The U.K.’s money laundering regulations require firms to have arrangements in place to effectively monitor and scrutinise transactions and to identify and report potentially suspicious activity indicative of money laundering or terrorist financing. To enable compliance with these requirements, many firms implement automated transaction monitoring (TM) systems which analyse customer transactions, often against a set of risk-based rules, to flag potentially suspicious activity. These TM systems are just one element of a firm’s overall TM operating model. Best practice dictates they should be supported by a broader framework including risk assessments, policies, procedures, appropriately skilled staff, governance arrangements and management information (MI).

At its most basic level, the purpose of an automated TM system is to generate alerts where a transaction or set of transactions is outside typical customer behaviour, which may indicate suspicious activity. However, amid a global pandemic which has impacted normal behaviour and activity, how does a TM system continue to provide valuable ongoing monitoring? We think this upheaval presents a good opportunity for firms to re-evaluate the fundamental building blocks that make up an effective TM system and framework, review their current approach and make enhancements, factoring in the impacts of COVID-19 on customer activity and firms’ operating approach.

Outlined below are elements that, in our opinion, are critical to ensuring the ongoing effectiveness of a TM operating model. We have also provided some points for firms to consider in the context of the current COVID-19 pandemic.

Risk-Based Approach

A risk-based approach to monitoring underpins an effective and efficient TM programme, ensuring resources are focused on areas that present a higher risk of financial crime. This requires firms to have a solid understanding of the inherent risks they face from their customers, the delivery channels through which they operate, the products and services they offer, the countries or geographic areas in which they and their customers operate and the nature of transactions undertaken.2 The U.K. national risk assessment, which provides further insight into financial crime risks that the U.K. may face, can also inform the risk assessment.3 These factors should be laid out within a firm’s business-wide risk assessment (BWRA). 

Institutions should use their BWRAs to design their risk-based scenarios and rulesets within the TM system, or in design of alternative controls and continue to monitor effectiveness. These scenarios and rulesets should be continuously adjusted as criminal behaviour evolves and knowledge of how illicit activity is conducted is recognised and better understood.

A firm must also be able to accurately and consistently risk rate its customers. Using an appropriate customer risk assessment (CRA) tool enables a firm to identify and conduct enhanced monitoring and provide oversight of higher risk customers. 

How has COVID-19 impacted the risks applicable to your firm? Have you considered financial crime typologies emerging during the pandemic within your risk assessments and your TM framework? For example, are non-essential, cash-intensive businesses such as hair and nail salons or dry cleaners continuing to show significant, or even increased activity during periods where their business have been forced to close by the government? Is this indicative of a business being used as a front for organised crime?
Core Data Quality and Lineage

The output of a TM system is only as good as the data put into it. Whether maintaining current systems or adopting new ones, firms should consider the robustness of data feeding into their TM system and how it flows through the solution. Many core data systems were developed when TM was largely manual and have grown organically as operations have expanded. This has resulted in disconnects between systems, impacting the data consistency and quality. Firms must ensure relevant data is correctly loaded into and used by the TM system to inform customer segmentation and alert generation.

In our opinion, ongoing assessment of data quality and data lineage and flow between systems, often led by a firm’s IT function, is critical in understanding and assuring a TM solution’s functionality.

Does the data flowing through the TM system correctly differentiate between transaction types, i.e., between wire transfers and cash transactions?

Firms should carefully consider which transactions or products may be appropriate to exclude from automated monitoring (such as account fees, interest payments, or even certain capital markets products which may be better monitored through other systems) whilst being vigilant to risks of “over exclusion”. We have observed circumstances where inherent risks are overlooked in the effort to reduce alert volumes. For example, excluding transactions between a firm’s own customers, relying purely on customer due diligence (CDD) measures, can lead to a failure to identify and consider potentially unusual links between customers. Given this, we believe it is essential for firms to take a risk-based approach to filtering transactions, which includes a critical analysis and evaluation of the appropriateness of exclusions in the context of potentially suspicious activity. Firms should ensure they document the analysis and rationale for exclusion as evidence for the thought process and the appropriateness of the approach.


