Overwhelmed or Empowered?: Rethinking Rule-Based Transaction Monitoring

Wadeeha Jackson

Solutions Architect

Derek McDaniel

Solutions Architect

Background: The Struggle with Transaction Monitoring

Transaction monitoring (TM) has been a thorn in the side of financial institutions for years. How do you catch the most criminal activity, at the lowest cost, at a rate that keeps your investigators from burning out, and in a way that gives you the best picture of what is happening in your institution? Not an easy task.

During a recent conversation between Hummingbird and a longstanding and well-established financial institution, their Chief AML Officer reported that they are moving away from rule-based TM solutions. They are done, the officer said, with rules that trigger alerts based on what the industry has traditionally called red flags. As they report it, their current system is loaded with junk alerts that “[make] analysts numb to suspicious activity” and generate “analyst [alert] fatigue”. The officer found that they could decommission several rules and see little to no effect on the number of Suspicious Activity Reports (SARs) the company filed. This fact was clear proof of ineffective transaction monitoring – a problem that wouldn’t be so pervasive were the system simply capable of generating higher quality alerts.

Or would it? Is the answer really better alerts? Are we even asking the right questions? Let’s back out a bit to see more.

Rule-based transaction monitoring exists to help financial institutions meet their regulatory requirements, because rules can be tailored to the very risk indicators that regulators and examiners are looking for. They are easily produced, repeatable, and auditable. Furthermore, their subsequent alerts fall into generally recognizable patterns, which makes the time to work them easier to calculate. Financial institutions – and particularly compliance departments – love solutions with calculable returns on investment.

Imagining the “Perfect” Transaction Monitoring Solution

Now, let’s imagine for a moment that someone built a TM solution that had a rule for every money laundering and terrorist financing red flag out there. And let’s imagine that those red flags extended across every industry, and that each red flag generated a subsequent alert for review.

What kind of volume of alerting might such a system produce?

Well, let’s consider for a moment just the United States’ financial intelligence unit – the Financial Crimes Enforcement Network (FinCEN). FinCEN has published 185 advisories (excluding alerts, notices, and other differentiated bulletins). Assuming a conservative estimate of 10 red flags per FinCEN advisory, and assuming a 20% loss due to duplicative red flags across advisories, that’s still a minimum of 1,480 potential rules running every hour, of every day, on every transaction, across every customer, at a single financial institution.

This is what a theoretical, peak-performance rule-based TM solution would look like. And it would bury a compliance program.

So while it’s theoretically possible to build a hyper-optimized TM system that captures the bulk of money laundering trends out there, it seems, at the end of the day, like such a system would be ineffective on a practical level. Even the ideal “golden” TM system would still be plagued with unreasonable volumes and false positives, and would still contribute to unhelpful SARs.

It’s worth asking the question then – why is this the case?

The Limitations of a Strictly Rule-Based Approach

In our opinion, not even peak TM solutions can solve these systemic issues, because rule-based TM solutions limit their focus to a single thing: transactions. Rule-based transaction monitoring systems can only generate alerts based on the transactions that fit their logic. They cannot adapt to nuances, they do not account for context, and they have to be constantly updated, monitored for effectiveness, and deprecated as needed. In short, rule-based TM solutions are rigid – they lack the ability to contextualize. The system’s logic has no way to differentiate between a pizza delivery worker receiving out-of-state drug money and a college kid far from home receiving support money from concerned relatives.

Furthermore, rule-based TM solutions only highlight a single financial crime indicator. This means that, left untrained, investigators are at risk of developing the bad habit of only investigating single-issue trends; they’ll never level up their skills beyond the intelligence granted by the alert. With transaction monitoring rules capturing simple or single-increment money laundering trends, this means investigators are more likely to miss more sophisticated money laundering schemes. A good investigator looks at the alert and digs deeper. But a highly stressed and pressured investigator will necessarily seek out the shortest route to a determination, generally a suspicious one, because it’s easier to call something suspicious than to justify why it’s not. This means falling back on simple alert intelligence, and producing SARs that are limited in their utility to law enforcement.

The Stats Tell the Story

There’s ample evidence to support this thesis. Let’s look at some FinCEN SAR stats by way of example. In 2022, just over 2.9M SARs were filed by financial institutions. Of those 2.9M, 1.4M listed a filing reason related to anti-money laundering efforts. Keeping in mind that SARs can contain more than one filing reason, almost all of those 1.4M anti-money laundering SARs explained their creation by way of the same four reasons: 1.) suspicious source of funds, 2.) suspicious EFT/wires, 3.) out of pattern transactions, and/or 4.) transactions with no apparent economic, business, or lawful purpose.

That’s right – the same four reasons are listed as rationale for the vast majority of money laundering linked SARs filed in 2022. What’s more, it’s important to note that these are all reasons that any rule-based TM system would be able to flag with little input from a human. Given the sheer number of SARs involved (as well as the financial institutions they represent), you would think that there would be a greater variety and specificity explaining why these reports were filed. After all, we talk all the time about the endless ways and means criminals use to attempt to launder illicit funds through the financial system. Yet less than 1% of all SARs filed in 2022 were given more specific, more actionable labels, such as bribery/gratuity/corruption, embezzlement or related theft, human smuggling, human trafficking, etc.

Surely there must be more than four standard approaches being caught in our net. If our SARs aren’t capable of providing more basic detail on these suspicious activities, what value does the human intelligence involved provide?

Perhaps not as much as you might have hoped.

An Overwhelmed, Not Irresponsible, Investigator

It’s important to note that these SARs are not being filed by bad investigators. They are being filed by overwhelmed investigators at the mercy of rule-based TM systems designed to spit out the lowest common denominator of unusual activity, pumping out red flags like an out-of-control tennis ball machine.

It’s an unfortunate truth that the combination of unmanageable alert volumes and constant pressure to reduce backlogs teaches investigators to prioritize expediency over accuracy. It’s what creates alert fatigue, and diminishes their ability to make nuanced – but all-important – distinctions in activity. It’s a huge problem, because if all we needed were indicators, then there would be no need for investigators.

Yet we know these two things to be true: that there must be a human-in-the-loop for quality compliance work, and that investigators need something automated to tell them where to find unusual activity.

A New Approach to Transaction Monitoring

It’s out of the struggle to bring these two forces into balance that customer-centric transaction monitoring (also known as behavioral transaction monitoring) has emerged.

This approach focuses on understanding the typical behavior of individual customers or customer segments. Instead of simply inserting a hard-and-fast, universally applied “rule,” it establishes a baseline for normal behavior and then identifies deviations from that baseline, which may indicate suspicious activity.

By understanding the typical behavior of customers, this approach helps reduce false positives, as it considers context and historical patterns. Additionally, with customer-centric monitoring, it becomes more possible to identify money laundering networks without consuming extensive investigator resources on the front-end. When the behavior of a group of individuals and businesses deviates from the norm, and those individuals and businesses are linked by shared transactions, a financial institution can form a reasonable belief that they may have a money laundering network. And while implementing customer-based monitoring requires more continuous monitoring than traditional, rule-based methods, a hybrid approach – one that combines elements of both customer-based and rule-based monitoring systems – can optimize a compliance program by capitalizing on the strengths of each.
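An added example, not part of the original post and not Hummingbird's code, of the contrast described above: a universal amount rule next to a per-customer baseline, followed by grouping the deviating customers that are linked by shared transactions. The customer names, amounts, the 1000 threshold and the cut-off `k` are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: prior inbound transfer amounts per customer.
HISTORY = {
    "student": [900, 1100, 1000, 950, 1050],  # regular family support
    "courier": [40, 55, 35, 60, 45],          # small wages and tips
    "shop_a":  [200, 220, 180, 210, 190],
    "shop_b":  [300, 310, 290, 305, 295],
}
# Constructed new transactions: (sender, receiver, amount).
NEW_TXNS = [
    ("relative", "student", 1000),
    ("acct_x", "courier", 1000),
    ("acct_x", "shop_a", 2500),
    ("shop_a", "shop_b", 2400),
]

def static_rule(txns, threshold=1000):
    """Universal rule: flag every transfer at or above one fixed amount."""
    return [t for t in txns if t[2] >= threshold]

def deviates(history, amount, k=5.0):
    """Robust z-score of amount against the customer's own median and MAD."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid divide-by-zero
    return abs(amount - med) / (1.4826 * mad) > k

def behavioral_alerts(txns, history):
    """Flag only transfers that deviate from the receiver's own baseline."""
    return [t for t in txns if t[1] in history and deviates(history[t[1]], t[2])]

def linked_groups(alerts):
    """Union-find over alerted transfers: deviating customers that share
    a transaction or a counterparty end up in the same group."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for sender, receiver, _ in alerts:
        parent[find(sender)] = find(receiver)
    groups = defaultdict(set)
    for customer in {t[1] for t in alerts}:
        groups[find(customer)].add(customer)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

On this data the fixed rule flags all four transfers, including the student's routine support payment, while the baseline check flags three and the linkage step places those three customers in one candidate group for a single investigation.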


At the beginning of this post, we recounted a recent conversation we’d had with a longstanding financial institution. The Chief AML Officer had expressed their frustration with transaction monitoring systems. As a business, they are now moving to a hybrid approach – pairing a TM solution with a program designed to continuously assess and reassess customer-focused risk. With the analysis and insights this program provides, the compliance team creates targeted monitoring based on monitoring and verified customer activity, rather than relying on the yes/no boilerplate of rules engines.

As a compliance platform designed for modular interoperability, Hummingbird shines as a central hub for integrated systems such as the one described above. Our automations can take the raw outputs of traditional rule-based TM alerts, and create something more intelligent. Our programmable workflows use constant validation checks to keep investigators from the mind-numbing task of cross-checking actions against procedures. We help teams derive insights faster and allow investigators to pursue cases more efficiently (and with fresher minds!) through our toolbox integrations.

The life of an investigator is never easy – the search for suspicious activity requires constant vigilance. But tools and methods should empower the work, not inhibit it. We believe that, just as there are new and better ways of doing things (such as transaction monitoring), there are new and better tools out there helping support the all-important work of fighting financial crime.
