule account controlled by a fraud network, after which the funds are rapidly split, routed across multiple IBANs, and funneled into crypto or prepaid cash-out channels.

Transaction laundering

Transaction laundering occurs when a merchant uses a legitimate payment account to process transactions for goods or services that are different from what was approved.

Real-world example: A merchant onboarded as an online clothing store uses its payment gateway to process payments for illegal gambling or unlicensed pharmaceuticals through a hidden website. To the payment processor and acquiring bank, the transactions appear to be normal retail purchases, but the underlying activity is entirely different.

Account reselling and pre-verified fraud infrastructure

Account reselling involves the sale of verified accounts to third parties, often through online marketplaces or private channels. These accounts may belong to banks, fintech platforms, or marketplaces, and are typically sold in bulk.

Many of these accounts are created using fraudulent or synthetic documents during onboarding, then aged to appear trustworthy. Once sold, they become ready-made infrastructure for fraud.

Real-world example: A fraudster buys an account through a Telegram channel, completes the transfer or takeover, and then uses it to commit transaction fraud.

Which types of transaction fraud are hardest to detect?

The hardest transaction fraud to detect is account reselling. These are fully verified accounts, often created using real identities, stolen credentials, or high-quality synthetic data, then sold to third parties.

By the time the fraudster gets access, there is nothing obviously wrong. The identity has passed checks. The account has history. The credentials are valid. Resold accounts often mimic normal financial behavior, sending small payments, interacting with known transaction types, and avoiding sudden spikes in activity.

From a system perspective, everything looks consistent. The signals that typically indicate fraud simply are not there.

In account takeover, there are often signs of unauthorized access. In APP fraud, the transaction itself may be unusual for the user. In mule activity, patterns emerge across accounts.

With resold accounts, the fraud starts from a position of trust and unfolds within expected behavior.

Why is payment fraud on the rise in 2026?

Why is payment fraud and associated money laundering increasing in the first place?

“We are seeing scams operate with speed, sophistication, and scale.”
Kathy Gormley, Head of Transactions Product

The answer starts with how payments have changed. Payments are now faster, more frequent, and more accessible than ever. Instant payment rails, digital wallets, and embedded finance have made it possible to move money in seconds.

That same speed compresses the decision window to milliseconds. Real-time fraud and mule controls must assess payments before acceptance, while historic transaction monitoring identifies suspicious behavior after transactions have already been processed.

AML and fraud have traditionally run on separate infrastructure, with AML more batch-based and fraud more real-time, but the two are increasingly converging around real-time decisioning and shared data layers.

At the same time, fraud itself has evolved. It is no longer a series of isolated attacks. It is organized, repeatable, and built to scale. Fraudsters do not just exploit individual victims.

They build infrastructure:

  • Resold and pre-verified accounts provide immediate access.
  • Mule networks move money across accounts.
  • Coordinated activity spreads risk across dozens or hundreds of transactions and accounts instead of one.

Technology has also lowered the barrier to entry. AI tools can automate phishing, generate synthetic identities, or script transaction flows. This allows fraudsters to test, adapt, and refine their tactics faster than traditional controls can respond.

Technology has also made access easier to obtain. Fraud has always required access to the system, but gaining access to an account and getting inside is now far easier.

In the past, fraudsters had to commit document fraud, steal identities, or coerce individuals into acting as money mules. Each carried a risk of being caught and required a distinct skill set.

Now, verified accounts are bought and sold through online marketplaces and private channels. Instead of building access from scratch, fraudsters can purchase accounts that are already onboarded, aged, and trusted. AI-generated documents make the sellers’ work easier too, helping them bypass KYC onboarding.

That is why fraud is rising. Everything is digital (banking, investing, shopping, etc.) and everything is happening in real time. Money moves more quickly and AI creates unique opportunities for fraudsters. Systems are easier to break into, because access to them has become commoditized. And once that access is in place, the transaction layer becomes the only place where intent can be challenged.

Transaction monitoring compliance

Transaction monitoring is not governed by a single standalone law. Instead, it is required as part of broader anti-money laundering (AML) and counter-terrorist financing (CTF) regulations.

Across jurisdictions, the expectation is consistent: institutions must monitor transactions on an ongoing basis, detect suspicious activity, and report it to the relevant authorities, but fines, parameters, and definitions differ geographically.

Here’s a list of the most common laws covering AML transaction monitoring across the globe:

United States

In the United States, transaction monitoring is mandated under the Bank Secrecy Act (BSA) and expanded through the USA PATRIOT Act.

Financial institutions must:

  • Implement AML programs.
  • Include transaction monitoring capable of detecting suspicious activity.
  • File Suspicious Activity Reports (SARs) with the Financial Crimes Enforcement Network (FinCEN) when suspicious activity is identified.

Regulators such as the OCC, Federal Reserve, and FDIC enforce compliance, often focusing on the effectiveness of monitoring systems during audits and investigations.

United Kingdom

In the UK, transaction monitoring requirements are primarily defined under the Money Laundering Regulations 2017.

Firms are required to:

  • Conduct ongoing monitoring of customer activity.
  • Ensure that transactions align with the customer’s known profile and risk level.
  • Submit Suspicious Activity Reports (SARs) to the National Crime Agency when suspicious activity is identified.

The Financial Conduct Authority (FCA) enforces these requirements and regularly penalizes firms for ineffective monitoring systems.

European Union

In the EU, transaction monitoring obligations are set out across successive Anti-Money Laundering Directives (AMLD 4, 5, and 6), with a new AML Regulation (AMLR) on the way.

These frameworks are transposed into national law by each EU member state and require institutions to:

  • Apply a risk-based approach to ongoing monitoring.
  • Apply enhanced scrutiny to high-risk customers and transactions.
  • Monitor continuously, in proportion to the level of risk.

Oversight is currently handled by national regulators, with a centralized EU authority (AMLA) being introduced to strengthen enforcement.

Canada

In Canada, transaction monitoring requirements are defined under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).

Institutions must:

  • Monitor transactions on an ongoing basis.
  • Report suspicious activity to FINTRAC.

This includes identifying unusual patterns, large or complex transactions, and activity that does not align with the customer’s profile. The emphasis is on timely detection and reporting, supported by documented monitoring processes.

Australia

In Australia, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 sets out transaction monitoring obligations.

AUSTRAC requires reporting entities to:

  • Implement transaction monitoring programs.
  • Detect suspicious behavior and support the submission of Suspicious Matter Reports (SMRs).

Each reporting entity must “monitor its customers in relation to the provision of its designated services to appropriately identify, assess, manage and mitigate the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing designated services.”

Brazil

In Brazil, transaction monitoring obligations are established under Law No. 9,613 and further regulated by the Central Bank of Brazil and the Financial Intelligence Unit (COAF).

These frameworks require institutions to:

  • Apply a risk-based approach to transaction monitoring.
  • Continuously monitor customer activity to detect suspicious transactions.
  • Identify and report suspicious activity to COAF through Suspicious Transaction Reports (STRs).
  • Maintain controls proportionate to the institution’s risk exposure and customer profile.

Oversight is carried out by sector-specific regulators, with the Central Bank of Brazil playing a key role in supervising financial institutions and enforcing compliance with AML requirements.

International

At the international level, the Financial Action Task Force (FATF) sets the standard for transaction monitoring through its AML and CTF recommendations.

These frameworks require institutions to:

  • Conduct ongoing monitoring of business relationships.
  • Scrutinize transactions to ensure they are consistent with the customer’s profile and risk level.
  • Identify and report suspicious activity through Suspicious Transaction Reports (STRs).
  • Apply a risk-based approach to monitoring, including enhanced measures for higher-risk scenarios.

These standards are adopted and implemented by jurisdictions worldwide, forming the foundation of national transaction monitoring requirements and shaping how regulators enforce compliance across different markets.

What are transaction monitoring red flags?

Now that we understand what transaction monitoring is, why it matters, and what it detects, let’s get into the details of a normal transaction vs. one that might be displaying transaction monitoring red flags.

Transaction monitoring red flags are indicators that a transaction, or a pattern of transactions, does not align with expected behavior. On their own, they are not proof of wrongdoing. But when combined or repeated, they signal that something deeper is wrong.

“It's important to look at the data and the behavior through different lenses: the ensemble approach.”
Kathy Gormley, Head of Transactions Product

Behavioral anomalies

Behavioral anomalies appear when an account starts behaving differently from its own established pattern or from others in the same segment or industry. This is one of the strongest early signals because it focuses on change rather than absolute values.

  • A retail customer account that normally sends €50–€200 payments suddenly initiates a €7,500 instant transfer to a new beneficiary.
  • A dormant account becomes active and sends 8 outbound transfers within 30 minutes.
  • A marketplace seller account that usually only receives payouts starts sending funds to multiple external IBANs.

Network inconsistencies

Network inconsistencies appear when relationships between accounts and recipients start to repeat or concentrate in unusual ways. This is where fraud shifts from individual activity to infrastructure.

  • 15 newly onboarded accounts all send funds to the same Revolut IBAN within 24 hours.
  • Multiple customer accounts funnel money into a single account that immediately off-ramps to a crypto exchange.
  • The same recipient account appears across unrelated users flagged in separate fraud investigations.

Geographic irregularities

Geographic irregularities occur when transaction behavior does not match expected location patterns for the account.

  • A user initiates a payment from Prague, followed by another from Southeast Asia within minutes.
  • A domestic-only SME account suddenly sends multiple payments to IBANs in high-risk jurisdictions.
  • A user profile registered in one country consistently routes funds through accounts in entirely different regions.

Structuring patterns

Structuring involves deliberately breaking transactions into smaller amounts to avoid detection thresholds. It is a classic technique, but still widely used.

  • A €50,000 transfer is split into five €9,900 payments to avoid €10,000 reporting triggers.
  • Multiple payments just below internal alert thresholds are sent within a short time window.
  • Funds are distributed across several recipient accounts in identical sub-threshold amounts.

Repetition patterns

Repetition patterns signal that the same behavior is being executed across accounts or over time. This is often the first sign of coordinated fraud.

  • Multiple accounts receive €1,000 and withdraw €980 within minutes, leaving small balances behind.
  • Identical transaction sequences repeat across different users with the same timing and amounts.
  • A refund or payout mechanism is triggered repeatedly using the same transaction structure.

Why traditional (rules-based) transaction monitoring fails

Traditional transaction monitoring systems are built on rules. These rules define what “suspicious” looks like in advance, using thresholds, predefined scenarios, and known financial crime typologies.

Examples include flagging transactions over a certain amount, rapid transfers to new beneficiaries, or activity that matches a known fraud pattern.

The problem is that these systems are inherently reactive. Rules are written after fraud or financial crime has already been observed. By the time a new typology is understood and encoded, criminals have often moved on to a variation that no longer triggers the same conditions.

This leads directly to another issue: false positives.

Because rules are rigid, they tend to flag large volumes of legitimate activity that happen to meet predefined criteria. High-value transactions, unusual but valid customer behavior, or edge cases all get pulled into the same alert pool.

In many environments, the vast majority of alerts require no action, slowing down analysts and making it harder to focus on real threats.

At the same time, rules struggle to detect what actually matters. They evaluate transactions in isolation or against simple patterns, but miss the broader context. Subtle behavioral shifts, coordinated activity across accounts, or emerging fraud tactics often fall outside predefined scenarios. The system sees each event, but not the pattern.

The underlying issue: Risk in modern payment systems is not a checklist. It is a chain of signals that only makes sense when connected over time. Static rules can catch what they are designed to catch. They cannot adapt to what they have not been told to look for.

The role of AI in transaction monitoring

AI improves transaction monitoring because it is better at finding patterns in large, messy, fast-moving data.

Traditional transaction monitoring systems are built around predefined rules, thresholds, and scenarios. They are useful for detecting known risks, but they are limited by what the organization has already thought to look for. Financial crime does not work that neatly. Criminal behavior changes, mule networks adapt, and fraud can appear normal when each transaction is viewed on its own.

AI-based transaction monitoring changes the detection model. Instead of relying only on fixed rules, machine learning can analyze large volumes of transaction data and identify patterns across behavior, timing, counterparties, locations, amounts, and account relationships. This helps financial institutions detect known risks with greater speed and accuracy, while also surfacing novel behaviors that were not explicitly written into a rule.

“Machine learning enables regulated entities to detect known risks with greater speed and accuracy, while also increasing their detection of novel, previously unknown criminal activities, the ‘unknown unknowns’."
Kathy Gormley, Head of Transactions Product

That matters because many modern fraud and money laundering patterns are not obvious at the transaction level. A high-value payment, a new recipient, or an unusual transfer time may all be legitimate in isolation. The risk becomes clearer when those signals are connected across the customer’s behavior, peer groups, network relationships, and broader transaction history.

This is where an ensemble approach is especially useful. Rather than depending on one model to make the full decision, an ensemble combines multiple smaller models that each look at different parts of the problem. One model may focus on transaction size. Another may look at geography. Another may analyze the actors involved. Another may examine behavioral change or network connections. The combined result creates a more informed view of risk than any single rule or model could provide on its own.

AI also helps reduce false positives. Rules often alert on isolated conditions, even when the wider context suggests the activity is normal. Machine learning can evaluate whether several signals actually add up to suspicious behavior, helping teams prioritize the alerts that matter instead of flooding analysts with noise.

This does not mean rules disappear. Rules still provide a baseline, support regulatory expectations, and help organizations define clear risk controls. Human oversight also remains essential. But rules alone are not enough for modern transaction monitoring. Effective systems need to combine rules, machine learning, behavioral analysis, graph analytics, and human expertise so they can detect both known typologies and emerging threats.
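To make the red-flag lenses from the previous section and the ensemble idea concrete, here is an added example in Python (not Resistant AI's code or product): four small detectors, one each for velocity, immediate dispersion, shared recipients across newly onboarded accounts, and structuring, score a constructed ledger per account and are combined so that only corroborating signals cross the alert bar, and the result is compared with a single static threshold rule. The €10,000 reporting trigger, the 14-day "new account" cut-off, the 0.5 alert bar and every account name are assumptions.

```python
"""Added example (not Resistant AI's code): four red-flag detectors, one per lens from
the red-flags section, combined into a per-account ensemble score and compared with a
single static threshold rule. All thresholds and the sample ledger are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000.0  # assumed EUR reporting trigger
NEW_ACCOUNT_DAYS = 14           # assumed cut-off for "newly onboarded"
ALERT_THRESHOLD = 0.5           # assumed ensemble score that opens a case

@dataclass(frozen=True)
class Txn:
    account: str           # monitored account
    counterparty: str      # recipient IBAN for "out", payer for "in"
    amount: float          # EUR
    direction: str         # "in" or "out"
    ts: datetime
    account_age_days: int  # age of the monitored account at the time

def _outs(txns, account):
    return sorted([t for t in txns if t.account == account and t.direction == "out"], key=lambda t: t.ts)

def _max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside one sliding window."""
    best, j = 0, 0
    for i, t0 in enumerate(times):
        while j < len(times) and times[j] - t0 <= window:
            j += 1
        best = max(best, j - i)
    return best

def velocity_score(txns, account, window=timedelta(minutes=30), limit=8):
    """Burst of outbound transfers (page example: 8 transfers within 30 minutes)."""
    return min(1.0, _max_in_window([t.ts for t in _outs(txns, account)], window) / limit)

def dispersion_score(txns, account, lag=timedelta(minutes=10)):
    """Share of inbound credits pushed out to several external accounts within `lag`."""
    ins = [t for t in txns if t.account == account and t.direction == "in"]
    outs, dispersed = _outs(txns, account), 0
    for c in ins:
        after = [o for o in outs if c.ts <= o.ts <= c.ts + lag]
        if sum(o.amount for o in after) >= 0.9 * c.amount and len({o.counterparty for o in after}) >= 2:
            dispersed += 1
    return dispersed / len(ins) if ins else 0.0

def shared_recipient_score(txns, account, window=timedelta(hours=24), limit=5):
    """Other newly onboarded accounts paying the same recipient inside the window."""
    by_recipient = defaultdict(list)
    for t in txns:
        if t.direction == "out" and t.account_age_days <= NEW_ACCOUNT_DAYS:
            by_recipient[t.counterparty].append(t)
    worst = 0
    for mine in _outs(txns, account):
        others = {t.account for t in by_recipient[mine.counterparty]
                  if t.account != account and abs(t.ts - mine.ts) <= window}
        worst = max(worst, len(others))
    return min(1.0, worst / limit)

def structuring_score(txns, account, window=timedelta(hours=24), band=0.10):
    """Repeated payments just under the reporting threshold that together exceed it."""
    near = [t for t in _outs(txns, account)
            if REPORTING_THRESHOLD * (1 - band) <= t.amount < REPORTING_THRESHOLD]
    if _max_in_window([t.ts for t in near], window) < 2:
        return 0.0
    return 1.0 if sum(t.amount for t in near) >= REPORTING_THRESHOLD else 0.5

DETECTORS = {"velocity": velocity_score, "dispersion": dispersion_score,
             "shared_recipient": shared_recipient_score, "structuring": structuring_score}

def static_rule_hit(txns, account):
    """The classic rule on its own: any single outbound payment at or over the threshold."""
    return any(t.amount >= REPORTING_THRESHOLD for t in _outs(txns, account))

def ensemble_score(txns, account):
    """Mean of the two strongest lenses, so one flag alone only just reaches the bar and a
    corroborating lens pushes it over. Returns (score, lenses scoring >= 0.5)."""
    parts = {name: fn(txns, account) for name, fn in DETECTORS.items()}
    top = sorted(parts.values(), reverse=True)[:2]
    return sum(top) / 2, sorted(n for n, s in parts.items() if s >= 0.5)

def screen_accounts(txns):
    """Accounts over the ensemble bar as {account: (score, lenses, static_rule_hit)}."""
    scored = {a: ensemble_score(txns, a) for a in {t.account for t in txns}}
    return {a: (s, lenses, static_rule_hit(txns, a))
            for a, (s, lenses) in sorted(scored.items()) if s >= ALERT_THRESHOLD}

T0 = datetime(2026, 5, 1, 9, 0)
def _m(n): return T0 + timedelta(minutes=n)
SAMPLE = [  # constructed ledger, not real data; _m(n) is n minutes after T0
    Txn("retail-007", "IBAN-SHOP-1", 60.0, "out", _m(0), 900),       # ordinary customer
    Txn("retail-007", "IBAN-RENT", 180.0, "out", _m(24 * 60), 900),
    # biz-001: sub-threshold credits, each split out to three IBANs within minutes
    *[Txn("biz-001", f"CUSTOMER-{k}", 4800.0, "in", _m(k * 60), 60) for k in range(3)],
    *[Txn("biz-001", f"IBAN-EXT-{j}", 1600.0, "out", _m(k * 60 + 4), 60)
      for k in range(3) for j in range(3)],
    # new-01..new-06: onboarded 3 days ago, all paying one recipient within a day
    *[Txn(f"new-0{k}", "IBAN-HUB", 950.0, "out", _m(k * 120), 3) for k in range(1, 7)],
    # struct-01: EUR 49,500 pushed out as five EUR 9,900 payments in 20 minutes
    *[Txn("struct-01", f"IBAN-SPLIT-{k}", 9900.0, "out", _m(k * 5), 400) for k in range(5)],
]
```

On this ledger the static threshold rule fires on no account at all, while the ensemble flags the dispersing business account, the six new accounts funding one recipient and the structured payer, and leaves the ordinary retail customer alone.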

Transaction monitoring systems

When institutions talk about “transaction monitoring”, they are referring to their monitoring capabilities and case management together. This involves a combination of technologies that work together to ingest data, evaluate risk, and make decisions in real time or near real time.

Every transaction triggers a series of checks, enrichments, and scoring mechanisms that determine whether the activity should be allowed, flagged, or escalated. These systems are designed to operate continuously, updating their understanding of risk as new data comes in.

The key technologies that enable this include:

  • Transaction ingestion and data pipelines. Often referred to as the orchestration layer, these are the systems that capture transaction events as they occur and route them into monitoring engines. This includes payment data, account activity, device signals, and external data sources.

  • Detection engine. An umbrella term that contains:

    • Feature engineering and data enrichment. The process of transforming raw transaction and customer data into usable signals, such as transaction velocity, counterparty risk, geolocation patterns, and behavioral history. This typically happens as part of modelling or rule design and acts as a prerequisite for many machine learning models and some rules-based controls. While it supports the detection layer, feature engineering is often performed offline when building dedicated models rather than during live decisioning itself.

    • Rules engines. Systems that apply predefined thresholds and scenarios to flag known risk patterns, such as high-value transfers or rapid movement of funds.

    • Machine learning models. Models that detect patterns, anomalies, and relationships across transactions, enabling detection of previously unseen fraud behaviors.

      • Graph and network analysis systems. Embedded within the ML models, these technologies map relationships between accounts, devices, and transactions to identify shared infrastructure, mule networks, and coordinated activity.

  • Decisioning and orchestration layers. Systems that determine what happens next, whether to allow, block, flag, or escalate a transaction based on risk signals.

  • Case management and alerting systems. Tools that surface alerts to analysts, support investigations, and track outcomes for feedback into the system.

  • Transaction monitoring software. The layer that brings all of these components together into a single system. It integrates data pipelines, scoring engines, models, and decisioning logic to provide a unified view of risk. By combining multiple signals and continuously updating them as new transactions occur, it enables institutions to analyze activity reliably and act on it in real time.
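As an added example (not Resistant AI's code or product), here is the ingestion-to-decisioning path from the list above reduced to one Python module: per-account state stands in for the data pipeline, `enrich` is the feature-engineering step, `RULES` is the rules engine, and `decide` is the decisioning layer that allows, flags, escalates or blocks each outbound payment before it is accepted, using only what the system already knows at that moment. The limits, the event stream and the account names are constructed.

```python
"""Added example (not Resistant AI's code): one real-time decisioning step over a
stream of payment events. Each outbound payment is enriched with features from
per-account state, checked by a rules engine, and given an allow / flag /
escalate / block decision before acceptance. Thresholds and events are constructed."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BURST_LIMIT = 8        # assumed: outbound transfers within 30 minutes
RATIO_LIMIT = 20       # assumed: payment size versus the account's usual amount
DRAIN_MINUTES = 10     # assumed: an inbound credit pushed back out within this time
SEVERITY = {"allow": 0, "flag": 1, "escalate": 2, "block": 3}

@dataclass
class AccountState:
    """Rolling state the ingestion layer keeps per account."""
    recent_outs: deque = field(default_factory=deque)  # timestamps of outbound payments
    beneficiaries: set = field(default_factory=set)
    last_credit: tuple = None                          # (ts, amount) of the latest credit
    total_out: float = 0.0
    n_out: int = 0

def enrich(state, ts, amount, beneficiary, window=timedelta(minutes=30)):
    """Feature engineering at event time, from state only (nothing from the future)."""
    while state.recent_outs and ts - state.recent_outs[0] > window:
        state.recent_outs.popleft()
    avg = state.total_out / state.n_out if state.n_out else None
    since_credit = ((ts - state.last_credit[0]).total_seconds() / 60
                    if state.last_credit else None)
    return {
        "velocity_30m": len(state.recent_outs) + 1,
        "new_beneficiary": beneficiary not in state.beneficiaries,
        "amount_ratio": amount / avg if avg else 1.0,
        "drains_credit": (since_credit is not None and since_credit <= DRAIN_MINUTES
                          and amount >= 0.9 * state.last_credit[1]),
    }

# Known typologies as explicit rules: (reason, action, predicate on the features).
RULES = [
    ("burst of outbound transfers", "escalate",
     lambda f: f["velocity_30m"] >= BURST_LIMIT),
    ("unusually large payment to a new beneficiary", "escalate",
     lambda f: f["new_beneficiary"] and f["amount_ratio"] >= RATIO_LIMIT),
    ("inbound credit pushed straight out to a new beneficiary", "block",
     lambda f: f["drains_credit"] and f["new_beneficiary"]),
    ("inbound credit pushed straight out", "flag",
     lambda f: f["drains_credit"] and not f["new_beneficiary"]),
]

def rules_engine(f):
    return [(reason, action) for reason, action, pred in RULES if pred(f)]

def decide(hits):
    """Decisioning layer: the most severe action wins; two mere flags together escalate."""
    if not hits:
        return "allow"
    worst = max((action for _, action in hits), key=SEVERITY.get)
    return "escalate" if worst == "flag" and len(hits) >= 2 else worst

def process(states, ts, account, amount, direction, counterparty):
    """Ingest one event. Credits only update state; outbound payments are decided
    first and recorded afterwards, so a blocked payment never shapes the baseline."""
    st = states.setdefault(account, AccountState())
    if direction == "in":
        st.last_credit = (ts, amount)
        return "allow", []
    hits = rules_engine(enrich(st, ts, amount, counterparty))
    decision = decide(hits)
    if decision != "block":
        st.recent_outs.append(ts)
        st.beneficiaries.add(counterparty)
        st.total_out += amount
        st.n_out += 1
    return decision, hits

# Constructed event stream: (ts, account, amount, direction, counterparty).
T0 = datetime(2026, 5, 1, 9, 0)
def _m(n): return T0 + timedelta(minutes=n)
EVENTS = [
    *[(_m(d * 1440), "retail-007", a, "out", "IBAN-SHOP")
      for d, a in enumerate([60.0, 120.0, 90.0, 130.0])],   # four days of normal spending
    (_m(5 * 1440), "retail-007", 7500.0, "out", "IBAN-NEW"),  # page's EUR 7,500 to a new payee
    (_m(0), "mule-042", 8000.0, "in", "VICTIM"),              # page's EUR 8,000 SEPA Instant
    (_m(3), "mule-042", 7900.0, "out", "IBAN-CASHOUT"),       # pushed out three minutes later
]

def run(events):
    """Replay the stream in order; returns (account, amount, decision, reasons) per event."""
    states = {}
    return [(acct, amt, *process(states, ts, acct, amt, d, cp)) for ts, acct, amt, d, cp in events]
```

The retail customer's routine payments are allowed, the €7,500 transfer to a new payee is held for an analyst, and the mule account's immediate push-out of the victim's credit is blocked before the money leaves.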

Transaction monitoring best practices

Effective transaction monitoring is not built on a single method or signal. It requires combining multiple perspectives on the same activity to understand whether a transaction makes sense in context.

The following best practices come from our transaction monitoring experts and draw on years of experience of how leading institutions approach transaction monitoring today, from how they structure detection systems to how they operationalize risk at scale:

  1. Start with your risks, not your existing rules. Build your detection strategy around your institution’s specific risks and behaviors. Do not limit yourself to rules you have used before; there may be better ways to segment risks and detect suspicious activity.

  2. Avoid “no SAR left behind” thinking. A strong detection strategy is not about trying to capture every possible scenario that has ever resulted in a SAR. It should be risk-based, defensible, and grounded in your organization’s unique exposure.

  3. Treat detection design as an ongoing process. Rules and models should be reviewed, tested, and adapted regularly as risks, products, customer behavior, and criminal tactics change.

  4. Use a team-based approach. Good detection design requires input from subject matter experts, second-line risk teams, operations, and system owners. Risk relevance, operational impact, alert quality, and technical feasibility all need to be considered.

  5. Match the detection method to the purpose. Some rules or models may be intentionally broad and exploratory, designed to find unusual events or anomalies. Others may be highly targeted toward known risks or specific behaviors. Both can be valid if their purpose is clear.

  6. Document decisions, limitations, and constraints. Clearly record why each rule or model exists, what risk it addresses, how it is expected to perform, and any known limitations or operational constraints.

  7. Know your data. Data availability and quality are critical to any discussion of TM detection. No perfect data set exists, but it is important to understand what you have (and do not have) and its impact on detection.

Conclusion

Transaction monitoring is behavioral, networked, and adaptive. It spans multiple accounts, actors, and systems, identifying risk that only becomes visible when that activity is connected.

This is why static monitoring is no longer enough. Systems built on predefined rules and known patterns can only detect what they have already seen. They struggle with coordinated activity, evolving tactics, and financial crime that operates within expected behavior.

Effective transaction monitoring needs an upgrade to reflect the reality of modern crime.

Resistant Transactions helps fraud and compliance teams catch more fraud and money laundering behaviors with less (all without replacing your existing tech stack).

Transition from ineffective static rules to ensembles of specialised behavioural and anomaly detection models. Detect complex financial crime patterns with greater precision, reduce false positives, and adapt to evolving criminal behaviour that rigid threshold-based systems miss.

It applies adaptive, AI-driven monitoring to detect patterns across transactions, accounts, and networks in real time.

Scroll down to book a demo.

Frequently asked questions

Hungry for more transaction monitoring content? Here are some of the most frequently asked transaction monitoring questions from around the web.

What is transaction monitoring in AML?
Transaction monitoring in AML (anti-money laundering) is the ongoing surveillance of customer transactions to detect suspicious activity that may indicate money laundering or other financial crime.
How does transaction monitoring detect fraud?
Transaction monitoring detects fraud by analyzing patterns in how money moves, using either rules or AI to identify unusual behavior, detect anomalies, and connect activity across accounts and networks.
What are the biggest challenges in transaction monitoring?

The main challenges are:

  • High false positives, where large volumes of legitimate behaviors are flagged.
  • Fragmented data across systems, limiting visibility.
  • Manual review burden, which slows down investigations and increases operational cost.
Can AI reduce false positives in transaction monitoring?
Yes. AI uses behavioral baselines, pattern recognition, and multiple signals to determine whether activity actually represents risk. This leads to more precise alerts and allows analysts to focus on cases that matter.
Is transaction monitoring real-time?

It depends on the system.

Traditional monitoring often runs in batches, reviewing transactions after they occur. Modern systems are increasingly real-time or near real-time, analyzing transactions as they happen.

This shift is critical because many payment methods are now instant, leaving little time to intervene after the fact.

What’s the difference between rule-based and AI transaction monitoring?
Rule-based monitoring uses predefined logic to detect known patterns. AI-based monitoring analyzes behavior, identifies anomalies, and adapts to new patterns.
Can transaction monitoring detect organized fraud networks?
Yes. Detecting organized fraud requires connecting signals across multiple accounts, identifying shared infrastructure, and analyzing how funds move through networks, all capabilities present in AI-powered transaction monitoring software.
Who does transaction monitoring detect?

Transaction monitoring detects suspicious transaction behavior across different types of fraud actors, including:

  • Third-party fraudsters. External criminals who steal, buy, or manipulate access to accounts. They often use compromised accounts, account takeover, social engineering, or fully verified accounts bought from others.
  • Money mules. People or accounts used to receive, move, split, or cash out stolen funds. Some mules know what they are doing. Others are tricked through fake jobs, romance scams, or other recruitment tactics.
  • First-party fraudsters. Legitimate account holders who abuse their own accounts for financial gain. This can include repeated refund abuse, chargebacks, claims of non-delivery, or other patterns that only become visible over time.
  • Synthetic or robotic mules. Fake, automated, or bulk-controlled accounts used to move money at scale. These accounts can mimic normal user behavior while acting as programmable financial relays.
  • Organized fraud networks. Coordinated groups where different actors handle different parts of the fraud process, such as account creation, social engineering, mule management, fund movement, and cash-out.
  • Cash-out operators. Actors who help convert stolen or fraud-linked funds into usable value through withdrawals, crypto exchanges, prepaid cards, merchant abuse, or other off-ramps.

Transaction monitoring does not just detect “bad people.” It detects the behavioral patterns that reveal how money is being moved, layered, and extracted across accounts.

What’s the difference between SAR and CTR?
A suspicious activity report (SAR) is filed when activity appears suspicious, while a currency transaction report (CTR) is filed when a cash transaction exceeds the reporting threshold, regardless of whether it looks suspicious.
What is the difference between KYC and transaction monitoring?
Know your customer (KYC) verifies who a customer is at onboarding, while transaction monitoring watches what the customer does after onboarding.
What is CIP vs. CDD vs. EDD?
Customer identification program (CIP) verifies identity, customer due diligence (CDD) assesses customer risk and expected activity, and enhanced due diligence (EDD) applies deeper checks to higher-risk customers.
What are the 7 types of risk in banking?
The common seven are credit risk, market risk, liquidity risk, operational risk, compliance risk, reputational risk, and strategic risk.
What is CTR and CCR?
A currency transaction report (CTR) reports large cash transactions, while customer risk rating (CRR), often confused with CCR, scores a customer’s financial crime risk level.