Transaction Monitoring: Building Effective Alert Frameworks

Anqa Compliance — Free AML Training Series | FATF R.16 & R.20 | Certificate on Completion

Course Overview

What You Will Learn

  • FATF Recommendation 20 — the reasonable suspicion standard for STR filing
  • Behavioural, transactional, and geographic red flags for suspicious transaction detection
  • Rule-based vs behaviour-based TM systems — design principles and trade-offs
  • The five-step alert triage process: from automated alert to MLRO decision
  • The revised FATF Recommendation 16 (Travel Rule, June 2025) — key changes
  • Cash Transaction Reports (CTRs) vs STRs — key distinctions
  • Emerging market TM challenges: high cash volumes, mobile money, data quality

Why Transaction Monitoring Is a Core AML Pillar

Customer due diligence establishes who you are dealing with at onboarding. Transaction monitoring is how you detect when that customer's behaviour changes or proves inconsistent with what was expected. FATF Recommendation 20 makes suspicious transaction reporting mandatory — but you can only report what your system detects.

Revised R.16 — June 2025

FATF revised Recommendation 16 (the wire transfer / Travel Rule) on 18 June 2025. The revision aims to make the standard technology-neutral, supporting faster and more transparent cross-border payments while maintaining security. This is a significant update with new information requirements that FIs must incorporate into their systems.

Course Structure

Module 1: FATF R.20 & the Suspicion Standard

The reasonable suspicion threshold, no-amount-threshold principle, good faith obligation, and promptness requirement

Module 2: Red Flags — Behavioural, Transactional, Geographic

The three categories of suspicion indicators — with specific examples for each

Module 3: TM System Design

Rule-based vs behaviour-based systems, hybrid approaches, alert triage workflow, and tuning for false positives

Module 4: Travel Rule & Wire Transfers (R.16 Revised)

June 2025 revision, threshold, required information for individuals and legal entities, beneficiary FI obligations

Module 5: CTRs, Mobile Money & Emerging Market Challenges

CTR vs STR distinction, mobile money integration, high cash volumes, data quality, and correspondent banking complexity

Module 1: FATF R.20 and the Suspicion Standard

Text of Recommendation 20

"If a financial institution suspects or has reasonable grounds to suspect that funds are the proceeds of a criminal activity, or are related to terrorist financing, it should be required, by law, to report promptly its suspicions to the financial intelligence unit (FIU)."

Every word in R.20 is deliberate. Understanding the standard requires unpacking five key elements.

The Five Key Elements of R.20

1. Reasonable Suspicion — Not Certainty

The threshold is "suspects or has reasonable grounds to suspect." This is not a proof standard. You do not need to know that criminal activity occurred — you need reasonable grounds to suspect it. Waiting for proof before filing is wrong and likely a breach.

2. No Amount Threshold

Unlike CTRs (cash transaction reports), STRs have no minimum amount. A suspicious transaction of USD 50 must be reported. The amount is irrelevant: suspicion is the trigger, not size.

3. Good Faith Obligation

Report in good faith. The obligation attaches even if the FI does not know precisely what the underlying criminal activity was, and regardless of whether illegal activity actually occurred. A good-faith report that turns out to be wrong is protected.

4. Incomplete Transactions Must Be Reported

Suspicious transactions should be reported even if not completed — a rejected transaction, an abandoned transfer, an unusual request that was refused. Attempted activity can be as significant as completed activity.

5. Promptness — To the FIU, Not Police

Reports must be made "promptly"; most national frameworks specify timeframes (24 hours to 10 days). The report goes to the FIU. The FIU analyses the report and disseminates it to law enforcement; the FI does not report to law enforcement directly.

STR vs SAR — Terminology

STR (Suspicious Transaction Report): The term used by FATF and most African and Asian jurisdictions (Kenya, Tanzania, Nigeria, Ghana, India, Bangladesh). Focuses on the transaction.

SAR (Suspicious Activity Report): Used in the US and some other jurisdictions. Broader — covers suspicious activity including attempted transactions and account behaviour patterns even without a completed transaction.

FATF uses "STR" as the standard term. In international training contexts, STR and SAR are often used interchangeably — but check your local regulatory framework for the specific legal term and requirements in your jurisdiction.

Module 2: Red Flags — Behavioural, Transactional, Geographic

FATF's Approach to Red Flags

FATF does not prescribe a fixed list of suspicious activities — it would quickly become outdated. Institutions must develop their own criteria based on their risk assessment, business context, and typology awareness. In practice, red flags fall into three categories:

Behavioural Red Flags

These relate to how the customer interacts with the FI — not what they transact:

  • Customer reluctant to provide required identification or information — delays onboarding, provides incomplete documents, refuses to answer source of funds questions.
  • Customer provides false, inconsistent, or suspicious identification documents — name variations, expired documents, documents from multiple inconsistent jurisdictions.
  • Customer unusually knowledgeable about reporting thresholds — adjusts transaction amounts to stay just below CTR or TM thresholds (structuring behaviour).
  • Customer nervous, evasive, or aggressive when asked about the purpose of a transaction.
  • Customer instructs staff not to keep records or documentation.
  • Third party conducting transactions on behalf of an account holder without plausible explanation.

Transactional Red Flags

  • Transaction inconsistent with the customer's known business or financial profile — e.g., a salary earner receiving large commercial payments.
  • Sudden, unexplained increase in transaction volumes or amounts without business justification.
  • Transactions with no apparent economic purpose — e.g., funds received and immediately sent onward with no stated reason.
  • Funds received from unknown or unrelated third parties.
  • Complex, multi-step transfers without commercial justification — layering signals.
  • Round-sum transactions repeated multiple times (e.g., exactly USD 9,500 — just below a USD 10,000 CTR threshold).
  • Transactions that appear to be structuring — multiple deposits or transfers that cumulatively exceed a threshold but individually fall below it.

Geographic Red Flags

  • Transactions to/from FATF-listed jurisdictions (black or grey list) with no plausible business connection.
  • Payments routed through multiple jurisdictions for no apparent commercial reason — jurisdiction-hopping to obscure origin or destination.
  • Funds originating from or destined for high-risk, sanctioned, or non-cooperative jurisdictions.
  • Customer or counterparty address in a jurisdiction associated with specific typologies (secrecy jurisdictions for shell company risk, high-drug-trafficking regions for proceeds risk).
  • International remittances from low-income customers in unusually large amounts to specific countries.

Red Flags Are Indicators, Not Proof

A single red flag rarely justifies an STR on its own. The analyst's role is to assess the totality of indicators in context. A round-sum payment from a lottery company is not suspicious; the same round-sum payment from a new retail customer with no clear income source requires investigation. Context is everything.

Module 3: Transaction Monitoring System Design

Rule-Based Systems

Rule-based TM systems apply static rules to flag specific transaction patterns.

Examples: "Flag all cash transactions above KES 1,000,000"; "Flag all transfers to grey-listed jurisdictions above USD 5,000"; "Flag all accounts receiving more than 10 inbound transfers in 24 hours."

Advantages

Transparent and auditable — regulators can inspect rules. Consistent — same rule applies to all customers. Low initial implementation cost. Easy to explain to a court or regulator.

Disadvantages

Generate high false positive rates — many legitimate transactions trigger the same rules as suspicious ones. Criminals adapt to known rules (structuring). Cannot detect novel typologies not captured in existing rules.
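The sketch below is an added example, not code from the course: it puts a static single-transaction threshold rule beside a rolling-window aggregation rule, to show why the first misses structuring and how the second can be tuned so that ordinary cash-heavy accounts do not alert. The field names, the 7-day window, the 90% "just below" band and the sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000        # USD, the CTR threshold used in the course's examples
WINDOW = timedelta(days=7)    # assumed look-back window for aggregation
NEAR_BAND = 0.90              # assumed: "just below" means within 10% of the threshold

def single_threshold_rule(txns):
    """Static rule: flag each cash transaction at or above the threshold."""
    return [t for t in txns if t["amount"] >= CTR_THRESHOLD]

def structuring_rule(txns):
    """Flag accounts whose sub-threshold cash deposits sum past the threshold
    inside WINDOW, with at least two deposits sitting in the near-threshold band."""
    alerts, windows = [], defaultdict(deque)
    for t in sorted(txns, key=lambda x: x["ts"]):
        if t["amount"] >= CTR_THRESHOLD:
            continue                          # already covered by the static rule
        w = windows[t["account"]]
        w.append(t)
        while t["ts"] - w[0]["ts"] > WINDOW:
            w.popleft()                       # drop deposits older than the window
        total = sum(x["amount"] for x in w)
        near = [x for x in w if x["amount"] >= NEAR_BAND * CTR_THRESHOLD]
        if total >= CTR_THRESHOLD and len(near) >= 2:
            alerts.append({"account": t["account"], "as_of": t["ts"],
                           "total": total, "count": len(w)})
            w.clear()                         # one alert per pattern, then restart
    return alerts

# Constructed sample data (not real transactions).
SAMPLE = [
    {"account": "A", "amount": 9_500, "ts": datetime(2025, 1, 6)},   # Monday
    {"account": "A", "amount": 9_700, "ts": datetime(2025, 1, 8)},   # Wednesday
    {"account": "A", "amount": 9_800, "ts": datetime(2025, 1, 10)},  # Friday
    {"account": "B", "amount": 3_000, "ts": datetime(2025, 1, 6)},   # cash-heavy trader
    {"account": "B", "amount": 4_000, "ts": datetime(2025, 1, 7)},
    {"account": "B", "amount": 4_500, "ts": datetime(2025, 1, 9)},
    {"account": "C", "amount": 12_000, "ts": datetime(2025, 1, 8)},  # ordinary CTR case
]

if __name__ == "__main__":
    print("static rule:", [t["account"] for t in single_threshold_rule(SAMPLE)])
    for a in structuring_rule(SAMPLE):
        print("structuring alert:", a)
```

The static rule sees only account C; account A never crosses it, and the aggregation rule is what surfaces A while leaving account B's ordinary trading deposits alone. The window and band are tuning parameters that need the documented calibration review the course describes, not fixed values.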

Behaviour-Based / Analytics-Driven Systems

Analytics-driven TM monitors customer behaviour against their own historical baseline and uses machine learning algorithms to detect anomalies from expected patterns.

Advantages

Better at detecting novel typologies. Lower false positive rates over time as the model learns. Can identify unusual behaviour that no static rule would capture.

Disadvantages

Complex and expensive to implement. Require significant high-quality data. "Black box" concerns — difficult to explain to regulators why a specific alert was generated. Vulnerable to model drift.

Hybrid Approaches

Most modern TM systems combine rule-based layers (for known typologies and mandatory regulatory requirements — like CTR thresholds and Travel Rule monitoring) with analytics-based layers (for anomaly detection and novel pattern identification). The rule-based layer provides auditability; the analytics layer provides sensitivity.

The Alert Triage Workflow

Automated alerts generated by the TM system enter a five-stage triage process:

  1. Alert generation. TM system generates an automated alert based on a rule trigger or analytics anomaly. Alert assigned a priority score and queued for analyst review.
  2. First-line analyst review. AML analyst reviews transaction history, customer profile, and open-source information. Makes an initial determination: close as false positive, or escalate for deeper review.
  3. Escalation to compliance team. Complex or higher-risk cases escalated to the compliance/AML team for deeper investigation. Additional data gathered: account history, linked accounts, adverse media.
  4. MLRO review. The MLRO/AMLCO reviews the compiled case file. Makes the definitive decision: file an STR with the FIU, or close the case with documented reasons.
  5. STR filing or documented closure. STR filed with FIU promptly after MLRO decision. Or case closed with documentation of why suspicion was not confirmed. No tipping off at any stage.

MLRO Authority Is Final

A business unit cannot override the MLRO's decision to file an STR. The MLRO cannot be instructed by the business not to file. This independence is a fundamental principle of the second line of defence structure. Where business pressure is applied to suppress STRs, it is itself a red flag for institutional ML risk.

Module 4: The Travel Rule & Wire Transfers (R.16 Revised June 2025)

Background and Revised Standard

The wire transfer Travel Rule was originally adopted by FATF post-9/11 (October 2001) to support counter-terrorist financing through payment transparency. FATF revised Recommendation 16 on 18 June 2025 — a significant update with two primary aims:

  • Ensuring the standard remains technology-neutral — the same activity, same risk, same rules — across payment systems including SWIFT, instant payment systems, and open banking.
  • Supporting faster, cheaper, safer, and more transparent cross-border payments while maintaining AML/CFT security requirements.

Key Requirements of Revised R.16

Threshold

Countries may set a de minimis threshold no higher than USD/EUR 1,000. Below that threshold, reduced information requirements apply.

Required Information — Cross-Border Payments Above USD/EUR 1,000

The payment message must include:

  • The name and account number of both the originator and the beneficiary, or a unique transaction reference number.
  • For individuals: the originator's address and the beneficiary's country and town name (or nearest alternative).
  • For legal entities: a Business Identifier Code (BIC), Legal Entity Identifier (LEI), or other unique official identifier.

Below Threshold — Cross-Border

Name and account number (or other unique reference) for both parties — no verification required unless ML/TF suspicion exists.

Domestic Payments Above USD/EUR 1,000

Same originator information as for cross-border — unless the information can be made available by other means. No beneficiary information required in the message for domestic transfers.

Beneficiary FI Obligations

The beneficiary FI must have risk-based policies for determining when to execute, reject, or suspend a wire payment that lacks required information, and what follow-up action to take when information is missing.
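One way a beneficiary FI could encode the cross-border information requirements listed above as an automated completeness check (an added example, not code from the course or from FATF). The message layout, field names, action names and sample policy are hypothetical; the code assumes the country has set the threshold at the USD/EUR 1,000 ceiling and treats a unique transaction reference as a substitute for the account number.

```python
THRESHOLD = 1_000                             # USD/EUR ceiling for the de minimis threshold
SEVERITY = ["execute", "suspend", "reject"]   # hypothetical ordering of outcomes

def _present(d, key):
    """True when the key holds a non-empty value."""
    return bool(str(d.get(key) or "").strip())

def missing_fields(msg):
    """List required items absent from a cross-border payment message."""
    missing = []
    has_ref = _present(msg, "txn_ref")
    above = msg["amount"] > THRESHOLD
    for role in ("originator", "beneficiary"):
        party = msg.get(role) or {}
        if not _present(party, "name"):
            missing.append(f"{role}.name")
        # Assumption: a unique transaction reference may stand in for the account number.
        if not (_present(party, "account") or has_ref):
            missing.append(f"{role}.account")
        if not above:
            continue                          # reduced requirements below the threshold
        if party.get("type") == "legal_entity":
            if not any(_present(party, k) for k in ("bic", "lei", "other_id")):
                missing.append(f"{role}.entity_identifier")
        elif role == "originator":
            if not _present(party, "address"):
                missing.append("originator.address")
        else:
            for k in ("country", "town"):
                if not _present(party, k):
                    missing.append(f"beneficiary.{k}")
    return missing

def disposition(msg, policy):
    """Apply the institution's risk-based policy: the most severe action mapped
    to any missing item wins; unmapped items default to 'suspend'."""
    actions = [policy.get(f, "suspend") for f in missing_fields(msg)]
    return max(actions, key=SEVERITY.index, default="execute")

# Constructed sample messages and policy (illustrative only).
COMPLETE = {"amount": 2_500,
            "originator": {"type": "individual", "name": "A. Sender",
                           "account": "ACC-001", "address": "1 Example Road"},
            "beneficiary": {"type": "individual", "name": "B. Receiver",
                            "account": "ACC-002", "country": "KE", "town": "Nairobi"}}
NO_ORIGINATOR = {**COMPLETE, "originator": {"type": "individual", "account": "ACC-001"}}
BELOW = {"amount": 400, "txn_ref": "REF-123",
         "originator": {"name": "A. Sender"}, "beneficiary": {"name": "B. Receiver"}}
ENTITY = {"amount": 5_000,
          "originator": {"type": "legal_entity", "name": "Orig Ltd",
                         "account": "ACC-010", "lei": "PLACEHOLDER-LEI"},
          "beneficiary": {"type": "legal_entity", "name": "Bene Ltd", "account": "ACC-011"}}
SAMPLE_POLICY = {"originator.name": "suspend", "beneficiary.entity_identifier": "reject"}
```

The check only reports what is missing; which action each gap maps to is the institution's own documented risk-based decision, which is why the policy is passed in rather than hard-coded.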

The "Same Activity, Same Risk, Same Rules" Principle

The June 2025 revision explicitly adopts a technology-neutral approach. An instant payment through a domestic faster payments system, a SWIFT MT103 wire, or a blockchain-based payment — if they all perform the same economic function, they should meet the same information requirements. This principle will increasingly drive regulatory expectations as payment rails diversify.

Module 5: CTRs, Mobile Money & Emerging Market TM Challenges

CTRs vs STRs — A Critical Distinction

Cash Transaction Report (CTR)

Filed for all cash transactions above a specified threshold (e.g., USD 10,000). Filed regardless of suspicion — it is an administrative report. Purpose: generate a database of large cash flows for FIU analysis. No suspicion required.

Suspicious Transaction Report (STR)

Filed when suspicion exists, regardless of amount. Based on analysis, not just thresholds. Purpose: report specific suspected ML/TF activity for FIU investigation. Suspicion is the trigger, not size.

An FI can receive a suspicious USD 500 transaction that requires an STR but no CTR. An FI can also process an entirely legitimate USD 50,000 cash transaction that requires a CTR but no STR. These are independent obligations.

Structuring Is Itself an Offence

A customer who deliberately keeps cash transactions below the CTR threshold to avoid reporting commits the offence of structuring — even if the underlying funds are legitimate. The intent to evade reporting is the offence. FIs must monitor for structuring patterns and treat them as a red flag for STR filing.

Mobile Money Integration

In Africa and Asia, mobile money platforms (M-Pesa, MTN MoMo, Airtel Money, Wave) process enormous transaction volumes that may not flow through traditional bank TM systems. Key challenges:

  • TM systems must ingest mobile money transaction data — not just bank account data. An FI that monitors only its bank channels while a customer also uses its mobile wallet misses a significant portion of the transaction picture.
  • Mobile money platforms typically have lower KYC thresholds (tiered KYC) — meaning lower-value transactions may have minimal identity information, reducing TM effectiveness.
  • Mobile money-to-crypto-to-overseas wallet corridors represent emerging ML channels (see Course 7 — Digital Assets) that span multiple monitoring systems.

High Cash Volumes

Cash-intensive economies in Africa and Asia generate large numbers of cash-based TM alerts — particularly for street traders, informal sector operators, and agricultural exporters who transact primarily in cash. This creates two problems:

  • Alert overload: TM teams are overwhelmed by volume, leading to inadequate investigation of each alert and missing genuine suspicious activity.
  • Calibration difficulty: Setting thresholds calibrated to Western banking norms produces massive false positive rates in cash-heavy markets. Thresholds must be calibrated to the local customer base's typical transaction behaviour.

Data Quality and Correspondent Banking

Data quality: Incomplete customer data (missing date of birth, partial addresses, multiple name spellings in local vs. transliterated form) makes customer profiling difficult and reduces TM system effectiveness. Investment in data quality at onboarding is the most efficient way to improve TM output.

Nested correspondent banking: Where a bank's correspondent relationship is used by another bank that the correspondent does not directly know (nested correspondent banking), the originator/beneficiary information visible to the FI may be incomplete — showing only the immediate correspondent, not the underlying customer. This is a known gap in R.16 compliance and a focus area for TM system design in banks with large correspondent banking operations.

Final Assessment

30 questions — Multiple Choice, Scenario-Based, and True/False. Pass mark: 80% (24/30).

Section A: Multiple Choice (15 Questions)

Q1. Under FATF Recommendation 20, the threshold for filing an STR is:

Q2. Which of the following is TRUE about STR filing thresholds?

Q3. The safe harbour protection under R.21 covers FIs that file STRs:

Q4. A Cash Transaction Report (CTR) differs from a Suspicious Transaction Report (STR) in that a CTR:

Q5. FATF revised Recommendation 16 (the Travel Rule for wire transfers) in:

Q6. Under the revised R.16 (June 2025), the maximum de minimis threshold countries may set for reduced information requirements in cross-border payments is:

Q7. For cross-border payments above USD/EUR 1,000 involving individual customers, the revised R.16 requires the payment message to include:

Q8. Which TM system type is best described as applying fixed thresholds and patterns that generate alerts when specific criteria are met?

Q9. A customer deposits USD 9,500 in cash on Monday, USD 9,700 on Wednesday, and USD 9,800 on Friday — each transaction just below the USD 10,000 CTR threshold. This pattern most suggests:

Q10. The key advantage of behaviour-based / analytics-driven TM systems over rule-based systems is that they:

Q11. Which statement about the MLRO's authority in the STR decision process is correct?

Q12. For legal entities in cross-border payments above threshold under revised R.16, which identifier can be used in the payment message?

Q13. Which of the following best describes nested correspondent banking as a TM challenge?

Q14. The term "SAR" (Suspicious Activity Report) differs from "STR" in that SARs:

Q15. The primary purpose of a CTR (Cash Transaction Report) is to:

Section B: Scenario-Based Questions (10 Questions)

S1. A customer makes an exact USD 9,900 wire transfer every Monday for four consecutive weeks to the same overseas account. The customer is a self-employed consultant with an annual income of approximately USD 60,000. What is the most appropriate action?

S2. A TM alert is generated for a transaction. The analyst reviews it and determines it is likely a false positive. The alert is closed without escalation. Six months later, the same customer is arrested for fraud. What compliance question does this raise?

S3. An account manager suspects a customer is structuring cash deposits but is pressured by their manager not to escalate because the customer is a major depositor. What should the account manager do?

S4. A beneficiary bank receives an incoming cross-border wire above USD 1,000 but the message contains no originator name or address — only an account number. Under revised R.16, what should the beneficiary bank do?

S5. A mobile money account shows a series of small inbound transfers from many different users (100+ in one day) followed by a single large outbound transfer to a foreign account. No individual inbound exceeds the TM rule threshold. What does this suggest?

S6. An FI in Kenya manually adjusts its TM system threshold upward to reduce alert volume, without documenting the business justification or conducting a calibration review. What risk does this create?

S7. A transaction is flagged by the TM system but the analyst closes it as a false positive without documenting their reasoning. The same transaction is later reviewed during a regulatory examination. What is the likely regulatory finding?

S8. A client relationship manager informs a client that their account has been "flagged for investigation" and that they "may want to move their funds." What obligation has this breached?

S9. A transaction monitoring system at an African retail bank generates 5,000 alerts per month. The team can only investigate 500. What is the correct response to this capacity gap?

S10. The revised R.16 (June 2025) adopts a "same activity, same risk, same rules" principle. What does this mean in practice for an FI using a non-SWIFT instant payment system?

Section C: True or False (5 Questions)

TF1. Under FATF Recommendation 20, an FI is only required to file an STR for transactions that are ultimately completed — attempted or rejected transactions do not trigger a reporting obligation.

TF2. Structuring — deliberately keeping cash transactions below the CTR threshold — is an offence even if the underlying funds are from legitimate sources.

TF3. Rule-based transaction monitoring systems generate lower false positive rates than behaviour-based systems because they are more precisely calibrated to individual customer profiles.

TF4. The June 2025 revision to FATF Recommendation 16 adopts a technology-neutral approach, meaning the same information requirements apply regardless of the payment system used.

TF5. STRs are filed with the Financial Intelligence Unit (FIU), not directly with law enforcement or police.