Firms can use segmentation to adapt rules to specific customer sets and appropriately tailor rules for transactions. For example, rules which apply to a corporate customer may be different to an individual customer as the two will differ in their type and level of activity. The ability to segment is challenged by the CDD data a firm holds, whether issues relate to format, completeness, or accuracy. Where data points are incomplete, an automated TM system’s ability to properly segment customers is diminished. Firms can use digitised versions of CDD records to help. By recording customer data in an electronic system with the capability to pull specific data points, firms can enable better analysis and appropriate customer segmentation, facilitate a more robust and centralised audit trail and more widely share information across their financial institution. 

Would a cash-intensive, non-essential businesses segment help identify unusual activity when these businesses are forced to close during the pandemic?
Rulesets, Scenarios and Thresholds

A TM system’s fundamental component is its rules and scenarios and the way these are tailored to firms’ business models. The most widely used TM solutions in the market have several pre-defined rules that can be selected at implementation. A common pitfall, in our experience, is firms not tailoring the off-the-shelf rules to suit their business and its inherent risks. This will typically result in rules that seldom trigger, or result in relatively high rates of unproductive, false-positive alerts. Firms that carefully consider and select rules relevant to their customers’ expected behaviour and the inherent risks in their business model have the most effective TM systems.

Equally important as the selection of relevant rules and scenarios, is the selection of appropriate rule parameters and threshold values. An analysis of typical customer behaviour, which may be further reduced to a segment of customers, should be conducted to inform the parameter and threshold selection. In some cases, this analysis takes the form of above-the-line/below-the-line testing, where alerts from a specific period are tested to determine where thresholds should be set to reduce false positive volumes and produce productive alerts. Using segmentation, firms can tailor thresholds to sets of customers with similar behaviours; for example, an ultra-high-net-worth individual is likely to have a different level of transactional activity than a university student. As with exclusion logic, it is crucial for firms to document the analysis undertaken and the rationale behind the rule, parameter and threshold selection to demonstrate how the system configuration has been tailored. 

TM systems should not be static and require further tuning and calibration over time as criminal behaviours, customer profiles, and products evolve. Firms should review rule thresholds and parameters as part of a regular cycle and at trigger events to determine whether settings are still appropriate and generating productive alerts. All testing and decision-making activities should be well documented and subject to proper sign-off.

What rules are appropriate for COVID-19, specifically?Is there a specific rule to consider during lockdowns when activity is bound by government guidelines?Should normal or increased cash activity raise suspicion in a period of heightened caution and a move towards cashless payments?How do parameters and thresholds need to be adjusted?
Working the Alerts and Escalations

Once alerts are generated, they must be reviewed. It is crucial firms have sufficient and appropriately skilled resources to conduct alert reviews and subsequent investigations, where required. Robust policies and procedures should guide these resources.

Reviewers should refer to a customer’s CDD information during an alert review to understand how the customer’s activity compares to the documented understanding of expected activity, a core piece of information collected during the CDD process. Only through a clear understanding of expected customer activity can potentially unusual activity can be identified and analysed. Incomplete, inaccurate, or out of date CDD information inhibits the alert reviewer in making a determination on the alert. This highlights the importance of refreshing and properly storing CDD data and demonstrates how TM fits into wider ongoing monitoring; for example, alerts may trigger an event-driven review, an essential tool for maintaining up to date CDD records.

A firm’s compliance function should offer support and advice to the review team and relationship managers (RM) where needed (some firms will have forums for this purpose). All interactions should be underpinned by a framework of reasonable and manageable service level agreements (SLAs) to ensure firms are complying with regulations that require suspicious activity to be reported to the National Crime Agency (NCA) within a “reasonably practicable”4 timeframe. Firms will often require escalation using a template which broadly reflects the expectations for suspicious activity report (SAR) filing to the NCA.

