Free video course
10 AML Transaction Monitoring Rules Every Compliance Team Needs
A structured course on the ten fundamental AML rules that form the backbone of any automated transaction monitoring program, with real threshold examples, calibration pitfalls, and a practical self-audit framework.
▶ Start the course
What you’ll learn
- ✓ Name the ten AML rule categories that every automated monitoring program should include as a baseline
- ✓ Explain the configuration parameters that make each rule effective, including lookback windows, threshold bands, and profile filters
- ✓ Identify calibration pitfalls and false-positive risks for each rule type
- ✓ Apply a self-audit framework to evaluate whether your organization's current ruleset covers these fundamentals
Before you start
- □ Basic familiarity with AML compliance obligations and why regulated entities must have controls in place
- □ Some exposure to financial transactions or banking products such as deposits, payments, or cryptocurrency exchanges
Course curriculum
- 01 How to detect structuring and account-integrity red flags in transaction monitoring Learn how structuring detection rules work and why PII changes before a large payment signal account takeover or layering in AML monitoring. Structuring exploits reporting thresholds by splitting transactions into amounts just below the regulatory limit. A well-calibrated rule searches for multiple transactions in a narrow band below your jurisdiction's threshold within a defined lookback window. PII changes before a large outbound payment present two distinct risks: account takeover by a third party and layering by the account holder. · Structuring rules should target a transaction value band just below your reporting threshold, not all sub-threshold amounts.· PII changes immediately before a large payment are a dual signal: they can indicate account takeover or ongoing layering.· Every regulated entity must calibrate baseline rules to its own business model, geography, and customer base. 4 min · checkpoint
- 02 How AML rules detect unusual spending patterns, merchant collusion, and disproportionate fund flow Learn how to design AML rules for unusual customer spending patterns, low buyer diversity in merchant accounts, and disproportionate credit-to-debit ratios. Unusual spending rules compare account activity against customer profile attributes rather than static thresholds, making rule clusters more effective than single rules. Low buyer diversity targets merchant accounts where funds cycle between a limited group of counterparties, a hallmark of collusion. Disproportionate flow-through alerts when credit and debit totals are suspiciously close, which is unusual for most business account types. · Unusual spending rules are most powerful when tied to customer profile attributes like income level and occupation, not just absolute transaction amounts.· Low buyer diversity rules should exclude new merchants in a ramp-up period to avoid penalizing legitimate business growth.· Disproportionate flow-through is especially suspicious for business accounts that primarily collect payments, where high debit totals have no obvious commercial explanation. 3 min · checkpoint
- 03 How AML rules monitor high-risk country transactions, rapid fund movement, and suspicious cash activity Understand how AML rules flag transactions involving high-risk jurisdictions, immediate withdrawals, and cash patterns inconsistent with customer profiles. High-risk country rules need continuous maintenance as the geopolitical landscape shifts. FATF updates and national regulatory guidance are the primary inputs. Immediate withdrawal rules target the rapid in-out pattern characteristic of accounts used purely as pass-throughs. Cash rules are most effective when combined with profile attributes such as occupation and expected transaction behavior, rather than applied as flat amount filters across all customers. · High-risk country rules are only as good as their maintenance schedule. A list not refreshed in 12 months is a compliance liability.· Immediate withdrawal patterns should be assessed against the full account context, including the counterparty receiving the funds and whether any business relationship exists.· Cash alerts generate the most actionable intelligence when correlated with customer occupation and expected cash usage, not applied as a blanket amount filter. 3 min · checkpoint
- 04 How AML rules detect dormant account reactivation and crypto-to-fiat money laundering Learn how AML monitoring rules flag dormant account reactivation linked to suspicious activity and frequent crypto-to-fiat conversions that indicate layering. Dormant account rules fire when unusual activity appears on accounts that have been inactive for a defined period. The most compelling signals combine reactivation with high-risk geographic exposure or a sudden change in transaction volume. Crypto-to-fiat conversion rules address the layering technique of cycling funds between virtual assets and fiat currency, often in small amounts that individually fall below reporting thresholds but collectively represent significant volume. · Dormant account alerts gain investigative value when combined with a second signal, such as transactions to high-risk countries or an unusual transaction type not seen in the account's prior history.· Crypto-to-fiat conversion rules should monitor cumulative value over a window, not just individual transaction amounts, to catch layering through multiple small conversions.· These ten rules represent a starting point. An effective program continuously reviews rule performance and adds rules as new typologies emerge. 3 min · checkpoint
Frequently asked questions
Are these ten rules sufficient on their own to meet regulatory requirements?
No. These rules form a recommended baseline, not a complete monitoring program. Your jurisdiction, business model, and risk appetite will require additional rules tailored to your specific context. Think of these ten as the floor, not the ceiling. A thorough program also includes rules for sector-specific typologies, enhanced due diligence triggers, and controls aligned to the guidance your regulator has published.
How often should AML transaction monitoring rules be reviewed and updated?
At a minimum, annually, but in practice you should review rules whenever your business model changes, when a new typology emerges, or when regulators update published guidance. High-risk country lists require near-real-time maintenance because FATF publishes jurisdiction assessments up to three times per year, and national regulators often issue their own supplementary guidance between those updates.
What is the difference between a single AML rule and a rule cluster?
A single rule fires on one specific pattern, such as a transaction above a defined amount. A rule cluster combines multiple rules that each detect a component of a broader scheme. For unusual spending patterns, a cluster approach is usually more effective because it allows you to combine behavioral signals from different dimensions, such as amount, frequency, counterparty, and geography, reducing false positives while improving detection precision.
Why do structuring rules target a band just below the reporting threshold rather than all transactions below it?
The band captures intentional threshold-avoidance. A structuring rule set at, say, 90 to 99 percent of your reporting threshold targets transactions that are suspiciously close to but just under the limit, which is the characteristic behavior of someone deliberately avoiding a reporting obligation. Covering all sub-threshold transactions would generate an enormous volume of low-quality alerts with no meaningful pattern to investigate.