Monitoring | 10 min read | Updated June 2025

Transaction Monitoring: Detecting Suspicious Activity Under the AML/CTF Act

Effective transaction monitoring is the primary mechanism for detecting money laundering and terrorism financing in a customer's ongoing behaviour. This guide covers the legal requirement, rule design, common typologies, alert management, and documentation obligations.

The Legal Basis for Transaction Monitoring

Transaction monitoring is a component of the ongoing customer due diligence obligation under the AML/CTF Act. Section 36 of the Act requires reporting entities to have in place a program for monitoring the business relationship with customers on an ongoing basis for the purposes of identifying, mitigating, and managing ML/TF risk.

The AML/CTF Rules elaborate on this: ongoing monitoring must include monitoring of transactions undertaken for the purpose of identifying whether the transactions are consistent with the reporting entity's knowledge of the customer and their source of funds, and for the purpose of identifying and reporting suspicious matters.

The "consistent with knowledge" standard is important. Transaction monitoring is not just about detecting individually suspicious transactions — it is about detecting transactions that are inconsistent with what the entity knows about the customer. A customer who stated at onboarding that they are a salaried employee receiving regular monthly payments into their account would raise questions if they suddenly start receiving multiple large cash deposits or making international transfers to high-risk jurisdictions. Neither transaction may be individually suspicious; together and in context, they indicate a change in risk profile requiring investigation.

The obligation applies to all reporting entities, though the appropriate implementation varies significantly with the entity's business model, transaction volumes, and customer risk profile. A small remittance provider processing a few dozen transactions per day can conduct manual transaction review. A digital currency exchange processing thousands of trades per hour cannot — automated monitoring is essential.

Rule Design and Typologies

Transaction monitoring rules are the automated logic that flags transactions or customer behaviour patterns for review. Effective rule design starts with AUSTRAC's published typologies — documented patterns of transaction behaviour that are consistent with known money laundering or terrorism financing methods.

Structuring is one of the most common and important typologies. It involves deliberately breaking up transactions into multiple smaller amounts to avoid the $10,000 threshold that triggers a Threshold Transaction Report. Structuring rules typically flag: multiple cash transactions from the same customer within a defined period (e.g., 7 days) that individually fall below $10,000 but collectively exceed it; transactions just below round-number thresholds (e.g., $9,800, $9,950) that suggest the customer is aware of the reporting threshold; and repeated transactions at the same amount just below the threshold.
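The three structuring conditions above, expressed as one detection rule and run over constructed sample transactions. This is an added example, not part of the original guide or any vendor's rule set; the `NEAR_BAND` and `REPEAT_MIN` parameters, the reason labels and the sample data are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 10_000          # TTR threshold named in the guide
WINDOW = timedelta(days=7)  # the guide's example period
NEAR_BAND = 500             # assumption: "just below" means within $500
REPEAT_MIN = 3              # assumption: same near-threshold amount 3+ times

# Constructed sample cash transactions: (customer, ISO timestamp, amount)
SAMPLE = [
    ("C1", "2025-06-02T10:00", 2_000),
    ("C2", "2025-06-02T09:00", 9_800),
    ("C2", "2025-06-04T09:30", 9_800),
    ("C2", "2025-06-06T16:10", 9_800),
    ("C3", "2025-06-01T11:00", 4_000),
    ("C3", "2025-06-03T11:00", 3_500),
    ("C3", "2025-06-05T11:00", 3_000),
    ("C4", "2025-06-01T12:00", 6_000),
    ("C4", "2025-06-20T12:00", 6_000),
    ("C5", "2025-06-03T14:00", 12_000),
]

def structuring_alerts(txns):
    """Return {customer: sorted reasons} for the three structuring patterns."""
    by_cust = {}
    for cust, ts, amt in txns:
        if amt < THRESHOLD:  # at or above the threshold is a TTR, not structuring
            by_cust.setdefault(cust, []).append((datetime.fromisoformat(ts), amt))
    alerts = {}
    for cust, sub in by_cust.items():
        sub.sort()
        reasons = set()
        start = total = 0
        for end, (t, amt) in enumerate(sub):  # sliding 7-day window
            total += amt
            while t - sub[start][0] > WINDOW:
                total -= sub[start][1]
                start += 1
            if end > start and total > THRESHOLD:
                reasons.add("aggregate_over_threshold")
        near = [a for _, a in sub if THRESHOLD - a <= NEAR_BAND]
        if near:
            reasons.add("near_threshold_amount")
            if max(Counter(near).values()) >= REPEAT_MIN:
                reasons.add("repeated_same_amount")
        if reasons:
            alerts[cust] = sorted(reasons)
    return alerts
```

C4's two deposits fall 19 days apart, so the window never holds both and no alert fires; C3 is caught only by the aggregate condition because none of its amounts sit near the threshold.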

Velocity rules detect unusual activity volume. A customer who normally transacts twice per week suddenly sending 20 transactions in a single day represents an anomaly that warrants investigation. Velocity rules compare current transaction frequency against the customer's historical baseline and flag deviations above a configured threshold.

High-risk jurisdiction rules flag transactions involving counterparties in jurisdictions on FATF's grey or black list, DFAT-sanctioned countries, or the entity's own high-risk country list. These transactions don't necessarily indicate suspicious activity, but they warrant additional scrutiny.

Dormancy-activity patterns — where a customer account that has been inactive suddenly receives or sends significant funds — are a classic layering indicator. A dormant account suddenly receiving a large deposit and immediately transferring it elsewhere suggests the account may have been established specifically for layering purposes.

Round-dollar patterns — repeated transactions in exact round amounts — can indicate automated payment systems moving fixed sums, which is sometimes associated with organised crime payment schemes.

Calibration and False Positive Management

The quality of a transaction monitoring program is measured not just by the alerts it generates, but by the quality of those alerts. A program that generates thousands of alerts per day, the vast majority of which are false positives, is worse than useless — it creates alert fatigue that causes analysts to miss genuine suspicious activity buried in the noise.

Calibration is the ongoing process of adjusting rule thresholds and parameters to optimise the ratio of genuine suspicious activity to false positives. Calibration starts with backtesting: running proposed rules against historical transaction data to see how many alerts they would have generated and what percentage would have been actionable. Rules that generate too many false positives against historical data need threshold adjustment before deployment.

Customer segmentation improves calibration quality. Transaction patterns that are suspicious for a retail customer may be entirely normal for a business customer with high transaction volumes. Applying the same rules without customer segment differentiation produces poor results. Different rule sets and thresholds for different customer segments significantly reduce false positive rates.

Ongoing calibration after deployment involves: tracking the false positive rate for each rule (alerts reviewed and closed as non-suspicious divided by total alerts), reviewing rules with high false positive rates for threshold adjustment, monitoring for alert fatigue indicators (analysts closing alerts too quickly, declining investigation quality), and periodically reviewing whether the rule set still reflects AUSTRAC's current typology guidance.
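A backtest of the velocity rule described earlier, showing the per-rule false positive rate defined above and why segment-specific thresholds matter. This is an added example, not part of the original guide or any vendor's product; the segment names, candidate multipliers and labelled history are constructed assumptions.

```python
# Constructed, labelled history of customer-days:
# (segment, baseline txns/day, observed txns that day, was it actionable?)
HISTORY = [
    ("retail", 0.3, 20, True),    # roughly twice a week, then 20 in one day
    ("retail", 0.3, 1, False),
    ("retail", 1.0, 6, True),
    ("retail", 1.0, 4, False),
    ("retail", 0.5, 2, False),
    ("business", 40.0, 70, False),
    ("business", 40.0, 60, False),
    ("business", 25.0, 80, True),
    ("business", 60.0, 110, False),
]

def backtest(history, multiplier, segment=None):
    """Replay the rule 'observed > multiplier * baseline' over history.
    Returns (alerts, false_positive_rate, missed_actionable)."""
    rows = [r for r in history if segment in (None, r[0])]
    fired = [r for r in rows if r[2] > multiplier * r[1]]
    # FPR as the guide defines it: non-suspicious alerts / total alerts
    false_pos = sum(1 for r in fired if not r[3])
    missed = sum(r[3] for r in rows) - sum(r[3] for r in fired)
    fpr = false_pos / len(fired) if fired else 0.0
    return len(fired), fpr, missed

def calibrate(history, segment, candidates, max_missed=0):
    """Lowest-FPR multiplier that misses at most max_missed actionable cases.
    Returns (multiplier, false_positive_rate, alerts) or None."""
    best = None
    for m in candidates:
        alerts, fpr, missed = backtest(history, m, segment)
        if missed <= max_missed and (best is None or fpr < best[1]):
            best = (m, fpr, alerts)
    return best
```

On this data a single threshold for all customers cannot do better than a 50% false positive rate without missing the business case, while calibrating retail and business separately reaches 0% for both.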

AUSTRAC's expectation is not maximum alert volume — it is quality financial intelligence. An entity that files a small number of well-researched, genuinely suspicious SMRs provides more intelligence value than one that files high volumes of poor-quality reports generated by poorly calibrated monitoring. Calibration is both a compliance obligation and a practical efficiency measure.

Alert Investigation Process

Every transaction monitoring alert must be investigated. The AML/CTF Act requires that suspicious matters be reported — and a suspicious matter is one where the entity "has reasonable grounds to suspect" that an activity may be related to ML/TF. That reasonable grounds determination requires an actual investigation, not just a flag.

The investigation process typically involves several steps. The analyst reviews the customer's profile: their risk tier, the stated purpose of the relationship, their historical transaction patterns, any prior monitoring activity or SMRs. They then review the specific transactions that triggered the alert, placing them in the context of the customer's overall transaction history.

Where the alert context is insufficient to make a determination, the analyst may need to review additional information: the customer's business registration documents, publicly available information about their business, transaction counterparty information, ASIC data for corporate customers. In some cases, additional information may be requested from the customer — though this must be done carefully given the tipping-off prohibition if an SMR has been filed or is being considered.

The investigation outcome is one of: close without action (the transaction is explained by the customer's normal business activities and the alert was a false positive); monitor (the transaction warrants continued attention but is not yet sufficiently suspicious to justify an SMR); escalate to SMR (reasonable grounds to suspect exist and an SMR must be filed).

Every investigation must be documented. The alert record should show: who investigated the alert and when, what information was reviewed, the conclusion reached and the reasoning, and the action taken. Undocumented investigations are as problematic as no investigations — AUSTRAC cannot assess the quality of a monitoring program if the investigations leave no record.

The Tipping-Off Prohibition in Transaction Monitoring

The tipping-off offence under section 123 of the AML/CTF Act prohibits disclosing to any person information that would or could reasonably be expected to prejudice a law enforcement investigation. In the transaction monitoring context, this has important practical implications.

When a transaction monitoring alert leads a compliance analyst to suspect that a customer is engaged in money laundering, the analyst must not ask the customer questions that indicate the customer is under investigation. Asking a customer "why did you deposit $9,800 three times this week?" when the reason for the question is a structuring alert would be tipping off — it tells the customer that their transaction pattern has been identified as suspicious.

This creates a genuine operational challenge. Analysts often need additional information to determine whether an alert is a false positive or genuine suspicious activity. The AML/CTF Rules allow reporting entities to request information from customers in the course of ongoing KYC — for example, for the purpose of updating a periodic review. But requests must not be framed in a way that reveals the existence of an investigation or alert.

The practical guidance is: frame any customer inquiry as a routine KYC or account management matter. "As part of our periodic account review, we'd like to understand the nature of your recent transactions" is acceptable. "We've noticed several transactions just below $10,000 that have triggered our monitoring system" is not.

Where a decision has been made to file an SMR, no further contact with the customer should occur regarding the relevant transactions until the SMR has been filed and AUSTRAC has had the opportunity to act on the intelligence.

Key Takeaways

  • Transaction monitoring is a legal obligation under the AML/CTF Act's ongoing CDD requirements
  • Rules must reflect AUSTRAC-published typologies including structuring, velocity, dormancy-activity, and high-risk jurisdictions
  • Calibration is critical — poorly calibrated rules create alert fatigue and reduce intelligence quality
  • Every alert must be investigated and the investigation documented
  • The tipping-off prohibition means you cannot inform customers that their transactions triggered a monitoring alert
  • AUSTRAC values quality SMRs over volume — a few well-investigated reports beat many poor-quality ones