Are enough people trained in alert review and investigation to allow for the absence of one or more team members?Is the team sufficiently able to remotely review alerts and access CDD data to appropriately adjudicate alerts? Are reviewers considering transactions in the context of current pandemic-related circumstances and whether these raise new typologies, such as trafficking of counterfeit medicines? Do SLAs provide enough time in the event of staffing constraints? Are customers given more time to respond to RM queries due to potential business and information hurdles?
Management Information, Assurance, and Feedback Loops

Effective MI is key to monitoring and improving the performance of the system over time. MI should not only present quantitative data, but it should also provide insight into underlying trends and alert typologies. For example, there is little value in understanding how many low-risk customers generated alerts, but a firm may gain insight for calibration purposes, or to better understand its financial crime risks by asking which products or at what value scenarios are triggered. MI should also inform assurance programmes and prioritisation of compliance monitoring activities to test the effectiveness of the TM solution. 

The value of insights gained from MI or assurance activities will be lost if they are not fed back into the processes and used to improve the TM solution. This feedback can be applied to any of the considerations discussed. For example, MI that reports high volumes of false positives produced for high-net-worth individuals withdrawing large amounts of cash could indicate further segmentation and better-tuned scenario thresholds could be beneficial. Assurance programmes could, for example, identify gaps in monitored products, which may lead to an assessment of system inputs and data feeds. MI should be escalated upwards to senior management and the board where appropriate and used to action necessary projects to ensure TM controls are working effectively to detect, manage, and mitigate financial crime risk.

Have you performed specific TM stress tests due to COVID-19? Have findings from such risk assessments and reviews
 been put into an action plan? Is the review team cognisant of any COVID-related SARs that have been raised and fed back into a typology?

A TM framework can be rendered ineffective if not underpinned by strong governance. Aspects of strong governance include appropriate documentation outlining agreed processes and system configuration, relevant sign off on all system implementation and changes, insightful MI to inform relevant functions across the first and second lines of defence, effective communication, and a framework to empower well-informed decisions by senior management. Firms should make decisions in relevant governance forums with attendees from the appropriate stakeholder departments and functions, e.g., business heads, compliance, or IT. Forums should evidence discussion and challenge on issues, risks, or concerns considered. Appropriate management and oversight are vital to support a robust TM programme and prevent adverse regulatory, reputational, and financial consequences.

Have governance programmes effectively adapted to remote working conditions? Do policies and procedures appropriately discuss the security of  CDD information and alerts in a work-from-home environment?
Key Takeaways

TM is not just a requirement under U.K. regulation, but is an important tool used by the financial services industry in the battle against financial crime. For TM systems to be effective, they must be reviewed regularly and tailored appropriately. Firms must consider the specific risks of the business, the data available, the customer base, and the supporting infrastructure — all through the lens of proportionality. With COVID-19 altering normal customer behaviour, firms should review the end-to-end inputs of their TM solutions and update these as needed to suit current conditions and take a proactive approach preparing for similar events in the future.

In our experience, for a firm to have an effective and efficient TM solution, it should:

  • Customise its approach according to the specific financial crime risks posed by its business model, employing effectual customer segmentation and tailored rulesets 
  • Use high quality data inputs and appropriate filtering
  • Use CDD information to enable proper alert adjudication and investigation, working in tandem with RMs and compliance when needed 
  • Use MI to assess, tune, and calibrate the performance of TM systems on an ongoing basis, focusing on and particularly in light of emerging financial crime typologies
  • Execute robust assurance and governance over the solution
  • Update frameworks and systems as needed, for example, when prompted by global events such as COVID-19
How Kharis and Knoble Can Help

Kharis and Knoble can review systems to ensure firms are operating TM programmes which meet regulatory expectations and fulfil the goal of effectively identifying suspicious activity in a manner that is applicable and proportionate to a firm’s business model. Please contact one of our specialists for further information or initiate a discussion on how Kharis and Knoble can advise you.