Automated transaction monitoring is not one-size-fits-all. Risk exposure depends on your institution's business model, the geographies it operates in, the products it offers, and the customers it serves. Despite this variation, a core set of rules addresses money laundering schemes that appear repeatedly across regulated institutions. Regulators expect documented evidence that those baseline rules exist, are calibrated to the firm's risk profile, and are actively maintained. This chapter introduces why that foundation matters and examines the first two detection patterns every program should deploy.
Chapter 1 of 4 · 4 min
How to detect structuring and account-integrity red flags in transaction monitoring
Learn how structuring detection rules work and why PII changes before a large payment signal account takeover or layering in AML monitoring.
TL;DW
Structuring exploits reporting thresholds by splitting transactions into amounts just below the regulatory limit. A well-calibrated rule searches for multiple transactions in a narrow band below your jurisdiction's threshold within a defined lookback window. PII changes before a large outbound payment present two distinct risks: account takeover by a third party and layering by the account holder.
Auto-skips a sponsor segment (0:11 to 0:47). The full video keeps them.
Structuring is the deliberate splitting of a larger sum into multiple transactions, each designed to stay just below a regulatory reporting threshold. To detect it, your rule must aggregate transactions within a specific value band over a defined lookback window. The band should be set just below your jurisdiction's reporting threshold, not across all sub-threshold amounts, to reduce noise and target true threshold-avoidance behavior. Without that precision, ordinary low-value transactions generate alert volume that overwhelms investigators and dilutes the quality of every review queue.
When an account holder updates personally identifiable information shortly before making a significant outbound payment, the timing creates a detectable pattern. This rule should fire whenever a PII modification and a large payment occur within a defined window. The alert requires investigator judgment because two very different risk scenarios can produce the same signal, and distinguishing them requires reviewing the full account context: the beneficiary, the account's prior transaction history, and whether the account holder can confirm both the update and the payment.
Key terms
- Structuring
- The deliberate splitting of transactions into amounts below a reporting threshold to avoid a regulatory filing obligation, also called smurfing.
- Reporting threshold
- The transaction amount above which a financial institution must file a regulatory report, such as a Currency Transaction Report in the US at $10,000.
- PII (Personally Identifiable Information)
- Data that can identify a specific individual, such as name, address, date of birth, or national identification number.
- Layering
- The second stage of money laundering, in which the origin of funds is obscured by moving money through multiple accounts, transactions, or jurisdictions.
Key takeaways
- Structuring rules should target a transaction value band just below your reporting threshold, not all sub-threshold amounts.
- PII changes immediately before a large payment are a dual signal: they can indicate account takeover or ongoing layering.
- Every regulated entity must calibrate baseline rules to its own business model, geography, and customer base.
Watch out
- Setting the structuring detection window too short, such as a single day, will miss the typical pattern, which often spans several weeks.
- Legitimate PII changes generate false positives. Consider adding a minimum payment size and a precise time-gap parameter before the alert fires.
Check your understanding
What are the two key parameters that define an effective structuring detection rule?
The value band below the reporting threshold, set to capture transactions suspiciously close to but just under the limit, and the lookback window over which multiple such transactions are aggregated. Together they identify the repeated pattern that characterizes deliberate structuring, as opposed to a customer who simply prefers smaller transactions for legitimate reasons.
A customer updates their home address and, two days later, initiates a $45,000 overseas transfer. What are the two risk scenarios an investigator should consider?
First, account takeover: a criminal who obtained account access changed the address to redirect authentication alerts before moving funds. Second, layering by the legitimate account holder: the PII change was made to obscure the audit trail for an ongoing laundering scheme. The investigation should examine the account's full transaction history, the beneficiary of the transfer, and whether the account holder can be contacted to confirm both the address change and the payment.
Unlocks when you finish the chapter.