Transaction Monitoring in AML: How Rule-Based and Behavioural Detection Work

June 18, 2026• 9 min readtransaction monitoringAML monitoringtypologiesrule tuning

How AML transaction monitoring works end to end — rule-based versus behavioural detection, batch and streaming evaluation, typology-aligned rule packs, back-testing and tuning, and how alerts feed case management.

Transaction Monitoring in AML: How Rule-Based and Behavioural Detection Work

Customer risk assessment tells you who you are dealing with. Screening tells you whether they appear on a list. Neither watches what they actually do once the account is open. That is the job of transaction monitoring: the discipline that observes payments, transfers, deposits, and withdrawals as they happen and raises an alert when behaviour looks like money laundering, terrorist financing, or sanctions evasion rather than ordinary commerce.

Transaction Monitoring in AML is where rule-based and behavioural detection do their work, and it is the part of the programme regulators probe hardest because it is the part most likely to be either negligently quiet or hopelessly noisy. Get the logic right and you surface genuine risk your other controls cannot see. Get it wrong and you either miss the laundering or bury your analysts under thousands of false positives. This article explains how monitoring works end to end — the two detection styles, how transactions are evaluated in batch and in real time, how rules are written and tuned, and how an alert becomes an investigated case. It is one chapter of the wider story told in the complete AML platform guide.

Where monitoring sits in the AML programme

Transaction monitoring is the continuous, ongoing-due-diligence layer of your financial-crime controls. Onboarding and screening are point-in-time checks performed when a relationship begins or a list changes. Monitoring is permanent: it runs against the stream of activity for the life of every account, and it is the control most likely to detect that a customer who looked low-risk at onboarding has started behaving like a money mule.

Its output is not a decision; it is a signal. A monitoring rule does not freeze an account or file a report — it raises an alert that a human investigates. That distinction sets the standard for good monitoring: the goal is not to fire as often as possible, nor as rarely as possible, but to fire on the patterns a trained analyst, given the same data, would agree are worth examining. Everything that follows — rule design, tuning, back-testing — exists to move the system closer to that standard. And all of it depends on the data beneath it, a point we return to at the end.

Rule-based detection: thresholds, structuring, velocity, peer groups

Rule-based detection is the established core of transaction monitoring. A rule encodes a known indicator of suspicious behaviour as an explicit, testable condition. When the condition is met, the rule fires. Four families cover most of the ground.

Threshold rules trigger when a single transaction or an aggregate over a window crosses a value. A cash deposit above a reporting threshold, or total inbound transfers exceeding a customer's expected monthly turnover, are classic examples.
Structuring (smurfing) rules look for deliberate fragmentation — many transactions sized just under a reporting threshold, spread across days, branches, or channels, that add up to a large total. These catch the customer who knows the reporting limit and works around it.
Velocity rules watch the rate and pattern of activity rather than the amount: a dormant account that suddenly transacts dozens of times in a day, rapid pass-through where money in equals money out within hours, or a sharp change from a customer's established baseline.
Peer-group rules compare a customer against others with the same risk profile, business type, or product. An account whose behaviour is normal in isolation but a clear outlier against its peer group is exactly the kind of anomaly a flat threshold misses.

The strength of rule-based detection is that it is explicit and explainable. When a structuring rule fires, you can show the examiner the exact condition, the transactions that met it, and the threshold that was set. The weakness is that rules detect what you already know to look for. A novel laundering pattern that no rule describes passes unnoticed until someone writes a rule for it. That is why mature programmes pair rules with behavioural detection.

Behavioural and statistical detection

Behavioural — or statistical — detection takes the opposite starting point. Instead of asking "does this transaction match a known bad pattern?" it asks "is this behaviour normal for this customer, this segment, this point in time?" It builds a baseline of expected activity and flags significant departures from it: a salaried account that begins receiving large international wires, a merchant whose deposit profile no longer fits its declared business, a sudden coordinated change across a cluster of linked accounts.

The value of the behavioural approach is that it surfaces suspicious activity no rule anticipated, because it is anomaly-driven rather than pattern-matched. Its cost is interpretability: an analyst, and ultimately a regulator, needs to understand why something was flagged. This is where explainable AI matters. Creodata's AI surfaces carry a model and version label, a confidence percentage, and SHAP-style top-three reasons for every score, with a human Accept, Modify, or Reject control and every decision logged with model version and inputs. Behavioural detection should widen what you can see, never become a black box you cannot defend.

