Keeping pace with financial crime

ME PoV Spring 2020 issue

A dynamic approach to Transaction Monitoring

Transaction Monitoring in focus

In April 2019, a leading UK bank with a presence in the United Arab Emirates was fined £102.2 million for failure to have sufficient Anti-Money Laundering (AML) controls. Key to this was its failure to identify suspicious transactions and investigate them properly, despite red flags. AML controls may have allowed it to report such transactions to the regulatory authorities, including the Financial Intelligence Unit, in a timely manner and take corrective actions. If it had been able to do so, perhaps it could have avoided the significant reputational and financial damage it incurred, and provided the right tools to its team to protect the bank from such financial crime risks.

Banks today facilitate millions of transactions daily, many of them cross-border, and rely on expensive transaction monitoring systems to monitor them and report the suspicious ones for investigation.

Transaction monitoring typically involves the use of a set of rules to identify specific transactions that appear suspicious, in the form of alerts. These alerts are then investigated and, if deemed to be truly suspicious, reported to the regulators for further instructions.

There are limitations to using software to perform this initial review though. In an ideal world, each transaction would be reviewed in detail before being processed. Realistically, the immense number of resources required for this manual intervention would fall out of any financial institution’s (FI) appetite and may be impractical. Therefore, the reliance on software to perform this first review is vital.

Common problems

One of the key failures associated with AML fines are strong and effective transaction monitoring controls. This includes a transaction monitoring system with an ability to detect the suspicious activities and a framework to analyze, investigate and respond effectively with appropriate governance mechanisms.

So how does a bank ensure that truly suspicious transactions are detected without the additional burden of having to investigate false positives? This is a common problem faced by banks globally.


There are no definitive descriptions of what is truly suspicious behavior. When performing transaction monitoring, one must consider the customer’s usual activity to determine if their current behavior appears to be out of character. The difficulty lies in separating the suspicious from the unusual, but justified, transactions. As per a study, only between 0.5-7 percent of alerts reported to the regulators by FIs are truly suspicious.
International best practice gives us guidance on how to perform effective transaction monitoring. This includes an inherent risk assessment to identify the risks posed to FIs, how to select the rules used for monitoring, and how to investigate alerts of truly suspicious behavior. 


Most transaction monitoring solutions make use of rules to detect suspicious behavior such as structuring of payments, placement of illicit funds and disguising funds, to name a few. Typical transaction monitoring solutions come with a set of pre-defined rules. The FI making use of this solution would select a number of rules that are applicable to them based on their business risks.

One approach for configuring the rules is a top-down approach. Customers are categorized based on known attributes. The rules are then configured for each customer category or segment. For example, a higher-risk customer will be subject to a higher level of scrutiny than a lower-risk customer.

Another approach is a bottom-up approach in which data is driven by data mining and unsupervised modelling. Customers are clustered based on transactional behavior. Thresholds are then established through a data-led tuning process to reduce false positives and increase true positives in each set.

Moving to Machine Learning-based dynamic transaction monitoring

Currently, transaction monitoring follows a static approach focused on tuning the rule thresholds to detect suspicious behavior and reduce false positives. The rules are determined to detect anomalies and customers are viewed as having a somewhat consistent profile and risks. In reality, criminal behavior is constantly changing to circumvent detection. This requires the FIs to take a more dynamic approach to how they perform transaction monitoring. 

Machine learning is an emerging focus area in transaction monitoring which can be deployed in a supervised or unsupervised state. Supervised machine learning makes use of a teacher to categorize data that is already labelled. It then develops the algorithms to find the best way to determine how to label the data. Unsupervised machine learning, on the other hand, does not have the labels determined within the data set. Rather, the model is left to determine the required labels on its own based on past behavior.

In the dynamic approach, unsupervised machine learning can be used to cluster the customers with no pre-set definitions by adapting to their changing profile and behavior. 

Unsupervised machine learning requires comparison variables. These variables may include a customer’s historical behavior, such as: value and volume of transactions, geography of transaction, and products/channels used.

As a customer’s behavior is expected to change, clustering can be performed on a continuous basis to address these evolving variables. In this instance, algorithms are used to create clusters by identifying similarities continually. For example, customers with a similar transaction profile will be categorized into one cluster. Consequently, the rule thresholds can be optimized dynamically to improve the relevance of the threshold for each customer cluster.

Machine learning can also assist with performing anomaly detection. It can assist with the decision-making process of whether an alert is truly suspicious or not. Following the generation of an alert, manual intervention is required. An investigator is assigned the alert to drill further into the detail. From this investigation, the alert is classified as indicative of money laundering and terrorist financing, or not truly suspicious. These decisions can be used to teach a machine how to make this decision. The machine will determine what variables usually result in an investigation and a suspicious transaction report, and when these variables result in a false positive alert. From this historical data, the model will be able to predict the outcome of the alert.


Machine learning and Artificial Intelligence are a hot topic among AML solution vendors. There are many solutions today that provide the tools to use quantitative abnormalities within a transaction data set to guide the process of tuning and optimization.

These solutions may provide an FI with the ability to perform machine learning, however, without sufficient understanding of customer behavior and AML/Counter Terrorist risks, they may fail to implement effective transaction monitoring.

Furthermore, the solutions themselves are typically not built with the functionality to consider real world experiences that are growing and changing dynamically.

In order for an AML turnkey solution to be utilized dynamically, detailed subject matter knowledge must be leveraged to enhance the true potential of the solution. By coupling real world experiences with powerful, automated software, the transaction monitoring process will be transformed to keep pace with ever-evolving financial crime activity.

by Nick Athanasi, Partner, Nipun Srivastava, Director and Nicki Koller, Assistant Manager, Financial Advisory, Deloitte Middle East

Did you find this useful?