Transaction monitoring: common scenarios that trigger alerts

To summarize my experience as the founder of COREDO, most questions and problems for international businesses today arise not from company registration or even from obtaining a license, but from how to move forward in a world of continuous transaction monitoring and strict AML compliance requirements.

An entrepreneur sees one thing: “the payment was delayed again”, “the bank requested a package of documents”, “the client’s wallet is blocked pending investigation”.
But here’s what’s happening behind the scenes: a complex AML transaction monitoring system, hundreds of AML rules, dozens of AML scenarios, thousands of AML alerts daily and a constant struggle between risk and customer experience.

In this article I’ll break down three things:
  1. which typical suspicious transaction monitoring scenarios most often trigger alerts;
  2. how these scenarios look from the perspective of a bank/fintech/licensed company;
  3. what an owner or chief financial officer can do to reduce the number of unnecessary alerts without exposing the business to regulatory risk.

I base this on COREDO’s real-world practice: company registration in the EU and Asia, obtaining financial licenses, setting up AML functions and supporting clients in the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore, Dubai and other jurisdictions.

Why a payment ends up in AML monitoring

Any bank, fintech, payment institution, crypto exchange or virtual asset service provider is required to have a functioning anti-money laundering monitoring system. This is not “desirable”, but a direct requirement of regulators in the EU, the United Kingdom, Singapore, the UAE, and many countries in Asia and the CIS.

Inside such a system there are always three layers:

  • KYC and transaction monitoring
    Customer profile, customer risk rating, customer behavior profile, expected turnover and expected transaction pattern. It is precisely through the combination KYC + transaction monitoring that the system determines whether this transaction is normal for a specific customer.
  • Rule-based / scenario-based transaction monitoring
    A set of AML scenarios and AML rules that catch unusual transaction patterns, high-risk transactions, cross-border transactions with increased risk, operations with high-risk jurisdictions, PEPs and sanctions alerts, etc.
  • Alert handling & investigations
    Generation of transaction monitoring alerts, their prioritization, investigation, escalation, and, if necessary, submission of a suspicious activity report (SAR) to the financial intelligence unit (FIU) and a full AML transaction monitoring audit trail.
All of this must operate under a risk-based approach (RBA): the higher the risk, the stricter the scenarios, the lower the thresholds, the faster the response.

Common scenarios that trigger AML alerts

Typical scenarios that most often trigger AML alerts are recurring patterns of client behavior and transactions that automated systems recognize as potentially suspicious operations. By breaking down scenarios such as structuring / smurfing and payment fragmentation, it is easier to understand why alerts fire on them more often and how the compliance team responds.

One of the most “classic” scenarios of suspicious transaction monitoring:
  • the client regularly makes many small payments,
  • each of them just below formal AML transaction thresholds,
  • in total over a short period this is a significant volume.

Systems see such smurfing / structuring alerts as:

  • frequent operations for similar amounts;
  • splitting a single logical payment into a chain of small ones;
  • fragmentation between related accounts or related-party transactions.
For B2B clients this is often linked to legitimate business processes, but structuring transaction monitoring tends to respond strictly by default.
From COREDO’s practice:

In one holding with operations in the EU and Asia, the accounting department was used to splitting payments between several partners and legal entities to speed up approvals. After the implementation of a new real-time AML transaction monitoring system, the bank began to raise AML alerts en masse. The solution developed at COREDO included rewriting payment flows, updating the business process descriptions for the bank, and adjusting AML rules and value-based thresholds to the real business model.

Key to reducing false positives:
clearly document transaction profiling, the business rationale for structuring, and agree this with the bank/provider.
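
The structuring pattern described above, written as a sliding-window rule. This is an added example, not COREDO's or any vendor's rule set; the threshold, window, aggregate limit, account names and the `related` mapping are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters, constructed for illustration (not regulatory values).
THRESHOLD = 10_000            # per-transaction value threshold
NEAR_RATIO = 0.80             # "just below" = at least 80% of the threshold
AGGREGATE_LIMIT = 25_000      # combined volume that makes the pattern significant
MIN_COUNT = 3                 # minimum number of near-threshold payments
WINDOW = timedelta(days=3)    # the "short period"

def structuring_alerts(transactions, related=None):
    """Flag parties whose near-threshold payments inside WINDOW reach AGGREGATE_LIMIT.

    `related` maps an account to a related-party group, so payments
    fragmented across related accounts are aggregated together.
    """
    related = related or {}
    by_party = defaultdict(list)
    for tx in transactions:
        if NEAR_RATIO * THRESHOLD <= tx["amount"] < THRESHOLD:
            by_party[related.get(tx["account"], tx["account"])].append(tx)

    alerts = []
    for party, txs in sorted(by_party.items()):
        txs.sort(key=lambda t: t["ts"])
        start, total = 0, 0
        for end, tx in enumerate(txs):
            total += tx["amount"]
            # Shrink the window from the left until it spans at most WINDOW.
            while tx["ts"] - txs[start]["ts"] > WINDOW:
                total -= txs[start]["amount"]
                start += 1
            count = end - start + 1
            if count >= MIN_COUNT and total >= AGGREGATE_LIMIT:
                alerts.append({
                    "party": party, "count": count, "total": total,
                    "accounts": sorted({t["account"] for t in txs[start:end + 1]}),
                })
                break  # one alert per party is enough to open a case
    return alerts

def _tx(account, amount, day, hour):
    return {"account": account, "amount": amount, "ts": datetime(2024, 3, day, hour)}

# Constructed sample data.
SAMPLE = [
    _tx("A1", 9_500, 1, 9), _tx("A2", 9_200, 1, 15), _tx("A1", 9_800, 2, 10),
    _tx("B1", 9_500, 1, 9), _tx("B1", 9_700, 1, 12),
    _tx("C1", 9_000, 1, 9), _tx("C1", 9_000, 11, 9), _tx("C1", 9_000, 21, 9),
    _tx("D1", 12_000, 1, 9), _tx("D1", 3_000, 1, 10),
]
RELATED = {"A1": "holding-A", "A2": "holding-A"}  # constructed related-party map

if __name__ == "__main__":
    for alert in structuring_alerts(SAMPLE, RELATED):
        print(alert)
```

Without the `related` mapping the same sample produces no alert, because the payments are split across two accounts.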

Rapid turnover of funds in the account

Rapid movement of funds alerts occur when money:

  • arrives and leaves almost immediately;
  • moves quickly through several accounts;
  • passes through complex chains (back-to-back, round-tripping funds, mirror transactions).

Common triggers:

  • intra-group transactions monitoring between related companies;
  • rapid turnover through corporate accounts with a small balance;
  • a sudden increase in turnover without a clear explanation.
In COREDO’s practice this regularly appears with trading companies, international logistics, and distribution structures. They indeed operate with low margins and rapid turnover – to the system this looks like the layering stage of money laundering.

What helps:

  • a documented customer behavior profile and a description of business cycles;
  • transparent contracts, invoices, and supply chain payment risk logic;
  • pre-configuring scenarios for the client type: trade, fintech, payment provider, etc.
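
A rapid-movement check for the pattern above, where funds arrive and leave almost immediately. This is an added example, not code from the article or from any monitoring product; the 24-hour window, the 90% ratio, the minimum turnover and the account names are assumptions. A low-margin trading account will score high on this rule too, which is why the documented behavior profile matters.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed parameters, constructed for illustration.
WINDOW = timedelta(hours=24)   # funds leaving within this time count as "fast"
PASS_RATIO = 0.90              # share of credited funds that left fast
MIN_CREDITED = 20_000          # ignore accounts with negligible turnover

def pass_through_ratio(entries, window=WINDOW):
    """entries: (timestamp, amount) pairs; credits > 0, debits < 0.

    Debits are matched to the oldest unspent credits (FIFO); the result is
    the share of credited funds that left the account within `window`.
    """
    unspent = deque()            # items are [credit_ts, remaining_amount]
    credited = fast_out = 0
    for ts, amount in sorted(entries):
        if amount > 0:
            unspent.append([ts, amount])
            credited += amount
            continue
        need = -amount
        while need > 0 and unspent:
            credit_ts, remaining = unspent[0]
            used = min(need, remaining)
            if ts - credit_ts <= window:
                fast_out += used
            need -= used
            if used == remaining:
                unspent.popleft()
            else:
                unspent[0][1] = remaining - used
    return fast_out / credited if credited else 0.0

def rapid_movement_alerts(accounts):
    """Return (account, ratio) for accounts that mostly pass funds straight through."""
    alerts = []
    for account, entries in sorted(accounts.items()):
        credited = sum(a for _, a in entries if a > 0)
        ratio = pass_through_ratio(entries)
        if credited >= MIN_CREDITED and ratio >= PASS_RATIO:
            alerts.append((account, round(ratio, 3)))
    return alerts

# Constructed sample ledger entries.
ACCOUNTS = {
    "trader-01": [
        (datetime(2024, 3, 1, 10, 0), 50_000),
        (datetime(2024, 3, 1, 11, 30), -49_500),
        (datetime(2024, 3, 3, 9, 0), 30_000),
        (datetime(2024, 3, 3, 9, 45), -29_800),
    ],
    "saver-01": [
        (datetime(2024, 3, 1, 10, 0), 40_000),
        (datetime(2024, 3, 11, 10, 0), -5_000),
    ],
}

if __name__ == "__main__":
    print(rapid_movement_alerts(ACCOUNTS))
```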

Unusual geography and high-risk jurisdictions

One of the most frequent questions from clients:
“Why does a payment to a new country immediately trigger an alert?”

The answer is simple: geolocation anomaly monitoring and high-risk country transaction monitoring are mandatory elements of financial crime compliance.

The system monitors:

  • the sender’s and recipient’s countries;
  • correspondent banks (correspondent banking risk, nested relationships risk);
  • links to sanctioned or offshore jurisdictions;
  • sharp changes in geography (yesterday – only the EU, today – payments to several high-risk jurisdictions simultaneously).
For many fintech projects and neobanks that COREDO works with, launching a new market in Asia or Africa inevitably triggers a spike in cross-border transaction monitoring alerts.

The right strategy:

  • adapt AML scenarios in advance taking into account regional typologies Europe / Asia / Africa;
  • conduct an AML risk assessment for new directions;
  • update the customer risk rating taking into account new countries and products.

Dormant account reactivation: sudden reactivation

Dormant account reactivation alerts are one of the most underestimated yet dangerous scenarios:

  • the account was unused for a long time;
  • then large or numerous transactions occur in a short period;
  • especially if the nature of the transactions or the geography changes.
For the bank this is a classic indicator of account takeover, fraudulent use of an old account, or an attempt to use a “sleeping” profile for money mule schemes.

This can be inconvenient for the business: the company “unfroze” one of its old accounts in Europe, started new operations – and received a series of AML alerts and requests for documents.

The COREDO team in such cases builds a clear plan with the bank:
  • pre-notification of the planned account reactivation;
  • description of the new expected transaction pattern;
  • if necessary – updating KYC and enhanced Due Diligence (EDD).

Large transactions and high risks

Large value transaction alerts trigger when value-based thresholds are exceeded, often in combination with:

  • non-standard counterparties;
  • high-risk industries (gaming, gambling, certain MCCs, cash-intensive businesses);
  • an unusual currency or jurisdiction;
  • an unusual frequency of large transactions.
A separate block – cash-intensive business monitoring, high-risk merchant category codes (MCC), prepaid cards and vouchers risk, stored value accounts monitoring.
In such cases high-risk transactions monitoring is almost always combined with enhanced verification of documents and sources of funds.

For a corporate client it is critical here:

  • describe limits and typical amounts in advance;
  • provide transparent documents for key contracts;
  • make sure that one-off large transactions do not look like an inexplicable “bulge” in turnover.

Crypto and virtual assets in banking

A topic that has come up more frequently in COREDO’s practice in recent years: cryptocurrency transaction monitoring, virtual asset service provider AML monitoring and on-ramp / off-ramp transaction monitoring.

Triggers:

  • regular transfers to crypto exchanges and back;
  • fiat payments to unknown VASPs;
  • transactions involving stablecoins and DeFi monitoring through custodial wallets;
  • transfers related to high-risk exchanges or anonymizing services.
Traditional banks view this through the prism of:
  • virtual assets and crypto exchanges risk;
  • source of funds and beneficial ownership transparency;
  • risks of layering and the integration stage of money laundering through crypto instruments.
For clients licensed to provide crypto services and supported by COREDO, we always design a separate architecture:
  • specialized scenarios for crypto-related transaction monitoring;
  • device and channel analysis in AML (web, mobile, API);
  • integration with blockchain data providers and high-risk address lists.

Customer behavior in AML alerts

With modern regulatory expectations, a single simple set of rules «if amount > X, generate an alert» is no longer enough. The following come into play:

  • customer behavior monitoring AML;
  • transaction frequency analysis and velocity checks in transaction monitoring;
  • behavioral analytics in transaction monitoring and anomaly detection in AML monitoring.

The system looks not only at absolute amounts, but also at:

  • deviations from the customer behavior profile;
  • out-of-pattern transactions;
  • seasonality and cyclicality of transactions;
  • correlation with new products or markets.
From COREDO’s experience:

One European neobank found that, as its customer base grew severalfold, the number of AML alerts grew exponentially. Analysis showed that some rules were too “global” and did not account for segmentation. We reworked the model: we added segmentation by separating retail and corporate clients and took into account business types, average transaction amounts, and transaction frequency. This reduced AML false positives by more than half without increasing risk.

For businesses this means:
the better you know and describe your actual behavior, the easier it is to configure scenario-based transaction monitoring that reacts to anomalies rather than to normal operational activity.
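
The difference between a single global rule and a segment-aware rule, as an added example that is not the model built in the project described above. The segment histories, the global limit and the 3.5 cut-off are constructed assumptions, and the scoring uses a median/MAD modified z-score, which is one common robust choice rather than anything the article specifies.

```python
from statistics import median

GLOBAL_LIMIT = 10_000   # assumed "if amount > X" rule
CUTOFF = 3.5            # assumed cut-off for the modified z-score

# Constructed history of typical transaction amounts per segment.
HISTORY = {
    "retail": [40, 55, 60, 75, 80, 90, 120, 150, 200, 300],
    "corporate": [18_000, 22_000, 25_000, 27_000, 30_000,
                  32_000, 35_000, 40_000, 45_000, 60_000],
}

# Constructed new transactions: (id, segment, amount).
NEW = [
    ("t1", "retail", 6_000), ("t2", "retail", 110),
    ("t3", "corporate", 28_000), ("t4", "corporate", 41_000),
    ("t5", "corporate", 400_000),
]

def baseline(amounts):
    """Median and median absolute deviation (MAD) of a segment's history."""
    med = median(amounts)
    mad = median([abs(a - med) for a in amounts])
    return med, mad

def score(amount, med, mad):
    """One-sided modified z-score: only amounts above the median are scored."""
    if amount <= med:
        return 0.0
    if mad == 0:
        return float("inf")   # any increase over a perfectly flat history
    return 0.6745 * (amount - med) / mad

def global_rule(txs):
    """The single 'amount > X' rule applied to every customer alike."""
    return [tx_id for tx_id, _, amount in txs if amount > GLOBAL_LIMIT]

def segmented_rule(txs, history=HISTORY):
    """Alert only when an amount is out of pattern for its own segment."""
    baselines = {seg: baseline(vals) for seg, vals in history.items()}
    return [tx_id for tx_id, seg, amount in txs
            if score(amount, *baselines[seg]) > CUTOFF]

if __name__ == "__main__":
    print("global:   ", global_rule(NEW))
    print("segmented:", segmented_rule(NEW))
```

On this sample the global rule alerts on routine corporate payments and misses the out-of-pattern retail payment, while the segmented rule does the opposite.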

How the AML transaction monitoring system works

An entrepreneur needs to understand not only the scenarios themselves but also how the system operates as a whole.

Rule-based or machine learning?

In COREDO’s real projects for implementing and configuring systems for banks, fintechs and payment institutions, a hybrid model is most often used:

  • rule-based transaction monitoring
    Classic rules and scenarios: thresholds, country lists, structuring patterns, specific trade-based money laundering red flags, invoice fraud transaction patterns, mule account detection scenarios, scam-driven transfer detection.
  • machine learning in transaction monitoring
    Anomaly detection algorithms, supervised vs unsupervised AML models, behavioral analytics, recommendations for alert prioritization and reduction of false positives.
Critical for the regulator are: explainable AI (XAI) in AML, model governance in AML, model validation and backtesting, clear data lineage in AML systems.
If you, as a business owner, use a third-party platform or are launching your own fintech project, I recommend asking the provider direct questions:
  • how AML model risk management is implemented;
  • whether there are procedures for AML model validation for transaction monitoring;
  • what audit trail and AML documentation exist;
  • how data quality issues in transaction monitoring are addressed.

Calibration and threshold testing

The second critical area is AML transaction monitoring calibration:

  • AML alert thresholds optimization;
  • tuning suspicious transaction monitoring scenarios;
  • above the line / below the line testing AML;
  • AML scenario effectiveness testing.
At the board level the key question is simple:
“Why do we have so many alerts and so much manual work?”
The answer usually lies in three areas:
  • thresholds and scenario parameters do not match a real risk-based approach;
  • there is no regular scenario library management and scenario coverage assessment;
  • there is no functioning AML continuous learning feedback loop from analysts to rule owners.
COREDO’s practice shows:
after the first wave of monitoring system implementation companies often live with “semi-tested” settings for years. This creates an illusion of control, but in practice yields either an avalanche of false positives or a high risk of false negatives.

Governance, KPIs and working with the business

A working AML transaction monitoring function is not only about technology and scenarios, but also about proper governance:

  • AML alerts governance framework;
  • the three lines of defence model in AML;
  • governance of the financial crime function and financial crime committees;
  • regular internal audits of transaction monitoring and independent validation of AML systems;
  • regulatory inspections and reviews, preparation for inspections and addressing findings.

For the board and senior management, the following are important:

  • key risk indicators (KRI) for AML;
  • management information (MI) for AML;
  • service level agreements (SLA) for alert handling;
  • team workload and resource planning for AML teams;
  • AML transaction monitoring ROI and cost of compliance vs cost of non-compliance.
The COREDO team often gets involved precisely at this level:
we help build governance, define KPIs and KRIs, prepare for a regulator inspection and explain why this particular monitoring architecture matches the risk profile of a specific business.

What entrepreneurs and CFOs can do now

I’ll list practical steps that significantly reduce the “pain” of AML monitoring for operating businesses and are almost mandatory when launching new projects in Europe and Asia.

How to map your business model to AML

For a bank, your business is a set of risks, not just revenue. The task is to help the compliance team understand you.
I recommend preparing:

  • a description of the business model with a focus on payment flows;
  • customer segments, customer risk rating by groups;
  • typical volumes, currencies, geography, expected transaction pattern;
  • a list of high-risk industries if you work with them (gaming, gambling, cash-intensive, high-risk MCCs);
  • group structure, ultimate beneficial owner (UBO) screening, complexity of corporate structure and use of virtual office / co-working addresses.
At COREDO we regularly prepare such documents for clients, simultaneously using them during company registration, licensing and AML risk management setup.

Transparency of banks and providers

Even large international banks often hide the logic of scenarios behind the formulation “required by the regulator”.

In practice you can and should:
  • discuss transaction monitoring common red flags and typical scenarios that trigger for your business;
  • ask for examples of frequent AML alert scenarios in transaction monitoring for your type of business;
  • clarify how the bank uses name screening vs transaction screening, sanctions screening and transaction monitoring, adverse media screening and PEP checks.
The higher the quality of the dialogue you build, the easier it is to jointly optimize thresholds, reduce the number of unjustified alerts and avoid blocks for formal reasons.

Invest in an internal AML function

For licensed companies (payment institutions, EMI, forex, crypto platforms, neobanks) this is a mandatory requirement of regulators in Europe and Asia.

But even for “ordinary” trading and service companies with an international payment flow, an internal financial crime compliance function becomes a competitive advantage.

This can be implemented in different ways:

  • an in-house department + external COREDO support for complex issues;
  • partial outsourcing of AML monitoring, where an internal compliance officer manages the provider;
  • managed services for transaction monitoring, if the business is not ready to build a large team.
In any case, having a person who understands the difference between alert volume and alert quality, knows how to work with case management in AML systems, and recognizes when a transaction should trigger a SAR is the best protection against regulatory claims and unexpected blocks.

Data and IT landscape quality

Even the most expensive AML platform is powerless if:

  • data sources are not synchronized;
  • there are gaps in KYC, UBO, geodata, IP, device;
  • there is no control over data quality issues in transaction monitoring.
In COREDO projects we always start with:
  • analysis of data ingestion and data mapping;
  • checking data quality controls and completeness checks;
  • the need for data enrichment (IP, device, geo), device fingerprinting in fintech, IP address risk indicators, geolocation risk scoring.
Only after that does it make sense to seriously talk about scenario calibration, ML models and reducing false positives.

How to choose a jurisdiction and a license

Choosing a jurisdiction for a holding or a financial license directly affects which AML transaction monitoring regulatory expectations you will have to meet.

The COREDO team supports clients in:
  • the EU (including the Czech Republic, Slovakia, Cyprus, Estonia, Latvia, Lithuania, Poland, the United Kingdom, etc.);
  • Singapore, some Asian and Middle Eastern jurisdictions;
  • CIS countries.
At the planning stage we always consider:
  • local typologies from regulators and industry bodies;
  • expectations for transaction monitoring in cross-border payments;
  • requirements for governance of the financial crime function and the resource intensity of the AML function;
  • scalability prospects: AML monitoring for multi-jurisdictional business, synchronization of rules across different countries.
This makes it possible not just to obtain a license, but also to build a sustainable model in which AML monitoring does not block business growth.

How does COREDO help in practice?

Over the years the COREDO team has implemented dozens of projects where registration of legal entities, obtaining financial licences and the configuration of AML transaction monitoring were part of a single strategy:
  • support for the launch of fintech projects and payment institutions in the EU;
  • registration and support of crypto platforms and VASP;
  • configuration of AML monitoring for neobanks, including real-time transaction monitoring alerts;
  • optimization of existing monitoring systems for international holdings operating in Europe and Asia.

The approach is always the same:

  1. We understand the business model and the real risk exposure.
  2. We build the architecture of the AML/CTF function and a risk-based approach.
  3. We help select and implement a technological solution (including cloud-based AML platforms, API-based integration with core banking, data lakes for AML analytics).
  4. We configure scenario design, threshold setting, above/below the line testing.
  5. We build governance, MI/KRI, escalation processes and interactions with the regulator.
  6. We stay close as a long-term partner: we update scenarios, support during audits, and help adapt to new markets and products.
If you are already dealing with constant AML alerts, payment blocks, a burden on your team, or are only planning to expand into new jurisdictions and obtain licences, now is the right time to view AML transaction monitoring not as a “regulator-imposed problem”, but as a strategic element of managing risk and the cost of doing business.
At COREDO I see my task and the team’s task as translating the complex language of regulators and monitoring systems into the understandable language of an entrepreneur — and vice versa. When both sides speak the same language, transaction monitoring ceases to be a brake on growth and becomes part of a resilient and scalable business model.