Definition
Transaction monitoring continuously tracks — in real time or batch — a customer's flows in order to detect atypical operations linked to money laundering, terrorist financing or fraud.
It is the operational link between KYC onboarding ("I know who this is") and a TRACFIN suspicious activity report ("I'm flagging what's abnormal"). It combines rules engines, ML models and teams of analysts.
The typical pipeline
- Ingestion: transactions, KYC, device context, history.
- Enrichment: geolocation, MCC, beneficiary classification, device scoring.
- Scenarios: deterministic rules and ML models (statistical anomalies).
- Alerts on at-risk transactions or customers.
- Triage: auto-clear or auto-block on some, escalation of the rest.
- Human review by an analyst, who confirms or rejects.
- Action: blocking, request for information, TRACFIN report, reporting.
AML/CFT vs anti-fraud
Often handled in the same tool, but with two distinct objectives:
- AML/CFT: detect money laundering, terrorism, tax fraud — a medium/long-term horizon, action = TRACFIN report.
- Fraud: detect a compromised account, APP fraud, card fraud — a real-time horizon, action = blocking before execution.
Modern vendors (Hawk, Sardine, Featurespace, Feedzai) offer both on a single platform.
Classic scenarios
- AML/CFT: structuring/smurfing (small amounts below the threshold), pass-through accounts, high-risk countries, activity inconsistent with the profile, network analysis (linked accounts), cash-intensive activity.
- Fraud: login from a new device followed by a transfer, a first transfer to an unknown foreign IBAN, stolen-card testing, inconsistent geolocation, velocity, mule patterns.
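The pipeline and scenario lists above, worked through as an added example that is not code from the original page or from any of the vendors named on it. It runs a small deterministic engine over constructed transactions: an enrichment step attaches KYC context (known devices, known beneficiaries), the AML scenarios (structuring, pass-through) raise alerts for analyst escalation, and the fraud scenarios (new device followed by a transfer, a large late-evening transfer to a new beneficiary) attach a real-time action before execution. The sample data mirrors the neobank case from the examples section (€5,000 received, €4,800 re-sent five minutes later). All thresholds, windows, field names and sample identifiers are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:                 # one ingested transaction (field names are assumptions)
    id: str
    customer: str
    ts: datetime
    amount: float          # > 0: credit received, < 0: debit sent
    counterparty: str      # IBAN or wallet identifier
    device: str
@dataclass
class Alert:
    customer: str
    scenario: str
    domain: str            # "AML" (TRACFIN horizon) or "FRAUD" (real-time horizon)
    txn_ids: list
    reason: str            # the explanation an analyst sees
    action: str            # triage decision attached when the alert is raised

THRESHOLD = 10_000.0                          # assumed declaration threshold
PASS_THROUGH_WINDOW = timedelta(minutes=30)   # assumed
BUSINESS_HOURS = range(8, 20)                 # assumed

def enrich(txns, known_devices, known_beneficiaries):
    """Enrichment step: attach KYC/device context to each transaction, sorted by time."""
    rows = []
    for t in sorted(txns, key=lambda x: x.ts):
        ctx = {"new_device": t.device not in known_devices.get(t.customer, set()),
               "new_beneficiary": t.amount < 0
               and t.counterparty not in known_beneficiaries.get(t.customer, set())}
        rows.append((t, ctx))
    return rows

def aml_scenarios(rows):
    """Deterministic AML scenarios over one customer's enriched history."""
    alerts, credits = [], [t for t, _ in rows if t.amount > 0]
    # Structuring: three or more credits under the threshold, within 24h, adding up to it.
    small = [c for c in credits if 0.3 * THRESHOLD <= c.amount < THRESHOLD]
    for i, first in enumerate(small):
        window = [c for c in small[i:] if c.ts - first.ts <= timedelta(hours=24)]
        total = sum(c.amount for c in window)
        if len(window) >= 3 and total >= THRESHOLD:
            alerts.append(Alert(first.customer, "structuring", "AML", [c.id for c in window],
                f"{len(window)} credits below {THRESHOLD:.0f} totalling {total:.0f} in 24h",
                "escalate_analyst"))
            break
    # Pass-through: a credit re-sent almost in full (>= 90%) shortly after arrival.
    for c in credits:
        for t, _ in rows:
            gap = t.ts - c.ts
            if t.amount < 0 and timedelta(0) <= gap <= PASS_THROUGH_WINDOW and -t.amount >= 0.9 * c.amount:
                alerts.append(Alert(c.customer, "pass_through", "AML", [c.id, t.id],
                    f"received {c.amount:.0f} then sent {-t.amount:.0f} "
                    f"{int(gap.total_seconds() // 60)} min later", "escalate_analyst"))
    return alerts

def fraud_scenarios(rows):
    """Real-time fraud scenarios: the decision is taken before the debit executes."""
    alerts = []
    for t, ctx in rows:
        if t.amount < 0 and ctx["new_device"]:
            alerts.append(Alert(t.customer, "new_device_transfer", "FRAUD", [t.id],
                f"debit of {-t.amount:.0f} from unseen device {t.device}", "block_pending_verification"))
        elif ctx["new_beneficiary"] and -t.amount >= 5_000 and t.ts.hour not in BUSINESS_HOURS:
            alerts.append(Alert(t.customer, "app_fraud_friction", "FRAUD", [t.id],
                f"{-t.amount:.0f} to new beneficiary at {t.ts:%H:%M}", "friction_24h_delay"))
    return alerts

def monitor(txns, known_devices, known_beneficiaries):
    # Pipeline: group by customer, enrich, run both scenario families.
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer].append(t)
    alerts = []
    for rows in (enrich(txs, known_devices, known_beneficiaries) for txs in by_customer.values()):
        alerts += aml_scenarios(rows) + fraud_scenarios(rows)
    return alerts

def triage_summary(alerts):  # alerts per automatic action (friction/blocking vs. analyst queue)
    return dict(Counter(a.action for a in alerts))

def sample_transactions():
    """Constructed sample data: no real customers, devices or IBANs."""
    D = datetime(2024, 3, 1)
    txns = [
        Txn("t1", "C1", D.replace(hour=10), 5000, "IBAN-UNKNOWN-1", "dev-a"),       # unknown IBAN
        Txn("t2", "C1", D.replace(hour=10, minute=5), -4800, "WALLET-7", "dev-a"),  # re-sent 5 min later
        Txn("t3", "C2", D.replace(hour=9), 3400, "IBAN-P", "dev-b"),                # three sub-threshold
        Txn("t4", "C2", D.replace(hour=14), 3300, "IBAN-Q", "dev-b"),               #   credits in a day
        Txn("t5", "C2", D.replace(hour=18, minute=30), 3500, "IBAN-R", "dev-b"),
        Txn("t6", "C3", D.replace(hour=12), -50, "IBAN-SHOP", "dev-c"),             # routine, known payee
        Txn("t7", "C3", D.replace(hour=22), -8000, "IBAN-NEW", "dev-c"),            # large, new payee, 22:00
        Txn("t8", "C4", D.replace(hour=11), -1200, "IBAN-S", "dev-z"),              # device never seen
    ]
    known_devices = {"C1": {"dev-a"}, "C2": {"dev-b"}, "C3": {"dev-c"}, "C4": {"dev-d"}}
    known_beneficiaries = {"C3": {"IBAN-SHOP"}}
    return txns, known_devices, known_beneficiaries
```

Calling `monitor(*sample_transactions())` yields four alerts: the C1 pass-through and the C2 structuring pattern go to an analyst, the C4 debit from an unseen device is blocked pending verification, and the C3 late-evening transfer to a new payee gets friction; the routine C3 card payment raises nothing. Every alert carries a one-sentence reason, which is what makes a rule-based engine auditable, and `triage_summary` shows how much of the volume the automatic actions absorb before the human queue.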
Rules vs ML
- Deterministic rules: auditable, but lots of false positives (up to 95% at legacy players).
- Supervised ML: more accurate, fewer false positives, but requires labels (confirmed alerts).
- Unsupervised ML: detects anomalies without labels, useful for new attack types.
- Hybrid: rules + ML + human-in-the-loop, which gives the best results on the market.
The real debate: opaque ML vs explainability. The ACPR requires understanding why a transaction is blocked — hence explainable models (SHAP, surrogate trees).
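An added example of the unsupervised, profile-based side of the debate, not code from the page or from any vendor it names: each debit is scored against the customer's own history (the KYC reference profile the "what it is not" section calls essential) as a sum of squared z-scores, and the features with the largest contributions are returned as the explanation an analyst or supervisor can read, rather than an opaque number. The feature set, the std floor for never-seen flags, the alert threshold and the six-row history are all assumptions.

```python
from statistics import mean, pstdev

FEATURES = ("amount", "hour", "foreign")   # assumed feature set per debit
FLAG_FLOOR = 0.25   # std floor: a flag never seen in the profile counts as a strong deviation

# Constructed history of one customer's debits as (amount, hour, foreign?): not real data.
HISTORY = [(40, 12, 0), (60, 14, 0), (40, 12, 0), (60, 14, 0), (40, 12, 0), (60, 14, 0)]

def fit_profile(history):
    """Reference profile from the customer's own past: per-feature mean and std."""
    return {f: (mean(col), max(pstdev(col), FLAG_FLOOR))
            for f, col in zip(FEATURES, zip(*history))}

def score(profile, txn, top=2):
    """Anomaly score = sum of squared z-scores; the largest terms are the explanation."""
    values = dict(zip(FEATURES, txn))
    contrib = {f: ((values[f] - mu) / sd) ** 2 for f, (mu, sd) in profile.items()}
    ranked = sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)
    reasons = [f"{f}={values[f]} (z^2={v:.1f}, usual {profile[f][0]:.1f})"
               for f, v in ranked[:top]]
    return {"score": sum(contrib.values()), "reasons": reasons}

def decide(profile, txn, threshold=25.0):
    """Alert when the score exceeds the threshold (assumed), and say which features drove it."""
    result = score(profile, txn)
    result["alert"] = result["score"] > threshold
    return result
```

With the history above, a €55 debit at 13:00 to a domestic payee scores 0.25 and passes; an €8,000 debit at 22:00 to a foreign payee is flagged, and its `reasons` list names the amount first and the hour second, which is the kind of answer the ACPR expects when asked why a transaction was held. The same reason list is what feeds the false-positive review loop: if the top contributor is routinely a feature that turns out benign, the profile or the feature set needs adjusting.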
The alert-volume challenge
A mid-sized bank generates several thousand alerts a day. Targets for a good engine: fewer than 10% of alerts confirmed, more than 50% handled automatically, and 5 to 30 minutes of human processing per remaining alert. Continuous optimisation (rule review, ML retraining, hunting down false positives) is a full-time job.
What transaction monitoring is not
- Not a substitute for KYC: without a reference profile, it is blind.
- Not a guarantee of zero fraud: no solution catches 100% of cases.
- Not mass automatic blocking: over-blocking generates complaints, ACPR sanctions and costs.
- Not static: rules and models must be reviewed continuously (drift).
Within the PSD2 ecosystem
It is an AML/CFT obligation (AMLD), hence required for all PSD2 PSPs, and a PSD2/PSR concern around APP fraud (spotting suspicious transactions before execution). DORA adds an operational-resilience requirement on the monitoring system itself.
Real-world examples
- Specialists: Hawk (DE, ML-first), ComplyAdvantage (UK), Sardine (US, crypto + fintech), Featurespace (UK), Feedzai (PT), Quantexa (network analysis), NICE Actimize and SAS AML (large accounts).
- Neobank: a customer receives €5,000 from an unknown IBAN and re-transfers €4,800 to a crypto wallet in 5 minutes → alert → review in 10 min → request for justification → blocking and TRACFIN report if the justification is insufficient.
- APP fraud: an €8,000 transfer to a new beneficiary at 10 pm triggers friction (pop-up, 24h delay, phone verification), with fraud reductions reported by the major banks.
- Solaris (DE): sanctioned by BaFin in 2023 for monitoring failures (growth cap, engine overhaul).
- Scale: having grown from 1 to 10m customers, Revolut had to rethink its engine (rules-only → ML + 24/7 teams).
- Cost: €0.1 to €1/customer/year in tooling plus ~1 FTE per 50 to 100k active customers — i.e. €2 to €4m/year for 1m customers.
- Trend: graph analytics for mule networks, and cross-bank signal sharing (UK Finance project), to be balanced against GDPR.