Your business must have an appropriate risk-based transaction monitoring program to help your employees identify suspicious behaviours and transactions and to take steps to protect your business and customers.

A transaction monitoring program is integral to the effectiveness of your AML/CTF compliance because it helps your business to: 

• Identify, mitigate and manage money laundering and terrorism financing (ML/TF) risks. 
• Identify and report suspicious matters to AUSTRAC.
• Meet your ongoing customer due diligence (OCDD) and enhanced customer due diligence (ECDD) obligations. 

You must document how you monitor customer transactions in Part A of your AML/CTF program. Your transaction monitoring program must be based on your risk assessment of your business and define the processes you follow to identify suspicious customer transactions, including:

• unusually large transactions
• complex transactions
• the splitting of transactions to avoid TTR reporting obligations, known as ‘structuring’
• unexpected patterns of transactions that don’t seem to have a legitimate purpose.

How you monitor transactions and develop your program depends on the size of your business and your level of assessed ML/TF risk. Depending on the type, size and complexity of your business, your transaction monitoring program can be manual or automated. You should allocate appropriate resources and give priority to analysing and actioning alerts raised by transaction monitoring.

AUSTRAC expects that your transaction monitoring program has a proper governance framework and oversight with effective, sustainable and repeatable processes and controls. The transaction monitoring program must also be subject to regular independent review to ensure it remains appropriate and is used effectively.

Your transaction monitoring program

Your transaction monitoring program should:

• define the processes you follow to identify suspicious customer transactions
• document the systems, controls and procedures that mitigate and manage your ML/TF risks  
• capture all sources of customer and transaction data or information 
• set out systems and controls that trigger alerts for further review such as:
  • size, frequency or patterns of transactions that may indicate unusual or suspicious activity, including suspected fraud or identity theft
  • transactions that are sent to or received from a high-risk country or region
  • structuring of transactions to avoid TTR reporting obligations
  • payments that are sent to or received from a person or organisation on a sanctions list
  • activities that may be inconsistent with a customer's risk profile or history
  • increased monitoring of higher risk customers previously suspected of or investigated for potentially suspicious activity
  • other unexpected account activity from a customer which may indicate money laundering or terrorism financing
• implement processes to consistently review and manage the internal escalation and investigation of alerts
• prioritise alerts according to the level of risk
• document processes to consistently manage the reporting of potentially suspicious matters
• detail sufficient assurance processes to review the management of alerts
• continually monitor transactions across all levels of your business (not just by branch or venue)
• document processes with enough detail to be consistently applied
• document and audit any automated transaction monitoring processes.

How your processes work together to understand your customer’s ML/TF risk profile

You must use your information sources and processes to monitor the services you are providing to customers to identify, mitigate and manage ML/TF risks.

Applicable customer identification procedures (ACIP), transaction monitoring, ECDD, reporting and other information all contribute to a better understanding of your customers. Your processes and information sources must contribute to a single understanding of the customer and their risk profile, rather than operate or exist independently.

Transaction monitoring alerts must be considered against the customer’s history, including any information from law enforcement. You must ensure there is a central or accessible customer history for customer due diligence purposes.

For example, different teams in your business might hold information about a customer’s suspected connections to terrorism, transaction monitoring alerts, suspicious activity on the customer’s account and information from law enforcement about this customer.

You must have systems and controls in place so your business is able to easily and quickly combine this information, to give a comprehensive view of the customer’s ML/TF risks.

Review and assurance of your transaction monitoring program

Your transaction monitoring program must be applied to all designated services at all times. This means that you must implement risk-based systems and controls to monitor the transactions of your customers. Your transaction monitoring program must be supported by appropriate accountability and be regularly reviewed, to confirm that:

• processes are in place to make certain no disruptions to downstream AML/CTF processes occur when any changes are made to systems
• all systems changes that may potentially affect AML/CTF compliance require approval by relevant accountable senior management 
• all assurance processes are in place and AML/CTF processes are fully documented and mapped.