In practice the two styles are complementary, not competing. Rules give defensible coverage of known typologies; behavioural detection gives reach into the unknown. A serious monitoring programme runs both and lets each compensate for the other's blind spots.

Batch versus streaming evaluation

Detection logic has to run against transactions somehow, and there are two modes — they are not alternatives so much as different jobs.

Batch evaluation processes accumulated transactions on a schedule, typically end-of-day or end-of-period. It is the right mode for rules that inherently need a window of history: aggregations, structuring patterns spread over days, and peer-group comparisons that require a settled population. Batch is also how you reprocess historical data when a rule changes.

Streaming evaluation assesses transactions as they arrive, in or near real time. It is essential where the response has to be immediate — sanctions-related interdiction, or high-velocity channels such as mobile money and instant payments where a pass-through scheme can move funds out before any nightly batch ever runs. Real-time mobile-money flows in particular reward streaming monitoring, a pattern explored further in our note on monitoring patterns for mobile-money channels.

Creodata's Transaction Monitoring service supports both batch and streaming evaluation from the same rule definitions, so a rule you write and tune once can run nightly over aggregates or react in the moment, depending on what the typology demands.

Writing rules: the DSL, the starter pack, and the typology library

Encoding detection logic in code that only engineers can change is a recipe for slow, brittle monitoring. Creodata's Transaction Monitoring service instead exposes a rule DSL — a domain-specific language with a parser, planner, and executor — so compliance teams can express detection logic as readable, testable rules rather than buried application code. The parser validates the rule, the planner works out how to evaluate it efficiently, and the executor runs it in batch or streaming mode.

You do not start from a blank page. The service ships a starter pack of 30-plus typology-aligned rules covering the patterns that matter across structuring, velocity, pass-through, rapid movement, and high-risk corridors, so a new tenant has credible coverage from day one. These rules are organised by a built-in typology library that maps each rule to the laundering method it is designed to detect, which keeps the rule estate intelligible: you can see at a glance which typologies you cover and which you do not.

Understanding the methods behind the rules is its own subject. The patterns these rules detect — placement, layering, integration, and the specific schemes that show up in East African institutions — are covered in our guide to the money-laundering typologies behind monitoring rules. For institutions that also report through goAML, the indicator codes that map suspicious patterns to structured reports are set out in our Kenya STR indicator library.

Back-testing, tuning, and versioned promotion

A rule you have never tested is a guess. Before a new or changed rule goes anywhere near production alerts, you need to know how it would have behaved against real history — how many alerts it would have raised, against which customers, and how many of those would have been noise.

The Transaction Monitoring service provides a back-test harness for exactly this: you run a candidate rule against historical transaction data and see its hit pattern before it ever fires for real. That feeds the tuning lab, where thresholds, windows, and conditions are adjusted to balance coverage against alert volume. Tuning is not a one-off; customer behaviour drifts, new products launch, and thresholds that were sensible last year over-fire this year, so tuning is continuous.

Crucially, rule changes are not edited live. The service uses versioned rule promotion: a rule is authored, back-tested, and tuned in a controlled state, then promoted to production as a new version, leaving a complete record of what changed, when, and on what evidence. When an examiner asks why a threshold is set where it is, you can show the back-test that justified it and the version history of every adjustment. That auditability is the difference between a tuning decision you can defend and one you merely assert.

The aim of all this tuning is to reduce false positives without creating false negatives — a balance that deserves its own treatment in reducing the false positives monitoring generates.

From alert to investigated case

A monitoring alert is the start of a process, not the end. When a rule fires, the alert has to reach an analyst, get assigned, be investigated against the full customer context, and end in a documented disposition — closed as a false positive, escalated to enhanced due diligence, or progressed toward a suspicious-transaction report.

In Creodata's platform, monitoring hands alerts directly to Case Management, where they enter an alert queue with assignment, an SLA clock that can pause and resume during a request-for-information cycle, a linked-case graph, and an escalation path. Because monitoring and case handling share one tenant, one identity model, and one immutable audit log, the analyst sees the alert, the transactions that triggered it, the customer's risk rating, and any related cases in a single view rather than reconciling three systems by hand. The full investigation lifecycle is covered in how alerts become investigated cases.

