Banking Regulation

Transaction Monitoring Systems for High-Risk Payment Firms: Technology, Thresholds, and Escalation

March 2026 · 9 min read

Transaction monitoring is one of the most operationally intensive elements of AML compliance at a payment firm, and one of the most frequently criticised in FCA supervisory reviews. The challenge is not simply having a system — it is having a system calibrated appropriately for the firm's specific risk profile, with alert management processes that actually lead to timely, well-documented decisions. For high-risk payment firms serving iGaming, crypto, or FX broker clients, the bar is significantly higher than for standard retail payment businesses.

The Regulatory Basis

Regulation 19 of MLR 2017 requires payment firms to establish and maintain policies, controls, and procedures to identify and scrutinise unusual or complex transactions, including unusual patterns of transactions and transactions with no apparent economic purpose. This obligation translates in practice into an automated or semi-automated transaction monitoring system, calibrated against the firm's risk-based approach and updated regularly.

The FCA's Financial Crime Guide (FCG 3.2) provides further detail, noting that firms should have systems that monitor customer transactions on an ongoing basis, identify transactions inconsistent with the customer's profile, and generate alerts for human review. Critically, the FCA expects these systems to be proportionate to the firm's size, complexity, and risk profile — but it also expects high-risk firms to invest commensurately in sophisticated monitoring capability.

Technology Options

For most payment firms, transaction monitoring falls into one of three categories: rules-based systems, machine learning-based systems, or hybrid approaches.

Rules-Based Systems

Rules-based systems apply logical filters to transaction data — for example, flagging transactions above a defined threshold, or patterns such as round-number transactions, structuring below reporting limits, or unusual geographic combinations. Tools such as FICO TONBELLER, Actimize, or Oracle FCCM operate primarily in this mode. The advantage is auditability: every alert can be traced to a specific rule, which makes compliance documentation straightforward. The disadvantage is brittleness — rules must be manually updated as criminal typologies evolve, and sophisticated actors can learn to stay below rule thresholds.

Machine Learning Systems

ML-based systems analyse large datasets to identify anomalous patterns that may not correspond to any pre-defined rule. Vendors such as DataVisor, Feedzai, and Featurespace operate in this space. These systems can be highly effective at detecting novel typologies and reduce false positive rates compared to pure rules-based systems. However, they introduce explainability challenges — the FCA expects firms to be able to explain why a particular alert was generated and why a decision to file or not file a SAR was reached. Black-box ML outputs are increasingly scrutinised in supervisory reviews.

Hybrid Approaches

Most mature payment firms use a hybrid: rules-based monitoring for known typologies (sanctions hits, structuring, threshold-based alerts) supplemented by ML-based anomaly detection for pattern discovery. This provides both auditability and adaptability.

Threshold Calibration for High-Risk Firms

The calibration of monitoring thresholds is where many high-risk payment firms fail. There is no single correct threshold — it depends on the firm's client base, transaction volumes, and risk profile. For a payment firm serving iGaming operators processing thousands of transactions daily, a threshold of £10,000 per transaction may generate unmanageable alert volumes while missing structuring below that level. Equally, setting thresholds too low generates alert fatigue, where compliance staff dismiss alerts without adequate investigation because volumes are unmanageable.

The FCA expects firms to document their threshold rationale and review it at least annually, and whenever there is a material change to the client base or transaction mix. The firm should be able to demonstrate that threshold calibration has been informed by its ML or statistical analysis, not simply by what is operationally convenient.
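
Added example (not from the original article or any vendor product): a minimal rules-based monitor showing why the £10,000 per-transaction threshold discussed above misses structuring, and how a rolling aggregate rule catches it while every alert stays traceable to a rule ID and its evidence. The 24-hour window, the minimum count of three, the rule names and the sample transactions are constructed assumptions, not recommended calibrations.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed parameters for illustration; a firm derives and documents its own.
SINGLE_TXN_LIMIT = Decimal("10000")  # per-transaction threshold used in the text
WINDOW = timedelta(hours=24)         # hypothetical aggregation window
MIN_COUNT = 3                        # hypothetical minimum payments for a pattern

def monitor(transactions):
    """Return alerts, each naming the rule that fired and the transactions behind it."""
    alerts = []
    recent = defaultdict(deque)  # customer -> sub-threshold payments still in window
    for t in sorted(transactions, key=lambda x: x["ts"]):
        if t["amount"] >= SINGLE_TXN_LIMIT:
            alerts.append({"rule": "R1_SINGLE_OVER_LIMIT", "customer": t["customer"],
                           "evidence": [t["id"]], "total": t["amount"]})
            continue
        window = recent[t["customer"]]
        window.append(t)
        while t["ts"] - window[0]["ts"] > WINDOW:  # drop payments older than the window
            window.popleft()
        total = sum(x["amount"] for x in window)
        if len(window) >= MIN_COUNT and total >= SINGLE_TXN_LIMIT:
            alerts.append({"rule": "R2_STRUCTURING_AGGREGATE", "customer": t["customer"],
                           "evidence": [x["id"] for x in window], "total": total})
            window.clear()  # do not re-alert on the same evidence
    return alerts

BASE = datetime(2026, 3, 2, 9, 0)

def txn(id_, customer, hours, amount):
    return {"id": id_, "customer": customer,
            "ts": BASE + timedelta(hours=hours), "amount": Decimal(amount)}

# Constructed sample data: C1 splits 11,600 into four payments within six hours,
# C2 makes one payment over the limit, C3 makes the same four payments 30 hours apart.
SAMPLE = [
    txn("T1", "C1", 0, "2900"), txn("T2", "C1", 2, "2900"),
    txn("T3", "C1", 4, "2900"), txn("T4", "C1", 6, "2900"),
    txn("T5", "C2", 1, "12500"),
    txn("T6", "C3", 0, "2900"), txn("T7", "C3", 30, "2900"),
    txn("T8", "C3", 60, "2900"), txn("T9", "C3", 90, "2900"),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE):
        print(alert["rule"], alert["customer"], alert["evidence"], alert["total"])
```

The same assertions used to check this block double as a scenario test: a known typology is replayed against the current rule configuration and the expected alert is confirmed.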

Alert Management and Escalation

An alert management process must have defined SLAs — how quickly must an alert be reviewed by a first-line analyst; how quickly must an escalation reach the MLRO; and how quickly must a SAR decision be made. The FCA expects SARs to be filed promptly — the NCA guidance suggests filing within 7 days of suspicion forming, with immediate consent requests where the transaction has not yet been processed.

Alert disposition records are critical. For every alert that is closed without escalation, there must be a documented rationale. For every escalation that does not result in a SAR, there must be a documented explanation signed off by a suitably senior person. The FCA has criticised firms where alert closures are cursory or lack evidential basis.

Blockchain Analytics Integration

For payment firms with crypto exposure — either directly or through clients converting crypto to fiat — transaction monitoring must include blockchain analytics. Tools such as Chainalysis KYT, Elliptic Navigator, or TRM Labs provide transaction-level risk scoring for on-chain activity. These scores should feed into the firm's alert management process, not sit in a separate system. A crypto-to-fiat conversion that scores high risk on Chainalysis KYT but does not trigger an alert in the firm's core transaction monitoring system represents a significant control gap.

Testing and Validation

The FCA expects transaction monitoring systems to be tested regularly, including through scenario testing — confirming that known typologies would be detected by current rule configurations. Annual testing documentation, including the scenarios tested and results, should be retained and available for supervisory review. Firms that cannot demonstrate their system would have detected published financial crime typologies are at significant regulatory risk.
