AML Transaction Monitoring in 2026: Technology, Rules, and Regulatory Expectations

Transaction monitoring is the operational core of AML compliance. KYC gets you the customer profile. Sanctions screening catches known bad actors. But transaction monitoring is what catches the unknown — the patterns of behaviour that indicate money laundering, terrorist financing, or other financial crime that wouldn't be apparent from a single transaction or a customer's onboarding documents.

This guide covers how banks and fintechs should architect their TM systems in 2026, what regulators expect, and where the most common failures occur.

TM System Architecture: Rules vs Machine Learning

Rule-Based Systems

Traditional TM systems operate on predefined rules — if-then logic that generates alerts when transaction patterns match suspicious criteria. Common rule types include:

• Threshold rules: Transactions above a specified amount (e.g., cash deposits exceeding €15,000, wire transfers above €50,000 to high-risk jurisdictions)
• Velocity rules: Multiple transactions within a time window (e.g., more than 5 cash deposits in 7 days, rapid movement of funds through multiple accounts within 24 hours)
• Structuring detection: Transactions just below reporting thresholds (e.g., multiple deposits of €9,900 to avoid the €10,000 CTR threshold)
• Behavioural deviation: Activity inconsistent with the customer's profile (e.g., a retail customer suddenly receiving wire transfers from shell companies in high-risk jurisdictions)
• Network rules: Circular fund flows, rapid pass-through transactions, or counterparty patterns suggesting layering

Rule-based systems are well-understood, auditable, and explainable — regulators can review the rules and understand why an alert was generated. The limitation is that they only detect patterns you've explicitly defined. Novel laundering typologies that don't match existing rules go undetected.

Machine Learning Models

ML-based TM systems use algorithms to identify anomalous patterns without predefined rules. Common approaches include:

• Supervised learning: Models trained on historical SAR data to predict which transactions are likely suspicious. Requires labelled training data (known suspicious vs. known legitimate transactions).
• Unsupervised learning: Anomaly detection models that identify outlier behaviour without training labels. Useful for detecting previously unknown typologies.
• Graph/network analysis: Models that analyse transaction networks to identify suspicious structures — circular flows, rapid fan-out/fan-in patterns, community detection in transaction graphs.
• NLP for SAR narrative analysis: Natural language processing applied to SAR narratives and case notes to identify patterns and improve typology coverage.

The EBA and FATF have both endorsed the use of ML in TM, with caveats: ML models must be explainable (the compliance officer must understand why a specific alert was generated), validated (backtested against known outcomes), and governed under the firm's model risk management framework. The EU AI Act adds a further layer — AML TM models used in law enforcement contexts may qualify as high-risk AI systems under Annex III.

Alert-to-SAR Conversion: The Key Metric

The alert-to-SAR conversion rate — the percentage of TM alerts that result in a SAR filing — is the most scrutinised TM metric. Industry benchmarks vary by institution size and risk profile, but generally:

A very high conversion rate can be as problematic as a very low one — it may indicate that the TM system is only catching obvious cases while missing more subtle patterns. Regulators look for a reasonable rate accompanied by evidence that the system's typology coverage is adequate.

Tuning Methodology

TM systems require ongoing tuning — adjusting thresholds, adding new rules, refining ML model parameters, and retiring ineffective scenarios. A robust tuning methodology includes:

• Above-the-line testing: Analysis of alerts generated to assess false positive rates, detection effectiveness, and alert quality by scenario
• Below-the-line testing: Analysis of transactions that did not generate alerts to assess whether the system is missing suspicious activity (false negatives). This typically involves sampling non-alerted transactions and reviewing them for potential suspicion indicators.
• Threshold optimization: Statistical analysis to determine optimal thresholds that balance detection sensitivity with false positive rates
• Typology gap assessment: Regular review of FATF typology reports, FIU publications, and internal SAR data to identify laundering patterns not covered by existing rules
• Tuning governance: Formal approval process for threshold changes, with documented rationale, impact analysis, and post-change monitoring

AMLA: The New EU AML Authority

The EU Anti-Money Laundering Authority (AMLA), established under the 2024 EU AML Package, became operational in mid-2025 with its seat in Frankfurt. AMLA's mandate includes direct supervision of a select number of high-risk obliged entities (initially 40 institutions across the EU), development of binding regulatory technical standards for AML/CFT compliance, and coordination of national FIUs and AML supervisors.

For transaction monitoring specifically, AMLA is expected to publish harmonised guidance on TM system requirements, minimum typology coverage expectations, and SAR quality standards. This will create a single supervisory standard across the EU — replacing the current patchwork of national approaches.

SAR Quality: What FIUs Actually Want

Filing a SAR is not the end of the process — it's the beginning of law enforcement's process. FIUs have consistently flagged poor SAR quality as a systemic problem. High-quality SARs include: a clear narrative explaining why the activity is suspicious (not just "unusual transaction"), specific details (dates, amounts, counterparties, account numbers), the customer's profile and how the activity deviates from expected behaviour, links to other suspicious activity or customers, and supporting documentation (transaction records, KYC documents, correspondence).

2026 Enforcement Trends

AML enforcement in 2026 is characterised by several trends:

• TM adequacy enforcement: Regulators are increasingly fining institutions not for the absence of TM, but for TM systems that don't work effectively — stale rules, poor tuning, excessive false positives masking real suspicious activity
• De-risking scrutiny: FATF continues to monitor de-risking (terminating relationships with entire categories of customers or jurisdictions) as a compliance shortcut that undermines financial inclusion. TM systems must be sophisticated enough to manage risk without wholesale exclusion.
• FATF grey list impact: Countries on the FATF grey list face enhanced scrutiny. Financial institutions with significant exposure to grey-listed jurisdictions must demonstrate enhanced TM capabilities for those transaction flows.
• Crypto-fiat interfaces: TM systems must now cover crypto-fiat transaction flows — on-ramp and off-ramp activity, exchange interactions, and DeFi protocol interactions where applicable.

"The purpose of transaction monitoring is not to generate alerts. It's to detect financial crime. If your TM system generates 50,000 alerts per month and your team can only investigate 5,000, you don't have a detection system — you have a lottery."

For related compliance topics, see our guides on sanctions compliance, crypto AML, ISO 31000 risk management, and the RegTech vendor selection guide for TM platform evaluation.