← Blog · Compliance
Transaction Monitoring: Tuning Rules to Reduce Alert Noise

Transaction monitoring is where a KYC program earns its keep after onboarding. The problem is scale: a mid-sized fintech can generate tens of thousands of alerts a month, and industry surveys routinely put false-positive rates above 90%. When analysts spend most of their time clearing noise, genuine suspicious activity slips through. Tuning is not a one-time project — it is an ongoing discipline that connects your customer risk data to the behavior you actually observe.
Start With Scenarios, Not Thresholds
A scenario describes a pattern of behavior you want to detect; a threshold is the numeric boundary that triggers it. Teams often invert this and start with round numbers pulled from a vendor template. Instead, define the typology first, then derive parameters from your own data.
- Structuring: multiple deposits just under a reporting threshold within a rolling window.
- Rapid movement: funds in and out within 24–72 hours with little balance retained.
- Dormancy reactivation: an account inactive for 6+ months that suddenly transacts at high volume.
- Peer deviation: activity that is 3x the median for the customer's segment.
Each scenario should map to a specific risk you have documented — sanctions evasion, mule networks, layering. If you cannot name the risk, you probably do not need the rule.
Calibrate Against Your Own Baseline
Effective thresholds come from segmentation. A remittance sender moving $400 weekly and a corporate treasury account moving $2M weekly should not share the same rule. Group customers by risk rating, product, geography, and expected activity captured at onboarding, then set thresholds per segment.
Run any proposed change against 3–6 months of historical data before deploying it. This above-the-line and below-the-line testing shows two things: how many alerts a new threshold would have generated, and how many previously cleared transactions a tighter setting would have caught. Document both the tested parameters and the rationale — examiners expect to see that thresholds were chosen deliberately, not left at defaults.
The quality of monitoring depends on the quality of the expected-activity data you collected. If onboarding captured a customer's anticipated volume, income source, and purpose, deviation rules have a reference point. Chat-based onboarding helps here: a structured conversation can record expected monthly turnover and counterparties as discrete fields rather than free text, giving the monitoring engine cleaner inputs and fewer spurious deviation alerts.
Build a Triage Model That Prioritizes
Not every alert deserves equal attention. A risk-based triage layer scores alerts so analysts work the highest-probability cases first.
- Weight alerts by customer risk rating and the number of scenarios triggered simultaneously.
- Auto-close low-value alerts that meet documented, tested criteria — with a full audit trail.
- Route high-risk hits to senior analysts and set service-level targets for review.
- Track disposition codes so you can measure which scenarios produce actionable SARs.
The metric that matters most is your conversion rate: alerts that become filed reports divided by total alerts. A scenario producing 2,000 alerts and zero reports over two quarters is a candidate for retuning or retirement, not an asset.
Govern, Document, and Retest
Tuning decisions must be governed like any control change. Maintain a model risk framework that records who proposed a threshold, what data supported it, who approved it, and when it takes effect. Review scenarios at least annually, and sooner when you launch a product, enter a market, or see a new typology in screening and monitoring output.
Retain the underlying transaction and alert data long enough to satisfy your regulator's recordkeeping period — commonly five years — but no longer than necessary, and apply access controls and encryption at rest. Configurable retention lets you honor investigation needs and privacy obligations at the same time. Well-tuned monitoring is not about generating fewer alerts for its own sake; it is about spending analyst hours where the real risk lives, and being able to prove why.
General information, not legal advice. Talk to your compliance counsel for guidance on your specific obligations.