
Risk-based transaction monitoring

Terri Luttrell, CAMS-Audit, CFCS
September 13, 2022

How to balance AML priorities 

Transaction monitoring is a critical component of a strong BSA program, and a risk-based approach will allow for the best use of valuable resources.




Risk-based approach

Transaction monitoring: a BSA/AML cornerstone

In an economic and regulatory environment where compliance resources and budgets are stretched thin, financial institutions must carefully evaluate their priorities when it comes to their BSA/AML program. Currency transaction reports, enhanced due diligence reviews, board reporting, and suspicious activity monitoring are just a few of a BSA team’s responsibilities. All requirements of a risk-based BSA program are crucial to the safety and soundness of your institution, so what should banks and credit unions prioritize when resources are strained? 

Suspicious activity monitoring is the cornerstone of a strong BSA/AML reporting system. As stated by the Federal Financial Institutions Examination Council (FFIEC), transaction monitoring and reporting are critical to the United States’ ability to combat financial crime. Suspicious activity reports (SARs) assist law enforcement in deterring illegal activity, but financial institutions may wonder whether they are expected to detect and examine every unusual transaction that comes through their doors.  

The Financial Crimes Enforcement Network (FinCEN) and federal bank examiners understand that financial institutions can't detect all suspicious transactions, but solid policies, procedures, and processes must be in place to monitor higher-risk products, services, customers, entities, and geographies. This means that financial institutions’ suspicious activity monitoring systems must be risk-based and efficient.

Individualized programs

Regulatory clarification on risk-based transaction monitoring

The risk-based focus is not a new philosophy, having long appeared in the FFIEC Exam Manual. In July 2019, regulatory bodies reinforced this idea in a joint statement that validated examiners’ use of tailored pre-examination request lists based on each bank’s risk profile, complexity, and planned examination scope. This is a powerful message to financial institutions for several reasons. The statement: 

  • recognizes the regulatory exam burden for financial institutions, 
  • emphasizes an individualized risk-focused approach for exams, and 
  • refocuses the regulatory agencies to consider banks’ unique risk profiles.


The statement also stresses that within an institution’s transaction monitoring processes: 

  • Scenario optimization should be risk-focused 
  • Riskier typologies should alert to tighter parameters 
  • Acceptance of certain risks should be accounted for and documented within policies and procedures 
  • Proper monitoring will validate the institution’s risk profile 


In July 2022, the FFIEC released a second joint statement emphasizing the risk-based approach to assessing customer relationships and customer due diligence. The statement reminds financial institutions that no customer type presents a single, uniform level of risk related to money laundering or terrorist financing. Without flexible transaction monitoring, a risk-based approach to CDD cannot be fully accomplished.   

Financial institutions have unique risks based on several factors, including size, customer profiles, and geographical locations. Suspicious activity monitoring is not one-size-fits-all. The institution’s risk assessment should be used as a road map of where the risks lie and where more resources such as software should be used. 

Remember, however, that a BSA department must have adequate staff as supported by an institution’s risk assessment. Examiners are not likely to accept slow investigations or late SARs due to budgetary constraints. FinCEN issued a Civil Money Penalty of $185 million to U.S. Bank for several BSA violations, including inadequate resources and “capping” of the number of alerts generated by the bank’s AML software. Recently, the cases of First IC Bank in Georgia and Oxford University Bank in Mississippi emphasize the continuing need for a strong culture of compliance, including the need for adequate risk-based transaction monitoring. 

If your financial institution does not have a supportive culture of compliance at the executive and senior management levels, it may be time to share these assessments and consent orders and encourage a change. If staffing is the more pressing issue, consider short- or long-term staffing relief to ensure that your bank or credit union has the bandwidth to carry out its risk-based BSA initiatives.


Sophisticated measures

Technological advances in transaction monitoring

System optimization, or parameter tuning, is critical for BSA/AML software to remain risk-based. Smaller institutions may be able to provide sound transaction monitoring with manual processes, while larger institutions may use a hybrid approach to suspicious activity monitoring. The FFIEC BSA Examination Manual agrees that the sophistication of monitoring systems should be dictated by institutions’ risk profiles. Several methods for initial identification of unusual activity may be used by financial institutions including:  

  • Employee identification (particularly front-line staff) 
  • Law enforcement requests (i.e., grand jury subpoenas and National Security Letters)
  • Information Sharing 314(b) requests 
  • Manual review of internal reports for unusual transaction activity  


In addition to the manual identification processes, surveillance monitoring by automated AML systems is becoming the expected norm for medium to large institutions. Another statement issued by FinCEN and the federal banking agencies encourages financial institutions to use innovative approaches to combating money laundering and terrorist financing, and artificial intelligence is one innovative alternative that is top of mind. Banks and credit unions are starting to use artificial intelligence, particularly machine learning, to streamline processes and manage compliance risks. 

After assessing a bank or credit union’s risk, BSA officers should develop procedures and tune their programs to support higher-risk products, services, customers, and geographies. Decide collectively with the Board of Directors and executive management what level of risk the institution is willing to accept. Be sure to document these decisions, which should be defended and supported by data used within the risk assessment. When the institution’s next examination time comes, be prepared with sufficient supporting documentation for risk-based decisions. Whether they are using AI, software, manual procedures, or a hybrid of methods, BSA professionals can look to regulatory guidance to prioritize areas of risk, use their resources wisely, and mitigate financial crime. 

About the Author

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.

