AML transaction
monitoring

Monitoring is where the AML framework most often exists on paper but not in practice, and it is exactly what the SRO auditor tests hardest. It means watching activity against the onboarding baseline on risk-based rules, then resolving every flag through a clarification routine into either a cleared file or an MROS report. We design the rules to your risk and build the routine that makes monitoring genuinely function.

Marcus AltenburgMarcus Altenburg, Managing Partner Published Updated
At a glance

Every flag resolved — cleared or reported.

Risk-based rules, real clarification, documented conclusions.

Basis
Risk-based, against onboarding profile
Each alert
Clarified, then cleared or escalated
Escalation
MROS where suspicion remains
Record
Documented conclusion every time
Tested by
The SRO auditor, hardest
From alert to conclusion
The essentials

What transaction monitoring requires

Under the Anti-Money Laundering Act, a financial intermediary must monitor client activity for transactions that are unusual or potentially linked to money laundering. Monitoring runs on risk-based rules that flag activity against the onboarding profile, and a routine that clarifies each flag and resolves it: cleared with a documented explanation, or escalated to MROS where suspicion remains. It is live oversight, not a static file, and it is the part of the framework auditors test most rigorously.

Who this is for

  • financial intermediaries subject to ongoing monitoring duties;
  • firms whose monitoring exists on paper but not in practice;
  • businesses drowning in false positives or generating no alerts;
  • intermediaries that have had monitoring findings at audit.

Where it fits

Monitoring reads from the onboarding baseline, runs under the policy framework, and its quality is judged at the SRO audit.

The routine

From alert to conclusion

Every flag has to reach a documented end. The routine is what an auditor traces to decide whether monitoring is genuine or decorative.

The alert-resolution routine (Switzerland, as of June 2026).
StageWhat happens
FlagRisk-based rule alerts on unusual activity
ClarifyExplanation sought from client or file
ClearDocumented if the explanation holds
EscalateTo MROS if suspicion remains

The failure modes are an alert left open, an alert dismissed without reason, or a system that auto-clears everything. Each is an audit finding. The discipline is simple to state and hard to run: every flag clarified, every conclusion documented, escalation where clarification fails. We build the routine so that discipline actually holds.

How it runs

Building the monitoring

Calibrate the rules to the firm’s risk, build the human routine, document everything, and tune over time.

  1. Step 1

    Calibrate the rules

    Designing risk-based rules to the firm’s risk assessment, products, client profiles and geographies, sharp, not generic.

  2. Step 2

    Alert-handling routine

    Building the clarification-and-documentation process that resolves each flag to a clear conclusion.

  3. Step 3

    Escalation path

    The route from unresolved suspicion to a decision and, where required, an MROS report.

  4. Ongoing

    Run & document

    Operating the monitoring with a documented conclusion for every alert, ready for audit.

  5. Periodic

    Tune the rules

    Reviewing and refining the rules so they keep catching real risk without burying it in false positives.

Budget

What it costs

Monitoring is scoped to volume and risk: a low-transaction fiduciary is lighter than a high-volume payment or crypto business needing tuned rules and frequent escalations. The rule design and routine are a build; running and resolving alerts is part of the ongoing function.

We scope and quote against transaction volume and risk profile. Pricing is on request.

Discuss your monitoring
What you need

What monitoring requires

Monitoring that genuinely functions rests on:

  • risk-based rules calibrated to the firm’s risk assessment and clients;
  • a reliable onboarding baseline to measure activity against;
  • a clarification routine that resolves every flag;
  • a documented conclusion (cleared or escalated) for each alert;
  • an escalation path to an MROS decision where suspicion remains.

A system that flags everything sees nothing

Firms sometimes equate more alerts with better monitoring, and set rules so broad that staff face hundreds of meaningless flags. The result is alert fatigue: real signals are lost in noise, alerts are cleared in bulk without genuine review, and the firm is worse off than with sharper rules. Equally, rules so loose they never fire leave the firm blind. Good monitoring is calibrated: tight enough to catch real risk, sharp enough that each alert deserves attention. We tune the rules to that balance, because both extremes fail the audit and the purpose.

Why Goldblum

Monitoring, and what it involves

Monitoring is the part of the framework most often weak and most heavily tested. Designing rules that are sharp and a routine that resolves every flag is the compliance work that keeps a firm authorised and banked.

Calibrated

Sharp, not blind or noisy

Risk-based rules tuned to the firm’s actual risk, catching real activity without burying it in false positives.

Resolved

Every flag reaches a conclusion

A clarification routine that clears or escalates each alert with documentation, the trail an auditor follows.

Operational

Real, not on paper

Monitoring that genuinely functions day to day, built to survive the audit that tests it hardest.

Related

What monitoring connects to

Front door

KYC & onboarding

The baseline monitoring measures against: who the client is, what the relationship is for, the expected profile.

KYC & onboarding
Annual

SRO audit preparation

The audit that tests whether monitoring is real: alerts generated, clarified, resolved and documented.