Transaction monitoring must be periodically reviewed to ensure it is operating as intended. Reviews must confirm that transaction monitoring is based on complete data, transaction monitoring rules remain appropriate and current and the program is used effectively. Automated transaction monitoring systems and program alerts need to incorporate any new methodologies, typologies or crime types.

Resolving any system issues must also receive adequate resourcing and priority. This should also be addressed from the time the failure or breakdown was identified to cover all past transactions.

Any problems identified must be addressed promptly. Failure to monitor transactions can have serious flow-on effects to other AML/CTF processes such as SMR reporting, conducting ECDD and the ongoing identification of ML/TF risks. 

Example 1: Identifying high-risk transactions across a network

SavingsBank provides financial services products to a large portfolio of customers. 

SavingsBank has a transaction monitoring program that monitors all customers to flag various behaviours. The flagged customer behaviours are linked to risks that were identified when SavingsBank recently updated their ML/TF risk assessment.

A criminal network uses the bank to facilitate their activities

Unbeknown to SavingsBank, a network of 12 criminals open new accounts with them. The criminals plan to receive a transfer of funds into their accounts, wait several days, and then transfer the funds to multiple overseas accounts.

SavingsBank’s risk assessment identified the overseas jurisdiction as high risk. As a result, they created alerts in their transaction monitoring program to flag individual customers transferring greater than $5,000 in a single transaction, or greater than $20,000 over a 28 day period, to that jurisdiction.

In an attempt to avoid detection, the criminals move no more than a total of $15,000 per month in small batches to the high risk jurisdiction. After several weeks, two members of the criminal network became more brazen and each transfer the full amount of $15,000 in one transaction.

Alerts are triggered in SavingsBank’s transaction monitoring program

This triggers an alert on SavingsBank’s transaction monitoring program, and following a further review, two SMRs were provided to AUSTRAC. However, the transaction monitoring program failed to identify patterns across the full criminal network’s activity.

Law enforcement had an interest in the network and after receiving the two SMRs, serves a notice on SavingsBank for further information. On examining the additional customers, SavingsBank were able to see the full activity of the network. As a result, SavingsBank provided a series of SMRs to AUSTRAC.

Addressing the limitations of SavingsBank’s transaction monitoring program

In this case, SavingsBank’s transaction monitoring program was limited to the risks posed by the individual customers transferring funds to the high risk jurisdiction and was not adequately identifying multiple customers sending funds to the same beneficiary or increasing frequency of transactions to the jurisdiction. It was unable to identify patterns across the network, which could have been revealed, for example, if the transaction monitoring program had been set up to appropriately deal with the risk that the jurisdiction presented.

As a result, SavingsBank reviewed the capabilities of their transaction monitoring program and made changes to ensure it was identifying patterns of behaviour not just at the individual level, but also at a business level.

Example 2: Identifying structuring using transaction monitoring

SavingsBank provides a range of products and services to a large customer base. Their transaction monitoring program monitors all customers to flag various behaviours, including structuring. The flagged behaviours are linked to risks identified in their ML/TF risk assessment.

A customer attends a branch to make a series of cash deposits into their personal account over two days:

• Monday – deposited cash of $7,500.
• Tuesday – deposited cash of $5,400 at 10:15 AM and returned later that day at 3 PM to make a further cash deposit of $6,000.

These transactions trigger a monitoring alert, which is reviewed to establish further information about the customer, including their transaction history. SavingsBank deems that these transactions could indicate structuring. SavingsBank undertakes enhanced customer due diligence and submits a suspicious matter report to AUSTRAC. 

The review also identifies a series of business accounts where the customer is a signatory. SavingsBank flags both the personal and business accounts for increased monitoring. 

The following Wednesday, the customer returns to the same branch and makes two further cash deposits of $8,000 and $4,000 respectively into two of these business accounts. 

SavingsBank’s transaction monitoring systems trigger an alert for these two transactions and a further review is conducted, which includes linking the previous week’s deposits by the customer. SavingsBank deems that these transactions are also suspected of involving structuring to avoid TTR reporting and undertakes enhanced customer due diligence on these accounts. SavingsBank submits a further suspicious matter report to AUSTRAC.