This hand-off is also why false-positive tuning is not optional. Every weak alert that reaches Case Management consumes analyst time that should go to real risk. Under-tuned monitoring does not just generate noise; it degrades the quality of every investigation by drowning genuine signals in volume.

The data dependency you cannot skip

None of this works on bad data. A velocity rule needs reliable timestamps; a structuring rule needs accurate amounts and channels; a peer-group rule needs clean customer-segment attributes. If transactions arrive incomplete, duplicated, or wrongly mapped, the most carefully tuned rule estate produces confident nonsense.

That is why monitoring sits downstream of disciplined ingestion. Creodata's Ingestion service provides connectors for REST, SFTP, Kafka, CDC, and ISO 20022 with idempotency, replay, a dead-letter queue, a field-mapping UI, and source certification, while the Data Requirements service scores rule-by-rule readiness so you know whether each rule has the attributes it needs to run. Treat data quality as a precondition for monitoring, not an afterthought, and the rules you write can be trusted to mean what they say.

Frequently asked questions

What is the difference between rule-based and behavioural transaction monitoring?

Rule-based monitoring encodes known indicators as explicit conditions — thresholds, structuring patterns, velocity, peer-group outliers — that fire when met, and is fully explainable. Behavioural monitoring builds a statistical baseline of normal activity and flags significant departures from it, which lets it catch novel patterns no rule anticipated. The two are complementary: rules give defensible coverage of known typologies, behavioural detection extends reach into the unknown. Mature programmes run both.

Do I need real-time (streaming) transaction monitoring, or is batch enough?

It depends on the typology and the channel. Batch evaluation suits rules that need a window of history — aggregations, multi-day structuring, peer-group comparison. Streaming is essential where the response must be immediate, such as sanctions interdiction or high-velocity channels like mobile money where funds can move out before a nightly batch runs. Creodata's Transaction Monitoring service runs both modes from the same rule definitions, so most institutions use a mix.

How do I stop transaction monitoring from generating too many false positives?

Through disciplined tuning, backed by evidence. Use a back-test harness to see how a candidate rule would have behaved against historical data, adjust thresholds and windows in a tuning lab, and promote changes as versioned rules so every adjustment is recorded and auditable. Tuning is continuous because customer behaviour drifts. We cover this in depth in reducing the false positives monitoring generates.

What happens after a monitoring rule raises an alert?

The alert is handed to Case Management, where it is queued, assigned to an analyst, and investigated against the full customer context — transactions, risk rating, linked cases — with an SLA clock and an escalation path. The investigation ends in a documented disposition: closed as a false positive, escalated to enhanced due diligence, or progressed toward a suspicious-transaction report. Because monitoring and case handling share one audit log, the whole chain is traceable.

Transaction monitoring is only as good as the rules behind it, the data beneath it, and the investigation process in front of it — and it works best when all three live on one system rather than three. To see how the Creodata AML Platform ties typology-aligned rule packs, batch and streaming evaluation, back-testing, and case hand-off into a single auditable workflow — supported where needed by our financial-crime compliance advisory and integrated with the goAML Reporting Platform — book a demo and we will walk you through monitoring on your own scenarios.

Adverse Media Screening: Catching the Risk Sanctions Lists Miss
Sanctions and PEP lists only show known, designated risk. Adverse media screening surfaces the rest — how negative-news screening works, how to filter for relevance and recency, and where it fits in onboarding, EDD and periodic review.
Audit-Ready AML: Evidence-First Investigations and the Four-Eyes Principle
When an examiner asks you to walk through a single decision, can you? How an append-only audit trail, evidence-first design and the four-eyes principle make every AML decision reconstructable — and inspections far less painful.
AML Case Management: From Alert to Disposition Without Losing the Audit Trail
A walk through the AML case lifecycle — queue assignment, the RFI cycle, SLA management, linked-case investigation, EDD, escalation, and the decision to file or close — built so every step leaves an audit trail.
Why AML Detection Fails Without Data Quality: Ingestion, Mapping, and DQ Rules
No monitoring rule can catch what bad data hides. How disciplined ingestion, field mapping, source certification and data-quality rules give your AML platform the clean, complete data it needs to detect and report accurately.