SRO audit preparation
High-risk sector

Crypto & digital assets

The Travel Rule and VASP-specific monitoring duties crypto intermediaries carry on top of the standard framework.

VASP AML
FAQ

Transaction monitoring: FAQ

01What is AML transaction monitoring?
Transaction monitoring is the ongoing watching of a client's activity against the profile established at onboarding, to detect transactions that are unusual, inconsistent with the relationship, or potentially linked to money laundering. It runs on risk-based rules that flag activity for review, and a process that either clears the flag with a documented explanation or escalates it. Monitoring is the duty that turns a static client file into live oversight, and it is one of the first things an SRO auditor tests, because it is where many frameworks are weakest.
02What does 'risk-based' monitoring mean?
It means the intensity of monitoring matches the risk a relationship presents, rather than treating every client the same. A higher-risk client (flagged at onboarding for a PEP connection, a complex structure or a high-risk geography) is watched more closely, with tighter thresholds, than a low-risk one. The rules are calibrated to the firm's risk assessment and client base, not bought off the shelf. Risk-based monitoring is both required and practical: it concentrates attention where the risk actually is, instead of drowning the firm in irrelevant alerts.
03How are monitoring alerts handled?
Each alert is reviewed and resolved through a defined routine: understand what the transaction is, seek clarification from the client or the file where needed, and then either clear it with a documented explanation that makes sense, or escalate it because it does not. The discipline is that every alert reaches a documented conclusion (cleared or escalated) and none is left open or dismissed without reason. The clarification-and-documentation routine is what an auditor follows to test whether monitoring is real. We build it so alerts are genuinely resolved, on the record.
04When does a flagged transaction become an MROS report?
When clarification cannot dispel a suspicion. If, after seeking an explanation, the firm knows or has reasonable grounds to suspect the assets are linked to money laundering, a predicate offence, a criminal organisation or terrorist financing, it must report to the Money Laundering Reporting Office Switzerland (MROS). The decision turns on whether the clarification resolves the concern or not. The monitoring routine exists to bring flagged activity to that decision point cleanly: cleared if explained, reported if not. We build the escalation path to MROS into the process.
05What makes a good set of monitoring rules?
Rules calibrated to the firm's actual risk and client base, catching genuinely unusual activity without generating so many false positives that real alerts are lost in noise. Generic rules either miss the firm's specific risks or flag everything, and both fail. Good rules reflect the products, the client profiles, the geographies and the transaction patterns the firm actually sees, and are reviewed and tuned over time. We design the rules to the firm's risk assessment and refine them, so monitoring is sharp rather than either blind or overwhelmed.
06What records must monitoring produce?
A documented trail for each alert: what was flagged, the clarification sought and obtained, and the conclusion, cleared with reasons, or escalated. For escalations, the basis of the suspicion and any MROS report. These records are what the SRO auditor examines to judge whether monitoring functions, and what protects the firm by showing it took flagged activity seriously. Monitoring without documentation is, for audit purposes, monitoring that did not happen. We build the routine so every alert leaves a clear, defensible record.
07Can transaction monitoring be automated?
The detection can be substantially automated (rule-based or system-driven flagging scales far better than manual review) but the resolution of each alert requires human judgement: understanding the transaction, weighing the clarification, and deciding whether suspicion remains. Tooling generates the alerts; a qualified person clears or escalates them. A system that auto-clears alerts without judgement is not compliant monitoring. We design the rules for the tooling and the human routine for the resolution, so the two work together.
08How does monitoring connect to onboarding?
Monitoring measures activity against the baseline onboarding established: who the client is, what the relationship is for, the expected transaction profile. Without a proper onboarding baseline, monitoring has nothing meaningful to compare against and either flags everything or nothing. The two are one system: strong onboarding makes monitoring precise, weak onboarding makes it useless. We design monitoring to read from the onboarding baseline, so a flag means a genuine departure from what was expected for that client.
09What happens if monitoring is weak at an SRO audit?
Weak monitoring is among the most common and most serious audit findings, because it is where the AML framework most often exists on paper but not in practice. An auditor will test whether alerts are generated, reviewed, clarified and resolved with documentation, and a firm that cannot show this faces findings, remediation requirements and, in serious cases, risk to its SRO membership and banking. Because monitoring is so often the weak point, getting it genuinely operational is one of the highest-value parts of the framework. We build it to pass that test.
10What does Goldblum do on transaction monitoring?
We design the risk-based monitoring rules calibrated to the firm's risk assessment and client base, build the alert-handling and clarification routine that resolves each flag into a cleared file or an MROS escalation, and set up the documentation that makes monitoring auditable. We tune the rules over time to keep them sharp, and connect monitoring to the onboarding baseline so alerts are meaningful. The aim is monitoring that genuinely functions, and survives the audit that tests it hardest.

Is your monitoring real or on paper?

Tell us your products and client base. A partner designs risk-based monitoring rules and an alert-handling routine that resolves flags cleanly — cleared or reported — and survives audit.