Unlawful Activities Under AMLA: Predicate Offences in the Philippines
The Anti-Money Laundering Act (AMLA) of the Philippines serves as a crucial tool in the fight against financial crimes such as money laundering and terrorist financing. Enacted in 2001 through Republic Act No. 9160, AMLA established the legal framework necessary to detect, prevent, and prosecute unlawful activities that threaten the integrity of the country’s financial system.
AMLA is more than just a set of rules; it represents the country's commitment to maintaining the legitimacy of its financial sector by enforcing strict measures against money laundering. These measures are vital because they help ensure that the financial system is not used for illegal purposes, such as funding terrorism or concealing the proceeds of crime. As financial crimes become more sophisticated, AMLA has been updated through several amendments to stay ahead of emerging threats, making it a dynamic piece of legislation crucial for protecting the economy.
Overview of Unlawful Activities Under AMLA
Under AMLA, unlawful activities are defined as criminal offences that generate proceeds, which may then be laundered through the financial system. These activities encompass a broad range of illegal acts, from drug trafficking to corruption, and are central to the law's enforcement mechanisms. The identification of these unlawful activities is crucial because it forms the basis for monitoring, detecting, and reporting suspicious transactions by financial institutions.
The scope of what constitutes unlawful activities has expanded over time, reflecting the evolving nature of financial crimes. Initially, AMLA identified specific crimes that were considered predicate offences for money laundering. These predicate offences are essential because they trigger the application of AMLA’s provisions, requiring financial institutions to report any transactions that may involve the proceeds of these crimes.
By clearly defining what constitutes unlawful activities, AMLA provides a robust framework that supports law enforcement agencies in their efforts to trace and seize illicit funds. This framework also assists financial institutions in implementing effective compliance programs to detect and prevent money laundering.
Changes in Unlawful Activities Across Republic Acts 9160, 9194, and 10365
Republic Act 9160: The Foundation of AMLA
Republic Act 9160, enacted in 2001, laid the groundwork for the Anti-Money Laundering Act (AMLA). This original version of the law identified a specific list of predicate crimes considered unlawful activities under AMLA. These included offences like kidnapping for ransom, drug trafficking, graft and corruption, and robbery. The primary aim was to ensure that the proceeds from these illegal activities could be tracked and confiscated, thereby preventing criminals from legitimizing their gains through the financial system.
The introduction of Republic Act 9160 marked a significant step forward for the Philippines in aligning with international standards on anti-money laundering. However, as financial crimes became more complex and sophisticated, it became clear that the law needed to evolve to remain effective.
Republic Act 9194: Expanding the Scope
In 2003, Republic Act 9194 amended AMLA, expanding the list of unlawful activities and enhancing enforcement capabilities. This amendment was crucial because it addressed gaps in the original law, adding more predicate offences such as terrorism and financing of terrorism, human trafficking, and securities fraud. These additions reflected the changing landscape of financial crime, where new methods and crimes were emerging that needed to be included under AMLA's purview.
The changes introduced by Republic Act 9194 not only broadened the scope of unlawful activities but also strengthened the law's enforcement mechanisms. This expansion made it easier for authorities to pursue a wider range of financial crimes, ensuring that more illegal activities could be detected and prosecuted.
Republic Act 10365: Further Strengthening AMLA
Further amendments came in 2013 with the enactment of Republic Act 10365, which continued to build on the foundation laid by its predecessors. This amendment further expanded the definition of unlawful activities to include offences like environmental crimes, bribery, and insider trading. These additions were significant because they addressed emerging threats and ensured that AMLA remained relevant in the face of evolving criminal tactics.
Republic Act 10365 also introduced stricter penalties and more robust mechanisms for international cooperation in combating money laundering. This amendment underscored the importance of a dynamic legal framework capable of adapting to new challenges in the fight against financial crime.
Unlawful Activities Under Republic Act 10365
- Kidnapping for ransom under the Revised Penal Code.
- Drug trafficking and related offences under the Comprehensive Dangerous Drugs Act of 2002.
- Graft and corruption under the Anti-Graft and Corrupt Practices Act.
- Plunder under Republic Act No. 7080.
- Robbery and extortion under the Revised Penal Code.
- Illegal gambling (Jueteng and Masiao) under Presidential Decree No. 1602.
- Piracy on the high seas under the Revised Penal Code.
- Qualified theft and swindling under the Revised Penal Code.
- Smuggling under applicable laws.
- Electronic commerce violations under the E-Commerce Act of 2000.
- Hijacking, destructive arson, and murder under the Revised Penal Code.
- Terrorism and its financing under applicable laws.
- Bribery and corruption of public officers under the Revised Penal Code.
- Fraud and illegal transactions under the Revised Penal Code.
- Malversation of public funds under the Revised Penal Code.
- Forgery and counterfeiting under the Revised Penal Code.
- Human trafficking under the Anti-Trafficking in Persons Act.
- Environmental crimes under the Forestry Code, Fisheries Code, Mining Act, and Wildlife Protection Act.
- Carnapping under the Anti-Carnapping Act of 2002.
- Illegal possession of firearms under Presidential Decree No. 1866.
- Anti-fencing law violations under Presidential Decree No. 1612.
- Violations of migrant worker protection laws under Republic Act No. 8042.
- Intellectual property rights violations under the Intellectual Property Code.
- Anti-photo and video voyeurism under Republic Act No. 9995.
- Anti-child pornography under Republic Act No. 9775.
- Child protection violations under the Special Protection of Children Against Abuse Act.
- Securities fraud under the Securities Regulation Code.
- Similar offences punishable under the laws of other countries.
Impact of These Changes on Financial Institutions
The amendments to the Anti-Money Laundering Act (AMLA) through Republic Acts 9160, 9194, and 10365 have significantly impacted how financial institutions operate in the Philippines. Each expansion of the list of unlawful activities brought new challenges and responsibilities for banks and other financial entities, requiring them to continually update their compliance programs.
Adapting Compliance Programs
With each amendment to AMLA, financial institutions had to adapt their compliance programs to meet the new requirements. This meant updating internal policies, enhancing employee training, and investing in advanced technology to detect and report suspicious activities more effectively. Institutions that failed to keep up with these changes risked hefty penalties, reputational damage, and even the loss of their operating licenses.
Enhanced Due Diligence Requirements
The expanded list of unlawful activities also meant that financial institutions needed to implement more rigorous due diligence processes. This included enhanced customer verification procedures, closer monitoring of transactions, and more thorough screening against updated watchlists. Financial institutions had to ensure that they could identify and report transactions linked to the newly added unlawful activities, requiring more sophisticated systems and procedures.
Challenges and Solutions for Compliance Teams
Compliance teams faced significant challenges as the scope of unlawful activities grew. The need to stay updated with the latest regulatory changes, combined with the increasing volume of transactions to monitor, put tremendous pressure on these teams. However, advancements in technology, such as AI-driven monitoring tools and automated compliance solutions, have provided critical support. These tools help compliance teams manage their workload more effectively, reducing the risk of human error and improving overall efficiency.
The Role of Advanced Technology in Ensuring Compliance
As the Anti-Money Laundering Act (AMLA) has evolved to include a broader range of unlawful activities, the role of advanced technology in ensuring compliance has become increasingly critical. Financial institutions are under constant pressure to not only meet regulatory requirements but also to do so in a manner that is both efficient and effective. This is where modern technological solutions, such as Tookitaki’s FinCense platform, come into play.
Tookitaki’s FinCense Platform: Staying Ahead of Regulatory Changes
Tookitaki’s FinCense platform is designed to help financial institutions stay ahead of regulatory changes, including those brought by amendments to AMLA. By leveraging advanced AI and machine learning algorithms, FinCense provides real-time monitoring and analysis of transactions, enabling institutions to detect and report suspicious activities with greater accuracy and speed.
The platform’s ability to continuously learn from new data ensures that it remains up-to-date with the latest threats and regulatory requirements. This adaptability is crucial in a landscape where financial crimes are constantly evolving, and where compliance standards are becoming more stringent.
Leveraging AI and Collective Intelligence for Effective AML Compliance
One of the key strengths of Tookitaki’s FinCense platform is its use of AI and collective intelligence. By drawing on a vast network of financial crime experts and data from across the globe, FinCense is able to identify emerging patterns and typologies of financial crime that might otherwise go undetected.
This collective intelligence approach allows FinCense to offer a level of predictive accuracy that is unmatched by traditional, rule-based systems. As a result, financial institutions can not only meet their compliance obligations but also do so in a way that minimizes false positives and reduces the operational burden on their compliance teams.
Final Thoughts
The evolution of the Anti-Money Laundering Act (AMLA) through Republic Acts 9160, 9194, and 10365 underscores the Philippines' commitment to combatting financial crime. As the scope of unlawful activities has expanded, so too have the responsibilities of financial institutions to ensure compliance with these stringent regulations.
Staying compliant in this dynamic regulatory environment requires more than just adherence to the law; it demands the integration of advanced technology and continuous adaptation. Platforms like Tookitaki’s FinCense have become indispensable tools for financial institutions, providing the intelligence and agility needed to meet these challenges head-on. By leveraging AI and collective intelligence, FinCense not only helps institutions comply with current regulations but also prepares them for future changes in the AML landscape.
To ensure your institution remains compliant with the latest AML regulations and is prepared for future challenges, explore Tookitaki’s FinCense platform. Discover how our AI-driven solutions can help you stay ahead in the fight against financial crime.
The QR Code Trap: Why a Simple Scan Is Becoming a Serious Fraud Risk in the Philippines
The most dangerous payment scams do not always look suspicious. Sometimes, they look efficient.
A customer scans a QR code at a shop counter, enters the amount, and completes the payment in seconds. There is no failed transaction, no login alert, no obvious red flag. Everything works exactly as it should. Except the money does not go to the merchant. It goes somewhere else. That is the core risk behind the BSP’s recent warning on “quishing,” including cases where a legitimate merchant QR code may be altered, tampered with, or placed over by another code so payments are redirected to a scammer’s account.
At one level, this sounds like a classic consumer-awareness issue. Check the code. Verify the source. Be careful what you scan. All of that is true. But stopping there misses the bigger point. In the Philippines, QR payments are no longer a novelty. They are part of a broader digital payments ecosystem that has scaled quickly, with digital retail payments accounting for 57.4 percent of monthly retail transaction volume, while QR Ph continues to serve as the national interoperable QR standard for participating banks and non-bank e-money issuers.
That changes the conversation.
Because once QR payments become normal, QR fraud stops being a side story. It becomes a payment-risk issue, a merchant-risk issue, and increasingly, a fraud-and-AML issue wrapped into one.

Why this scam matters more than it first appears
What makes QR code scams so effective is not technical sophistication. It is behavioural precision.
Fraudsters do not need to break into a banking app or compromise a device. They simply exploit trust at the point of payment. A sticker placed over a legitimate merchant code can do what phishing links, fake websites, and spoofed calls often try much harder to achieve: redirect money through a transaction the customer willingly authorises. The BSP warning itself highlights the practical advice consumers should follow, including checking whether a QR code appears altered, tampered with, or placed over another code before scanning. That guidance is telling in itself. It signals that physical manipulation of QR payment points is now a live concern.
For professionals in compliance and fraud, that should immediately raise a harder question. If the payment is customer-authorised and the beneficiary account is valid, what exactly is the institution supposed to detect?
The answer is not always the payment instruction itself. It is the pattern surrounding it.
A scam built for a real-time world
The Philippines has spent years building a more interoperable and inclusive digital payments landscape. QR Ph was developed so a common QR code could be scanned and interpreted by any participating bank or non-bank EMI, making person-to-person and person-to-merchant payments easier across providers. That is good infrastructure. It reduces friction, supports adoption, and brings more merchants into the formal digital economy.
But reduced friction has a downside. It also reduces hesitation.
In older payment settings, there were often natural pauses. A card terminal, a manual account check, a branch interaction, a payment slip. QR payments compress that journey. The customer sees the code, scans it, and moves on. That is the whole point of the experience. It is also why this scam is so well suited to modern payment habits.
Criminals have understood something simple: if a system is built around speed and convenience, the easiest place to attack is the moment when people stop expecting to verify anything.
How the QR code scam typically unfolds
The mechanics are almost painfully straightforward.
A fraudster identifies a merchant that relies on a visible static QR code. That could be a stall, a café, a small retail counter, a delivery collection point, or any setup where the code is printed and left on display. The original code is then covered or replaced with another one linked to a scammer-controlled account or a mule account.
Customers continue paying as usual. They do not think they are sending money to an individual or a different beneficiary. They think they are paying the merchant. The merchant, meanwhile, may not realise anything is wrong until expected payments fail to reconcile.
At that point, the payment journey has already begun.
Funds start landing in the receiving account, often in the form of multiple low-value payments from unrelated senders. In isolation, these do not necessarily look suspicious. In fact, they may resemble ordinary merchant collections. That is what makes this scam harder than it sounds. It can create merchant-like inflows in an account that should not really be behaving like a merchant account at all.
Then comes the real risk. The funds are moved quickly. Split across other accounts. Sent to wallets. Withdrawn in cash. Layered through secondary recipients. The initial fraud is simple. The downstream movement can be much more organised.
That is where the scam begins to overlap with laundering behaviour.
Why fraud teams and AML teams should both care
It is easy to classify QR code payment scams as retail fraud and leave it there. That would be too narrow.
From a fraud perspective, the problem is payment diversion. A customer intends to pay a merchant but sends funds elsewhere.
From an AML perspective, the problem is what happens next. Once diverted funds begin flowing into accounts that collect, move, split, and exit value quickly, institutions are no longer looking at a single fraudulent payment. They are looking at a potential collection-and-layering mechanism hidden inside legitimate payment rails.
This matters because the scam does not need large values to become meaningful. A QR fraud ring does not need one massive transfer. It can rely on volume, repetition, and velocity. Small payments from many victims can create a steady stream of illicit funds that looks unremarkable at transaction level but far more suspicious in aggregate.
That is why the typology deserves more serious treatment. It lives in the overlap between fast payments, mule-account behaviour, and low-friction laundering.

The detection challenge is not the scan. It is the behaviour after the scan.
Most legacy controls were not built for this.
Traditional monitoring logic often performs best when something is clearly out of character: an unusually large transaction, a high-risk jurisdiction, a sanctions hit, a known suspicious counterparty, or a classic account takeover pattern. QR scams may present none of those signals at the front end. The customer has not necessarily been hacked. The payment amount may be ordinary. The transfer rail is legitimate. The receiving account may not yet be watchlisted.
So the wrong question is: how do we detect every suspicious QR payment?
The better question is: how do we detect an account whose behaviour no longer matches its expected role?
That is a much more useful lens.
If a newly opened or low-activity account suddenly begins receiving merchant-like inbound payments from many unrelated individuals, that should matter. If those credits are followed by rapid outbound transfers or repeated cash-out behaviour, that should matter more. If the account sits inside a broader network of linked beneficiaries, shared devices, repeated onward transfers, or mule-like activity patterns, then the case becomes stronger still.
In other words, the problem is behavioural inconsistency, not just transactional abnormality.
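The role-mismatch lens described above can be expressed as detection logic over account-level transaction history. The following is an added example, not code from the original article or from any vendor platform; the thresholds, account names, and transactions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Illustrative thresholds: assumptions for this example, not regulatory values.
WINDOW = timedelta(hours=24)
MIN_SENDERS = 8              # distinct payers that resemble merchant collections
SMALL_AMOUNT = 1000.0        # median credit at or below this is "low-value"
LOOKBACK = timedelta(days=30)
MAX_PRIOR_CREDITS = 2        # "low-activity": this few credits before the window
EXIT_RATIO = 0.8             # share of inbound value already moved onward


@dataclass(frozen=True)
class Profile:
    account: str
    kind: str                # role declared at onboarding: "personal" or "merchant"
    opened: datetime


@dataclass(frozen=True)
class Txn:
    ts: datetime
    account: str
    direction: str           # "in" (credit) or "out" (debit)
    counterparty: str
    amount: float


def assess(profile, txns, now):
    """Return (tier, reasons); tier is "none", "review" or "escalate"."""
    mine = [t for t in txns if t.account == profile.account]
    recent = [t for t in mine if now - WINDOW <= t.ts <= now]
    credits = [t for t in recent if t.direction == "in"]
    senders = {t.counterparty for t in credits}

    # Gate: merchant-like fan-in on an account that was not onboarded as a merchant.
    if (profile.kind == "merchant" or len(senders) < MIN_SENDERS
            or median(t.amount for t in credits) > SMALL_AMOUNT):
        return "none", []
    reasons = [f"{len(senders)} distinct payers sending low-value credits"]

    # Signal A: newly opened, or almost no credits in the 30 days before the window.
    prior = [t for t in mine if t.direction == "in"
             and now - WINDOW - LOOKBACK <= t.ts < now - WINDOW]
    new_or_quiet = (now - profile.opened < LOOKBACK
                    or len(prior) <= MAX_PRIOR_CREDITS)
    if new_or_quiet:
        reasons.append("new or previously low-activity account")

    # Signal B: most of the collected value left again after the first credit.
    first_credit = min(t.ts for t in credits)
    inflow = sum(t.amount for t in credits)
    outflow = sum(t.amount for t in recent
                  if t.direction == "out" and t.ts >= first_credit)
    rapid_exit = outflow / inflow >= EXIT_RATIO
    if rapid_exit:
        reasons.append(f"{outflow / inflow:.0%} of inflow moved onward in window")

    # Fan-in plus one signal is worth a review; fan-in plus both is escalated.
    tier = ("none", "review", "escalate")[new_or_quiet + rapid_exit]
    return tier, reasons


def sample():
    """Constructed data: three accounts receive the same ten small payments."""
    now = datetime(2026, 1, 15, 18, 0)
    start = now - timedelta(hours=9)
    profiles = [
        Profile("ACC-MULE", "personal", now - timedelta(days=5)),
        Profile("ACC-NEW", "personal", now - timedelta(days=10)),
        Profile("ACC-SHOP", "merchant", now - timedelta(days=700)),
    ]
    txns = [Txn(start + timedelta(minutes=30 * i), p.account, "in",
                f"payer-{p.account}-{i}", 150.0 + 50 * i)
            for p in profiles for i in range(10)]
    # Only ACC-MULE forwards the money: 3,400 of the 3,750 collected.
    txns += [Txn(start + timedelta(hours=h), "ACC-MULE", "out", dest, 1700.0)
             for h, dest in ((5, "wallet-x"), (8, "acct-y"))]
    # The shop settles to its own bank account, which is expected for its role.
    txns.append(Txn(start + timedelta(hours=8), "ACC-SHOP", "out", "own-bank", 3500.0))
    return profiles, txns, now


def run():
    profiles, txns, now = sample()
    return {p.account: assess(p, txns, now) for p in profiles}


if __name__ == "__main__":
    for account, (tier, reasons) in run().items():
        print(account, tier, reasons)
```

The three accounts receive identical credits, so no per-transaction rule could separate them; only the declared role, account age, and onward movement do.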
Why this is becoming a real-time monitoring problem
This scam is particularly uncomfortable because it plays out at the speed of modern payments.
The BSP’s own digital payments reporting shows how mainstream digital retail payments have become in the Philippines. When money moves that quickly through interoperable rails, institutions lose the luxury of treating suspicious patterns as something to review after the fact. By the time a merchant notices missing collections, an operations team reviews exceptions, or a customer dispute is logged, the funds may already have been transferred onward.
That shifts the burden from retrospective review to timely pattern recognition.
This is not about flagging every small QR payment. That would be unworkable and noisy. It is about identifying where a stream of seemingly routine payments is being routed into an account that starts exhibiting the wrong kind of velocity, concentration, or onward movement.
The intervention window is narrow. That is what makes this a real-time problem, even when the scam itself is physically low-tech.
The merchant ecosystem is an exposed surface
There is also a more uncomfortable operational truth here.
QR-based payment growth often depends on simplicity. Merchants, especially smaller ones, benefit from static printed codes that are cheap, easy to display, and easy for customers to use. But static codes are also easier to tamper with. In some environments, a fraudster does not need cyber capability. A printed overlay is enough.
That does not mean QR adoption is flawed. It means the ecosystem carries a visible attack surface.
The BSP and related QR Ph materials have consistently framed QR Ph as a way to make digital payments interoperable and more convenient for merchants and consumers, including smaller businesses and users beyond traditional card acceptance footprints. That inclusion benefit is real. It is also why institutions need to think carefully about what fraud controls look like when convenience extends to low-cost, visible, physically accessible payment instruments.
In plain terms, if the front-end payment instrument can be tampered with in the real world, then the back-end monitoring has to be smarter.
What better monitoring looks like in practice
The right response to this typology is not a flood of rules. It is a better sense of account behaviour, role, and connected movement.
Institutions should be asking whether they can tell the difference between a genuine merchant collection profile and a personal or mule account trying to imitate one. They should be able to examine how quickly inbound funds are moved onward, whether those patterns are sudden or sustained, whether counterparties are unusually diverse, and whether linked accounts show signs of coordinated activity.
They should also be able to connect fraud signals and AML signals instead of treating them as separate universes. In a QR diversion case, the initial trigger may sit with payment fraud, but the onward flow often sits closer to mule detection and suspicious movement analysis. If those two views are not connected, the institution sees only fragments of the story.
That is where stronger case management, behavioural scoring, and scenario-led monitoring become important.
And this is exactly why Tookitaki’s positioning matters in a case like this. A typology such as QR payment diversion does not demand more noise. It demands better signal. It demands the ability to recognise when an account is behaving outside its expected role, when transaction velocity starts to look inconsistent with ordinary retail activity, and when scattered data points across fraud and AML should really be read as one emerging pattern. For banks and fintechs dealing with increasingly adaptive scams, that shift from isolated alerting to connected intelligence is not a nice-to-have. It is the difference between seeing the payment and seeing the scheme.
A small scam can still reveal a much bigger shift
There is a tendency in financial crime writing to chase the dramatic case. The million-dollar fraud. The cross-border syndicate. The major arrest. Those stories matter, but smaller scams often tell you more about where the system is becoming vulnerable.
This one does exactly that.
A QR code replacement scam is not flashy. It is not technically grand. It may even look mundane compared with deepfakes, synthetic identities, or complex APP fraud chains. But it tells us something important about the current payments environment: fraudsters are increasingly happy to exploit trust, convenience, and physical access instead of sophisticated intrusion. That is not backward. It is efficient.
And for institutions, efficiency is exactly what makes it dangerous.
Because if a criminal can redirect funds without stealing credentials, without breaching an app, and without triggering an obvious failure in the payment experience, then the burden of defence shifts downstream. It shifts to monitoring, behavioural intelligence, and the institution’s ability to recognise when a legitimate payment journey has produced an illegitimate result.
Conclusion: the payment worked, but the control failed
That is the real sting in this typology.
The payment works. The rails work. The customer experience works. What fails is the assumption underneath it.
The BSP’s recent warning on quishing should be read as more than a consumer caution. It is a signal that as digital payments deepen in the Philippines, some of the next fraud risks will come not from breaking the payment system, but from quietly misdirecting trust within it.
For compliance teams, fraud leaders, and risk professionals, the lesson is clear. The problem is no longer limited to whether a transaction was authorised. The harder question is whether the institution can recognise, early enough, when a transaction that looks routine is actually the first step in a scam-and-laundering chain.
That is what makes this worth paying attention to.
Not because it is dramatic.
Because it is plausible, scalable, and built for the exact kind of payment environment the industry has worked so hard to create.

What Is Transaction Monitoring? The Complete 2026 Guide
Every time money moves through a bank or fintech, there is an underlying question: does this activity make sense for this customer?
That, in simple terms, is what transaction monitoring is about.
It helps financial institutions track customer activity, spot unusual behaviour, and identify patterns that may point to money laundering, fraud, terrorist financing, or other forms of financial crime. For banks, payment firms, e-wallets, remittance providers, and digital lenders, it has become one of the most important parts of a modern compliance programme.
In APAC, this is not optional. Regulators expect institutions to monitor customer activity on an ongoing basis and take action when something looks suspicious. And as payments become faster, more digital, and more interconnected, the stakes are only getting higher.
This guide explains what transaction monitoring is, how it works, why it matters, and what is changing in 2026 as the industry moves beyond legacy rules-only systems.

What Is Transaction Monitoring?
Transaction monitoring is the process of reviewing customer transactions to identify activity that looks unusual, inconsistent, or potentially suspicious.
In practice, that means analysing transactions such as transfers, deposits, withdrawals, card payments, wallet activity, remittances, or trade-related payments to see whether they fit the customer’s expected profile and behaviour. When something does not fit, the system raises an alert for further review.
This matters because financial crime rarely announces itself through one obvious transaction. More often, it appears through patterns. Funds move too quickly. Activity suddenly spikes. Transactions are split into smaller amounts. Money flows through accounts that do not seem to have any real business purpose. Individually, these actions may not seem remarkable. Together, they can tell a very different story.
It is also worth separating transaction monitoring from transaction screening, because the two are often confused. Screening checks transactions or customers against sanctions, watchlists, or other restricted-party lists. Monitoring looks at behaviour over time and asks whether the activity itself appears suspicious. Both are important, but they serve different purposes.
Why Is Transaction Monitoring Required?
At its core, transaction monitoring is how financial institutions turn AML policy into day-to-day action.
Regulators may not expect firms to stop every illicit transaction in real time, but they do expect them to have systems and controls that can identify suspicious activity in a consistent, risk-based, and defensible way. That is why transaction monitoring sits at the centre of AML and CFT compliance across markets.
The exact wording differs from country to country, but the expectation is broadly the same: if an institution handles customer funds, it must be able to monitor customer behaviour, identify unusual activity, and investigate or report it where necessary.
Across APAC, this expectation is reflected in the regulatory approach of major jurisdictions.
In Australia, AUSTRAC expects reporting entities to maintain systems and controls that help identify and manage money laundering and terrorism financing risk.
In Singapore, MAS Notice 626 requires banks to implement a risk-based transaction monitoring programme and review its effectiveness over time.
In Malaysia, Bank Negara Malaysia expects reporting institutions to carry out ongoing monitoring of customer activity using a risk-based approach.
In the Philippines, BSP rules require covered institutions to maintain monitoring capabilities that can generate alerts for suspicious activity and support STR filing.
In New Zealand, the AML/CFT framework similarly expects reporting entities to conduct ongoing due diligence and identify unusual transactions for possible reporting.
Without transaction monitoring, compliance remains largely theoretical. Institutions may have policies, onboarding checks, and customer risk assessments, but they still need a way to identify suspicious activity once the customer relationship is active.
How Does Transaction Monitoring Work?
A transaction monitoring system usually follows a straightforward flow, at least on paper. It pulls in data, applies detection logic, generates alerts, and supports investigation and reporting. The complexity lies in how well each of those steps works in practice.
1. Data ingestion
The first step is collecting transaction data from across the institution’s systems. This may include core banking transactions, payment rails, card activity, wallets, remittances, trade payments, and other channels.
Some institutions monitor in batch, meaning data is processed at intervals. Others monitor in real time. Increasingly, firms need both. Real-time detection matters for fast payments and fraud-related use cases, while batch monitoring still plays a role in broader AML analysis.
2. Detection and risk scoring
Once the data is available, the system applies scenarios, rules, thresholds, and sometimes machine learning models to identify activity that may require attention.
This is where typologies come into play. The system may look for patterns such as structuring, sudden spikes in transaction activity, rapid movement of funds across accounts, unusual transfers to higher-risk jurisdictions, or behaviour that simply does not match the customer’s known profile.
Some systems rely mostly on static rules. Others use a mix of rules, behavioural analytics, anomaly detection, and machine learning. The goal is always the same: distinguish activity that deserves a closer look from activity that does not.
3. Alert generation and investigation
When a transaction or behavioural pattern breaches a threshold or matches a suspicious pattern, the system generates an alert.
That alert then goes to an investigator or compliance analyst, who reviews it in context. They may look at the customer’s historical activity, onboarding data, linked counterparties, peer behaviour, geography, and previous alerts before deciding whether the activity is suspicious enough to escalate.
4. Reporting and audit trail
If the institution concludes that the activity is suspicious, it files the relevant report with the regulator or financial intelligence unit.
Just as important, it keeps a record of what was reviewed, what decision was taken, and why. That audit trail matters for internal governance, regulatory exams, and later reviews of monitoring effectiveness.
The process sounds simple enough, but the quality of outcomes depends heavily on the quality of data, the quality of monitoring scenarios, and the institution’s ability to manage alert volumes without overwhelming investigators.

Rules-Based vs AI-Powered Transaction Monitoring
For a long time, transaction monitoring was built mainly on rules.
If a customer deposited more than a defined amount, transferred money too frequently, or sent funds to a high-risk geography, the system generated an alert. This approach made sense. Rules were easy to understand, easy to explain, and reasonably easy to implement.
The problem is that rules do not adapt well.
Criminal behaviour changes quickly. Static thresholds do not. Over time, many institutions found themselves stuck with monitoring programmes that produced large volumes of alerts but limited real insight. Teams spent too much time clearing low-value alerts, while more complex patterns could still slip through.
That is where AI-supported monitoring has started to make a real difference.
Modern platforms still use rules, but they also add machine learning, behavioural analytics, and anomaly detection to better understand customer activity. Instead of only asking whether a threshold has been breached, they ask whether the behaviour itself looks unusual in context.
That shift matters because it improves more than just detection. It improves prioritisation. A stronger system helps compliance teams focus on genuinely higher-risk activity instead of drowning in noise.
For institutions dealing with high transaction volumes, instant payments, and growing cost pressure, that is not a nice enhancement. It is quickly becoming a practical necessity.
Key Transaction Monitoring Scenarios and Typologies
Transaction monitoring scenarios are the detection logic that drives alert generation. Here are the most common typologies that TM systems are configured to detect:
Structuring or smurfing
This happens when a customer breaks a large transaction into smaller amounts to avoid thresholds or scrutiny. Repeated deposits just below a reporting threshold are a classic example.
Layering
Here, funds are moved quickly across accounts, products, or jurisdictions to make the source of funds harder to trace. The key signals are often speed, complexity, and lack of a clear economic reason.
Mule account behaviour
Mule accounts often receive funds and move them out almost immediately. On the surface, the activity may not look dramatic. But the pattern, velocity, and counterparties often reveal the risk.
Round-tripping
This involves funds leaving an account and returning through a chain of related transactions, giving the appearance of legitimate movement while concealing the true source or purpose.
Trade-based money laundering
This often involves manipulating invoices, shipment values, trade documentation, or payment structures to move value under the cover of trade activity.
Unusual cash activity
Cash remains one of the oldest and most important risk indicators. A sudden surge in cash deposits from a customer with no clear reason for that activity should always prompt closer review.
Strong monitoring programmes do not treat these as isolated flags. They combine them with customer profile, geography, counterparty behaviour, and historical activity to form a more complete picture.
Common Challenges With Transaction Monitoring
Transaction monitoring is essential, but it is also one of the hardest parts of AML compliance to get right.
The first problem is volume. Legacy systems often generate too many alerts, and many of those alerts turn out to be low value. That creates fatigue, slows investigators down, and makes it harder to focus on truly suspicious behaviour.
The second issue is fragmented data. A customer may look one way in the core banking system, another in cards, and another in digital payments. If those views are not connected, monitoring can miss the bigger picture.
The third challenge is that typologies evolve faster than static rules. Criminals adapt their methods quickly. Monitoring systems that rely on stale logic often struggle to keep up.
Cross-border activity adds another layer of difficulty, especially in APAC. Institutions often operate across multiple jurisdictions, each with different reporting expectations, risk exposures, and regulator demands. Managing all of that with siloed systems creates real operational strain.
Then there is the issue of backlog. When alert volumes rise faster than investigative capacity, reviews get delayed. In some cases, that can put institutions under pressure to meet regulatory timelines for suspicious transaction reporting.
This is why the conversation has shifted. It is no longer just about whether a system can detect suspicious activity. It is also about whether it can do so efficiently, explainably, and in a way that teams can actually manage.
What to Look for in a Transaction Monitoring Solution
When institutions evaluate transaction monitoring technology, the question should not simply be whether the system can generate alerts. Almost every system can.
The better question is whether it can help the institution detect better, investigate faster, and adapt to new risks without constant manual rebuilding.
A few capabilities matter more than others.
Real-time monitoring is increasingly important because many risks, especially in fraud and faster payments, move too quickly for overnight review cycles.
Strong typology coverage matters because institutions need scenarios that reflect the products, geographies, and threats they actually face, not just generic red flags.
AI and machine learning support matter because rules alone are rarely enough in high-volume environments.
False positive reduction matters because too much alert noise increases costs without improving outcomes.
Explainability matters because investigators, compliance leaders, auditors, and regulators all need to understand why an alert was raised and how a decision was made.
Regulatory fit matters because the system must support the reporting and compliance requirements of the markets in which the institution operates.
Integration capability matters because monitoring is only as good as the data it can access.
In short, the best solutions are not just technically powerful. They are practical, adaptable, and built for how compliance teams actually work.
Transaction Monitoring in 2026: The AI Shift
The biggest shift in transaction monitoring over the past few years has been the move away from rules-only systems toward hybrid models that combine rules, machine learning, and more contextual risk analysis.
This shift is especially visible in APAC, where financial crime is increasingly cross-border, digital, and fast-moving. Institutions are dealing with higher transaction volumes, new payment rails, more sophisticated criminal typologies, and constant pressure to do more with leaner compliance teams.
That is why AI is no longer being treated as a future-looking add-on. For many institutions, it is becoming a practical response to a very real operational problem.
But the real story is not that AI replaces rules. It does not. The stronger model is hybrid. Rules still matter because they provide structure, governance, and explainability. AI matters because it helps institutions adapt, identify patterns that static logic may miss, and prioritise alerts more intelligently.
Collaborative intelligence is also becoming more relevant. In a region where criminal networks operate across borders, institutions benefit when detection is informed by more than just what one firm has seen on its own. This is why approaches such as federated learning are gaining attention. They allow institutions to benefit from broader intelligence without exposing raw customer data.
Final Thoughts
Transaction monitoring is no longer just a technical control sitting quietly in the background.
It has become a core part of how financial institutions protect themselves, their customers, and the wider financial system. The fundamentals are still the same: know the customer, understand expected behaviour, and identify activity that does not make sense.
What has changed is the scale and speed of the challenge.
In 2026, effective transaction monitoring depends on more than static thresholds and legacy rules. It depends on context, adaptability, and the ability to separate real risk from operational noise.
Institutions that get this right will not just strengthen compliance. They will build sharper operations, make better risk decisions, and be better prepared for the next wave of financial crime.

What Is Transaction Monitoring? The Complete 2026 Guide
Every time a customer sends a payment, makes a withdrawal, or moves money between accounts, a question needs to be answered: is this transaction legitimate? Transaction monitoring is the automated process financial institutions use to answer that question — at scale, in real time, across millions of transactions every day.
For banks, payment companies, e-wallets, and lending firms across APAC, transaction monitoring is not optional. It is a legal requirement under AUSTRAC in Australia, MAS Notice 626 in Singapore, BNM's AML/CFT Guidelines in Malaysia, BSP Circular 950 in the Philippines, and the AML/CFT Act in New Zealand. Get it wrong, and the consequences range from regulatory fines to criminal liability.
This guide covers everything compliance officers, CCOs, and financial crime teams need to know about transaction monitoring in 2026: what it is, how it works, what the regulations require, and how modern AI-powered systems are making it faster and more accurate than ever.

What Is Transaction Monitoring?
Transaction monitoring (TM) is the ongoing automated review of customer transactions to detect patterns that may indicate money laundering, fraud, terrorist financing, or other financial crime. It is a core component of any anti-money laundering (AML) compliance programme.
In practice, a transaction monitoring system ingests data from across a financial institution — payments, transfers, cash deposits, card transactions, trade finance flows — and applies a combination of rules, models, and risk indicators to each transaction. When a transaction or cluster of transactions crosses a defined threshold or matches a suspicious pattern, the system generates an alert for a compliance analyst to investigate.
Key distinction: Transaction monitoring looks at transactions that have already occurred or are in process. This is different from transaction screening, which checks a payment against sanctions lists before it is processed. Both are required — they serve different compliance functions.
Why Is Transaction Monitoring Required?
Regulators across APAC and globally require financial institutions to maintain ongoing transaction monitoring as part of their AML/CFT obligations. The specific requirements vary by jurisdiction, but the underlying principle is consistent: institutions must be able to detect and report suspicious transactions.
Here is what the key APAC regulators require:
- AUSTRAC (Australia): Reporting entities must have systems and controls to identify, mitigate, and manage money laundering and terrorism financing risks. The AML/CTF Rules require ongoing customer due diligence, which includes monitoring transactions for consistency with the customer's risk profile.
- MAS Notice 626 (Singapore): Banks are required to implement a risk-based transaction monitoring programme, covering both real-time and post-transaction monitoring. MAS expects institutions to document their monitoring scenarios and review them regularly.
- BNM (Malaysia): Bank Negara Malaysia's AML/CFT Policy Document requires all reporting institutions to implement ongoing monitoring of customers and their transactions, with a risk-based approach to setting thresholds and scenarios.
- BSP (Philippines): BSP Circular 950 and subsequent issuances require covered institutions to implement transaction monitoring systems capable of generating alerts on suspicious activity. Suspicious Transaction Reports (STRs) must be filed with the AMLC within five days of determination.
- AML/CFT Act (New Zealand): Reporting entities under the AML/CFT Act 2009 must conduct ongoing customer due diligence, which includes monitoring transactions to identify unusual or suspicious activity for reporting to the New Zealand Police Financial Intelligence Unit (FIU).
How Does Transaction Monitoring Work?
At its core, a transaction monitoring system does three things: it collects transaction data, applies detection logic to identify suspicious activity, and generates alerts for human review.
Step 1 — Data Ingestion
The TM system pulls transaction data from across the institution's systems: core banking, payment rails, cards, wire transfers, digital wallets, and more. Modern systems can process this data in real time as transactions occur, or in batch mode at defined intervals.
Step 2 — Risk Scoring and Detection
Each transaction is evaluated against a set of detection scenarios. These scenarios are built around known money laundering typologies — patterns of behaviour associated with specific criminal methods such as structuring, smurfing, layering, or trade-based money laundering. The system assigns risk scores based on factors including transaction amount, frequency, geography, counterparty, and customer risk profile.
Step 3 — Alert Generation
When a transaction or cluster of transactions breaches a threshold or matches a high-risk pattern, the system generates an alert. This alert is routed to a compliance analyst for investigation. The analyst reviews the alert in context — the customer's history, past transactions, onboarding information — and determines whether to escalate, file a Suspicious Transaction Report (STR), or close the alert as a false positive.
Step 4 — Reporting and Audit
Where suspicious activity is confirmed, the institution files a report with the relevant Financial Intelligence Unit (AUSTRAC, FIU Singapore, AMLC Philippines, etc.). All alerts, including those closed as false positives, must be documented and retained for regulatory examination.
Rules-Based vs AI-Powered Transaction Monitoring
For most of the past three decades, transaction monitoring systems relied entirely on rules — if-then logic that flagged transactions when they crossed predefined thresholds. 'Alert if a cash deposit exceeds USD 10,000.' 'Alert if a customer makes more than five international transfers in a week.' These rules are transparent and easy to explain to regulators. They are also rigid, slow to adapt, and notorious for generating huge volumes of false positives.
The problem with rules-based monitoring is the false positive rate. Industry estimates put it between 90% and 95% — meaning that for every 100 alerts a compliance team investigates, fewer than 10 turn out to be genuinely suspicious. This wastes enormous time and resources, and critically, it creates noise that can cause analysts to miss the alerts that actually matter.
Modern AI-powered transaction monitoring systems address this by applying machine learning and behavioural analytics on top of rules. Instead of relying on static thresholds, ML models learn the normal behaviour of each customer and flag deviations from that pattern. This approach dramatically reduces false positives while improving detection of genuinely suspicious activity — including novel typologies that rules have not yet been written for.
Industry benchmark: Leading AI-powered transaction monitoring systems achieve false positive rates below 10%, compared to the 90-95% industry average for traditional rules-based systems. For a mid-sized bank handling 1 million alerts per year, this difference translates to hundreds of thousands of hours of saved analyst time.
Key Transaction Monitoring Scenarios and Typologies
Transaction monitoring scenarios are the detection logic that drives alert generation. Here are the most common typologies that TM systems are configured to detect:
- Structuring (smurfing): Breaking large sums into smaller transactions to stay below reporting thresholds. A customer depositing USD 9,800 multiple times across different branches is a classic structuring pattern.
- Layering: Rapid movement of funds between multiple accounts or jurisdictions to obscure the money trail. Unusual patterns of transfers to high-risk jurisdictions, especially in quick succession, are a key indicator.
- Mule account activity: Accounts that receive large sums and immediately transfer them out — consistent with money mule networks. High velocity, unusual counterparties, and rapid fund movement are characteristic patterns.
- Round-tripping: Funds that leave an account and return to it via a series of intermediary transactions, giving the appearance of legitimate business activity.
- Trade-based money laundering: Over- or under-invoicing in trade transactions to move value across borders. Particularly prevalent in APAC markets with high trade volumes.
- Unusual cash activity: Cash-intensive behaviour inconsistent with a customer's stated business or risk profile. A retail customer suddenly making large cash deposits is a common red flag.
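The structuring pattern in the list above, worked as an added example (this code is not from the original guide or any vendor product). It contrasts the single-transaction rule quoted earlier, "Alert if a cash deposit exceeds USD 10,000", with an aggregate check; the deposit records are constructed, and the 10% near-threshold band, 7-day window and minimum of three deposits are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000              # USD, the example rule threshold quoted in this guide
NEAR_FLOOR = 0.90 * THRESHOLD   # assumption: "just below" means within 10% of it
WINDOW = timedelta(days=7)      # assumption: rolling look-back window
MIN_DEPOSITS = 3                # assumption: repeats required before alerting

# Constructed sample cash deposits: (customer, branch, amount_usd, timestamp)
DEPOSITS = [
    ("C001", "Branch-A", 9_800, "2026-01-05T10:00"),
    ("C001", "Branch-B", 9_800, "2026-01-06T11:30"),
    ("C001", "Branch-C", 9_700, "2026-01-08T09:15"),
    ("C001", "Branch-A", 9_900, "2026-01-20T14:00"),   # outside the 7-day window
    ("C002", "Branch-A", 9_500, "2026-01-05T10:00"),   # near-threshold but monthly
    ("C002", "Branch-A", 9_500, "2026-02-05T10:00"),
    ("C002", "Branch-A", 9_500, "2026-03-05T10:00"),
    ("C003", "Branch-B", 12_000, "2026-01-07T13:00"),  # over the threshold outright
    ("C004", "Branch-C", 2_000, "2026-01-05T09:00"),   # frequent but small
    ("C004", "Branch-C", 2_000, "2026-01-06T09:00"),
    ("C004", "Branch-C", 2_000, "2026-01-07T09:00"),
]


def over_threshold(deposits):
    """The static rule: customers with any single deposit above THRESHOLD."""
    return {cust for cust, _, amount, _ in deposits if amount > THRESHOLD}


def find_structuring(deposits):
    """Customers with MIN_DEPOSITS or more near-threshold deposits inside WINDOW."""
    near = defaultdict(list)
    for cust, branch, amount, ts in deposits:
        if NEAR_FLOOR <= amount < THRESHOLD:
            near[cust].append((datetime.fromisoformat(ts), branch, amount))

    alerts = []
    for cust, rows in near.items():
        rows.sort()
        start, best = 0, []
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most WINDOW.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            if end - start + 1 > len(best):
                best = rows[start:end + 1]
        if len(best) >= MIN_DEPOSITS:
            alerts.append({
                "customer": cust,
                "deposits": len(best),
                "total": sum(amount for _, _, amount in best),
                "branches": sorted({branch for _, branch, _ in best}),
                "first": best[0][0].isoformat(),
                "last": best[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    print("static rule:", over_threshold(DEPOSITS))
    for alert in find_structuring(DEPOSITS):
        print("structuring:", alert)
```

The branch list and first/last timestamps are carried on the alert so the analyst sees why it fired, which is the explainability requirement the guide raises later.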

Common Challenges With Transaction Monitoring
Despite its critical importance, transaction monitoring remains one of the most operationally challenging parts of AML compliance. These are the issues compliance teams encounter most frequently:
- High false positive rates: As noted above, traditional rules-based systems flag far more legitimate transactions than suspicious ones, overwhelming compliance teams and diluting the quality of investigations.
- Siloed data: Transaction monitoring is only as good as the data it has access to. Institutions with fragmented data across legacy core banking systems, payment platforms, and digital channels often struggle to get a complete picture of customer activity.
- Static rules that lag behind typologies: Financial criminals adapt their methods constantly. Rules written for known typologies are always catching up to yesterday's schemes. AI and ML models that learn from transaction patterns in real time are better positioned to detect emerging threats.
- Regulatory divergence across APAC: A financial institution operating across Singapore, Malaysia, the Philippines, and Australia faces four different regulatory frameworks with different reporting timelines, threshold requirements, and filing procedures. Managing this complexity without unified TM infrastructure is extremely difficult.
- Alert backlog: Without automation, high alert volumes create backlogs that can delay STR filings beyond regulatory deadlines — itself a compliance breach.
What to Look for in a Transaction Monitoring Solution
When evaluating transaction monitoring software, financial institutions should assess the following:
- Real-time vs batch processing: Real-time monitoring is increasingly expected by regulators and essential for detecting fast-moving fraud. Ensure the system can process transactions as they occur, not just in overnight batches.
- Typology library: The breadth and quality of pre-built detection scenarios matters enormously, especially for institutions that lack the in-house expertise to build complex rules from scratch. Look for systems with APAC-specific typologies.
- ML and AI capabilities: Does the system supplement rules with machine learning? Can it learn customer behaviour patterns and adapt to new typologies without waiting for manual rule updates?
- False positive reduction: Ask vendors for benchmark false positive rates and how they measure them. A system that generates 90%+ false positives is not adding compliance value — it is adding cost.
- Explainability: Regulators expect you to be able to explain why an alert was generated and why a decision was made to close or escalate it. AI-powered systems must provide explainable outputs, not black-box decisions.
- APAC regulatory coverage: Ensure the solution supports the specific reporting requirements of AUSTRAC, MAS, BNM, BSP, and the New Zealand FIU — including automated STR filing where available.
- Integration: The system must integrate with your core banking, payments, and KYC infrastructure without requiring a full technology overhaul.
Transaction Monitoring in 2026: The AI Shift
The most significant development in transaction monitoring in recent years has been the shift from rules-only systems to hybrid AI models that combine the transparency of rules with the adaptive detection capabilities of machine learning.
In APAC, this shift is accelerating. Regulators including MAS and AUSTRAC have explicitly encouraged the use of technology and data analytics in AML programmes. The FATF (Financial Action Task Force) has published guidance on the use of digital identity and new technologies in AML/CFT. And financial institutions facing increasing transaction volumes, more sophisticated criminal typologies, and tighter compliance budgets are turning to AI-powered monitoring as the only sustainable path forward.
Modern transaction monitoring platforms use federated learning — where institutions benefit from the collective intelligence of a network of financial institutions without sharing raw customer data — to stay ahead of emerging typologies. In APAC, where regional financial crime networks operate across borders, this type of collaborative intelligence is particularly valuable.
Tookitaki’s approach to transaction monitoring aligns with this broader industry shift. Through its FinCense platform, the company combines rules, machine learning, and explainable AI with typologies contributed through the AFC Ecosystem, helping banks and fintechs improve detection quality, reduce unnecessary alerts, and respond more effectively to emerging financial crime risks across APAC.

The QR Code Trap: Why a Simple Scan Is Becoming a Serious Fraud Risk in the Philippines
The most dangerous payment scams do not always look suspicious. Sometimes, they look efficient.
A customer scans a QR code at a shop counter, enters the amount, and completes the payment in seconds. There is no failed transaction, no login alert, no obvious red flag. Everything works exactly as it should. Except the money does not go to the merchant. It goes somewhere else. That is the core risk behind the BSP’s recent warning on “quishing,” including cases where a legitimate merchant QR code may be altered, tampered with, or placed over by another code so payments are redirected to a scammer’s account.
At one level, this sounds like a classic consumer-awareness issue. Check the code. Verify the source. Be careful what you scan. All of that is true. But stopping there misses the bigger point. In the Philippines, QR payments are no longer a novelty. They are part of a broader digital payments ecosystem that has scaled quickly, with digital retail payments accounting for 57.4 percent of monthly retail transaction volume, while QR Ph continues to serve as the national interoperable QR standard for participating banks and non-bank e-money issuers.
That changes the conversation.
Because once QR payments become normal, QR fraud stops being a side story. It becomes a payment-risk issue, a merchant-risk issue, and increasingly, a fraud-and-AML issue wrapped into one.

Why this scam matters more than it first appears
What makes QR code scams so effective is not technical sophistication. It is behavioural precision.
Fraudsters do not need to break into a banking app or compromise a device. They simply exploit trust at the point of payment. A sticker placed over a legitimate merchant code can do what phishing links, fake websites, and spoofed calls often try much harder to achieve: redirect money through a transaction the customer willingly authorises. The BSP warning itself highlights the practical advice consumers should follow, including checking whether a QR code appears altered, tampered with, or placed over another code before scanning. That guidance is telling in itself. It signals that physical manipulation of QR payment points is now a live concern.
For professionals in compliance and fraud, that should immediately raise a harder question. If the payment is customer-authorised and the beneficiary account is valid, what exactly is the institution supposed to detect?
The answer is not always the payment instruction itself. It is the pattern surrounding it.
A scam built for a real-time world
The Philippines has spent years building a more interoperable and inclusive digital payments landscape. QR Ph was developed so a common QR code could be scanned and interpreted by any participating bank or non-bank EMI, making person-to-person and person-to-merchant payments easier across providers. That is good infrastructure. It reduces friction, supports adoption, and brings more merchants into the formal digital economy.
But reduced friction has a downside. It also reduces hesitation.
In older payment settings, there were often natural pauses. A card terminal, a manual account check, a branch interaction, a payment slip. QR payments compress that journey. The customer sees the code, scans it, and moves on. That is the whole point of the experience. It is also why this scam is so well suited to modern payment habits.
Criminals have understood something simple: if a system is built around speed and convenience, the easiest place to attack is the moment when people stop expecting to verify anything.
How the QR code scam typically unfolds
The mechanics are almost painfully straightforward.
A fraudster identifies a merchant that relies on a visible static QR code. That could be a stall, a café, a small retail counter, a delivery collection point, or any setup where the code is printed and left on display. The original code is then covered or replaced with another one linked to a scammer-controlled account or a mule account.
Customers continue paying as usual. They do not think they are sending money to an individual or a different beneficiary. They think they are paying the merchant. The merchant, meanwhile, may not realise anything is wrong until expected payments fail to reconcile.
At that point, the payment journey has already begun.
Funds start landing in the receiving account, often in the form of multiple low-value payments from unrelated senders. In isolation, these do not necessarily look suspicious. In fact, they may resemble ordinary merchant collections. That is what makes this scam harder than it sounds. It can create merchant-like inflows in an account that should not really be behaving like a merchant account at all.
Then comes the real risk. The funds are moved quickly. Split across other accounts. Sent to wallets. Withdrawn in cash. Layered through secondary recipients. The initial fraud is simple. The downstream movement can be much more organised.
That is where the scam begins to overlap with laundering behaviour.
Why fraud teams and AML teams should both care
It is easy to classify QR code payment scams as retail fraud and leave it there. That would be too narrow.
From a fraud perspective, the problem is payment diversion. A customer intends to pay a merchant but sends funds elsewhere.
From an AML perspective, the problem is what happens next. Once diverted funds begin flowing into accounts that collect, move, split, and exit value quickly, institutions are no longer looking at a single fraudulent payment. They are looking at a potential collection-and-layering mechanism hidden inside legitimate payment rails.
This matters because the scam does not need large values to become meaningful. A QR fraud ring does not need one massive transfer. It can rely on volume, repetition, and velocity. Small payments from many victims can create a steady stream of illicit funds that looks unremarkable at transaction level but far more suspicious in aggregate.
That is why the typology deserves more serious treatment. It lives in the overlap between fast payments, mule-account behaviour, and low-friction laundering.

The detection challenge is not the scan. It is the behaviour after the scan.
Most legacy controls were not built for this.
Traditional monitoring logic often performs best when something is clearly out of character: an unusually large transaction, a high-risk jurisdiction, a sanctions hit, a known suspicious counterparty, or a classic account takeover pattern. QR scams may present none of those signals at the front end. The customer has not necessarily been hacked. The payment amount may be ordinary. The transfer rail is legitimate. The receiving account may not yet be watchlisted.
So the wrong question is: how do we detect every suspicious QR payment?
The better question is: how do we detect an account whose behaviour no longer matches its expected role?
That is a much more useful lens.
If a newly opened or low-activity account suddenly begins receiving merchant-like inbound payments from many unrelated individuals, that should matter. If those credits are followed by rapid outbound transfers or repeated cash-out behaviour, that should matter more. If the account sits inside a broader network of linked beneficiaries, shared devices, repeated onward transfers, or mule-like activity patterns, then the case becomes stronger still.
In other words, the problem is behavioural inconsistency, not just transactional abnormality.
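One way to express that role-mismatch lens as detection logic, as an added example that is not part of the original article or any vendor's product. The account profiles, transactions, field names and every threshold below are constructed assumptions; the tiers follow the paragraph above, where many unrelated payers into a new or low-activity non-merchant account warrants review and rapid onward movement raises the severity.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed tuning values, not taken from the article or from any regulator.
MIN_SENDERS = 5        # distinct inbound payers seen in the review window
NEW_ACCOUNT_DAYS = 30  # account age treated as "newly opened"
LOW_BASELINE = 3       # inbound credits in the prior 30 days treated as "low activity"
FAST_EXIT_MIN = 60     # median minutes from a credit to the next debit
PASS_THROUGH = 0.8     # share of inbound value sent onward

AS_OF = datetime(2026, 3, 2)

# Constructed profiles; "role" is the expected role recorded at onboarding.
ACCOUNTS = {
    "ACC-P1": {"role": "personal", "opened": "2026-02-20", "prior_inbound": 0},
    "ACC-M1": {"role": "merchant", "opened": "2024-06-01", "prior_inbound": 900},
    "ACC-P2": {"role": "personal", "opened": "2021-03-15", "prior_inbound": 4},
    "ACC-P3": {"role": "personal", "opened": "2022-01-10", "prior_inbound": 1},
}


def at(hhmm):
    return datetime.fromisoformat(f"2026-03-01T{hhmm}")


# Constructed one-day transaction log: (time, account, direction, counterparty, amount)
P1_CREDITS = list(zip(
    ["09:05", "09:20", "09:40", "10:10", "10:30", "11:00", "11:15", "11:45"],
    [150, 220, 180, 450, 300, 250, 175, 275]))
TXNS = [(at(t), "ACC-P1", "in", f"payer-{i:02d}", amt)
        for i, (t, amt) in enumerate(P1_CREDITS, 1)]
TXNS += [(at("09:50"), "ACC-P1", "out", "acct-x", 500),
         (at("10:45"), "ACC-P1", "out", "acct-y", 700),
         (at("11:55"), "ACC-P1", "out", "wallet-z", 700)]
TXNS += [(at(f"{10 + i}:00"), "ACC-M1", "in", f"shopper-{i}", 300) for i in range(6)]
TXNS += [(at("18:00"), "ACC-M1", "out", "settlement", 1800)]
TXNS += [(at("12:00"), "ACC-P2", "in", "friend-1", 500),
         (at("15:00"), "ACC-P2", "in", "friend-2", 800)]
TXNS += [(at(f"19:{10 * i:02d}"), "ACC-P3", "in", f"guest-{i}", 400) for i in range(6)]


def score_accounts(accounts, txns, as_of):
    """Return {account: alert} for accounts behaving outside their expected role."""
    credits, debits = defaultdict(list), defaultdict(list)
    for ts, acct, direction, counterparty, amount in txns:
        (credits if direction == "in" else debits)[acct].append((ts, counterparty, amount))

    alerts = {}
    for acct, profile in accounts.items():
        if profile["role"] == "merchant":
            continue  # inflows from many payers are this account's expected role
        ins, outs = sorted(credits[acct]), sorted(debits[acct])
        senders = {cp for _, cp, _ in ins}
        age_days = (as_of - datetime.fromisoformat(profile["opened"])).days
        new_or_quiet = (age_days <= NEW_ACCOUNT_DAYS
                        or profile["prior_inbound"] <= LOW_BASELINE)
        if len(senders) < MIN_SENDERS or not new_or_quiet:
            continue

        # Dwell time: minutes from each credit to the next debit on the account.
        out_times = [ts for ts, _, _ in outs]
        dwell = []
        for ts, _, _ in ins:
            nxt = bisect_right(out_times, ts)
            if nxt < len(out_times):
                dwell.append((out_times[nxt] - ts).total_seconds() / 60)
        ratio = sum(a for *_, a in outs) / sum(a for *_, a in ins)
        med = median(dwell) if dwell else None

        reasons = [f"{len(senders)} distinct payers into a {profile['role']} account"]
        severity = "review"
        if med is not None and med <= FAST_EXIT_MIN and ratio >= PASS_THROUGH:
            severity = "high"
            reasons.append(f"{ratio:.0%} of inflow sent onward, median dwell {med:g} min")
        alerts[acct] = {"severity": severity, "distinct_senders": len(senders),
                        "pass_through": round(ratio, 2), "median_dwell_min": med,
                        "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for acct, alert in score_accounts(ACCOUNTS, TXNS, AS_OF).items():
        print(acct, alert)
```

No individual payment in the constructed log exceeds 450, so the alert comes entirely from the account-level aggregate; the registered merchant with the same inflow shape is not flagged.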
Why this is becoming a real-time monitoring problem
This scam is particularly uncomfortable because it plays out at the speed of modern payments.
The BSP’s own digital payments reporting shows how mainstream digital retail payments have become in the Philippines. When money moves that quickly through interoperable rails, institutions lose the luxury of treating suspicious patterns as something to review after the fact. By the time a merchant notices missing collections, an operations team reviews exceptions, or a customer dispute is logged, the funds may already have been transferred onward.
That shifts the burden from retrospective review to timely pattern recognition.
This is not about flagging every small QR payment. That would be unworkable and noisy. It is about identifying where a stream of seemingly routine payments is being routed into an account that starts exhibiting the wrong kind of velocity, concentration, or onward movement.
The intervention window is narrow. That is what makes this a real-time problem, even when the scam itself is physically low-tech.
The merchant ecosystem is an exposed surface
There is also a more uncomfortable operational truth here.
QR-based payment growth often depends on simplicity. Merchants, especially smaller ones, benefit from static printed codes that are cheap, easy to display, and easy for customers to use. But static codes are also easier to tamper with. In some environments, a fraudster does not need cyber capability. A printed overlay is enough.
That does not mean QR adoption is flawed. It means the ecosystem carries a visible attack surface.
The BSP and related QR Ph materials have consistently framed QR Ph as a way to make digital payments interoperable and more convenient for merchants and consumers, including smaller businesses and users beyond traditional card acceptance footprints. That inclusion benefit is real. It is also why institutions need to think carefully about what fraud controls look like when convenience extends to low-cost, visible, physically accessible payment instruments.
In plain terms, if the front-end payment instrument can be tampered with in the real world, then the back-end monitoring has to be smarter.
What better monitoring looks like in practice
The right response to this typology is not a flood of rules. It is a better sense of account behaviour, role, and connected movement.
Institutions should be asking whether they can tell the difference between a genuine merchant collection profile and a personal or mule account trying to imitate one. They should be able to examine how quickly inbound funds are moved onward, whether those patterns are sudden or sustained, whether counterparties are unusually diverse, and whether linked accounts show signs of coordinated activity.
They should also be able to connect fraud signals and AML signals instead of treating them as separate universes. In a QR diversion case, the initial trigger may sit with payment fraud, but the onward flow often sits closer to mule detection and suspicious movement analysis. If those two views are not connected, the institution sees only fragments of the story.
That is where stronger case management, behavioural scoring, and scenario-led monitoring become important.
And this is exactly why Tookitaki’s positioning matters in a case like this. A typology such as QR payment diversion does not demand more noise. It demands better signal. It demands the ability to recognise when an account is behaving outside its expected role, when transaction velocity starts to look inconsistent with ordinary retail activity, and when scattered data points across fraud and AML should really be read as one emerging pattern. For banks and fintechs dealing with increasingly adaptive scams, that shift from isolated alerting to connected intelligence is not a nice-to-have. It is the difference between seeing the payment and seeing the scheme.
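The checks described in this section (how fast inbound funds move onward, how diverse the payers are, and whether that fits the account's declared role) can be sketched as follows. This is an added example, not code from the original article or from any vendor; the ledger, account ids, role labels and thresholds are all constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta
from statistics import median

T0 = datetime(2025, 1, 6, 9, 0)  # constructed start of the observation window


def _tx(minutes, account, direction, counterparty, amount):
    return {"ts": T0 + timedelta(minutes=minutes), "account": account,
            "direction": direction, "counterparty": counterparty, "amount": amount}


# Constructed ledger. M-001 is onboarded as a merchant, P-777 as a personal account.
LEDGER = [
    # Merchant: collections through the day, one partial settlement much later.
    _tx(0, "M-001", "in", "payer-a", 250.0), _tx(35, "M-001", "in", "payer-b", 120.0),
    _tx(80, "M-001", "in", "payer-c", 480.0), _tx(140, "M-001", "in", "payer-d", 90.0),
    _tx(200, "M-001", "in", "payer-e", 310.0), _tx(260, "M-001", "in", "payer-f", 150.0),
    _tx(600, "M-001", "out", "supplier-1", 700.0),
    # Personal account: merchant-like inflow, each credit forwarded within minutes.
    _tx(10, "P-777", "in", "payer-g", 300.0), _tx(16, "P-777", "out", "acct-x", 300.0),
    _tx(42, "P-777", "in", "payer-h", 150.0), _tx(47, "P-777", "out", "acct-x", 150.0),
    _tx(75, "P-777", "in", "payer-i", 500.0), _tx(83, "P-777", "out", "acct-x", 500.0),
    _tx(110, "P-777", "in", "payer-j", 200.0), _tx(114, "P-777", "out", "acct-x", 200.0),
    _tx(150, "P-777", "in", "payer-k", 350.0), _tx(158, "P-777", "out", "acct-x", 350.0),
    _tx(190, "P-777", "in", "payer-l", 100.0), _tx(196, "P-777", "out", "acct-x", 100.0),
]


def profile_account(ledger, account):
    """Summarise inflow diversity and how long funds rest before leaving.

    Dwell time is measured by matching each debit against the oldest
    unspent credits (first in, first out).
    """
    rows = sorted((t for t in ledger if t["account"] == account), key=lambda t: t["ts"])
    credits = deque()          # [timestamp, unspent amount] per inbound credit
    dwell_minutes = []
    inbound = outbound = 0.0
    payers = set()
    for t in rows:
        if t["direction"] == "in":
            inbound += t["amount"]
            payers.add(t["counterparty"])
            credits.append([t["ts"], t["amount"]])
            continue
        outbound += t["amount"]
        remaining = t["amount"]
        while remaining > 1e-9 and credits:
            ts_in, left = credits[0]
            used = min(left, remaining)
            dwell_minutes.append((t["ts"] - ts_in).total_seconds() / 60)
            remaining -= used
            if left - used <= 1e-9:
                credits.popleft()
            else:
                credits[0][1] = left - used
    return {
        "pass_through": outbound / inbound if inbound else 0.0,
        "median_dwell_min": median(dwell_minutes) if dwell_minutes else None,
        "distinct_payers": len(payers),
    }


def evaluate(profile, declared_role, max_dwell_min=30, min_pass_through=0.9, min_payers=5):
    """Return the reasons an account looks out of role (thresholds are illustrative)."""
    reasons = []
    dwell = profile["median_dwell_min"]
    if profile["pass_through"] >= min_pass_through and dwell is not None and dwell <= max_dwell_min:
        reasons.append("rapid_onward_movement")
    if declared_role != "merchant" and profile["distinct_payers"] >= min_payers:
        reasons.append("merchant_like_inflow_on_non_merchant_account")
    return reasons


if __name__ == "__main__":
    for acct, role in (("M-001", "merchant"), ("P-777", "personal")):
        p = profile_account(LEDGER, acct)
        print(acct, role, p, evaluate(p, role))
```

Neither signal is decisive alone: a merchant legitimately has many payers, and a personal account may forward one payment quickly. The combination on a non-merchant account is what merits review.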
A small scam can still reveal a much bigger shift
There is a tendency in financial crime writing to chase the dramatic case. The million-dollar fraud. The cross-border syndicate. The major arrest. Those stories matter, but smaller scams often tell you more about where the system is becoming vulnerable.
This one does exactly that.
A QR code replacement scam is not flashy. It is not technically grand. It may even look mundane compared with deepfakes, synthetic identities, or complex APP fraud chains. But it tells us something important about the current payments environment: fraudsters are increasingly happy to exploit trust, convenience, and physical access instead of sophisticated intrusion. That is not backward. It is efficient.
And for institutions, efficiency is exactly what makes it dangerous.
Because if a criminal can redirect funds without stealing credentials, without breaching an app, and without triggering an obvious failure in the payment experience, then the burden of defence shifts downstream. It shifts to monitoring, behavioural intelligence, and the institution’s ability to recognise when a legitimate payment journey has produced an illegitimate result.
Conclusion: the payment worked, but the control failed
That is the real sting in this typology.
The payment works. The rails work. The customer experience works. What fails is the assumption underneath it.
The BSP’s recent warning on quishing should be read as more than a consumer caution. It is a signal that as digital payments deepen in the Philippines, some of the next fraud risks will come not from breaking the payment system, but from quietly misdirecting trust within it.
For compliance teams, fraud leaders, and risk professionals, the lesson is clear. The problem is no longer limited to whether a transaction was authorised. The harder question is whether the institution can recognise, early enough, when a transaction that looks routine is actually the first step in a scam-and-laundering chain.
That is what makes this worth paying attention to.
Not because it is dramatic.
Because it is plausible, scalable, and built for the exact kind of payment environment the industry has worked so hard to create.

What Is Transaction Monitoring? The Complete 2026 Guide
Every time money moves through a bank or fintech, there is an underlying question: does this activity make sense for this customer?
That, in simple terms, is what transaction monitoring is about.
It helps financial institutions track customer activity, spot unusual behaviour, and identify patterns that may point to money laundering, fraud, terrorist financing, or other forms of financial crime. For banks, payment firms, e-wallets, remittance providers, and digital lenders, it has become one of the most important parts of a modern compliance programme.
In APAC, this is not optional. Regulators expect institutions to monitor customer activity on an ongoing basis and take action when something looks suspicious. And as payments become faster, more digital, and more interconnected, the stakes are only getting higher.
This guide explains what transaction monitoring is, how it works, why it matters, and what is changing in 2026 as the industry moves beyond legacy rules-only systems.

What Is Transaction Monitoring?
Transaction monitoring is the process of reviewing customer transactions to identify activity that looks unusual, inconsistent, or potentially suspicious.
In practice, that means analysing transactions such as transfers, deposits, withdrawals, card payments, wallet activity, remittances, or trade-related payments to see whether they fit the customer’s expected profile and behaviour. When something does not fit, the system raises an alert for further review.
This matters because financial crime rarely announces itself through one obvious transaction. More often, it appears through patterns. Funds move too quickly. Activity suddenly spikes. Transactions are split into smaller amounts. Money flows through accounts that do not seem to have any real business purpose. Individually, these actions may not seem remarkable. Together, they can tell a very different story.
It is also worth separating transaction monitoring from transaction screening, because the two are often confused. Screening checks transactions or customers against sanctions, watchlists, or other restricted-party lists. Monitoring looks at behaviour over time and asks whether the activity itself appears suspicious. Both are important, but they serve different purposes.
Why Is Transaction Monitoring Required?
At its core, transaction monitoring is how financial institutions turn AML policy into day-to-day action.
Regulators may not expect firms to stop every illicit transaction in real time, but they do expect them to have systems and controls that can identify suspicious activity in a consistent, risk-based, and defensible way. That is why transaction monitoring sits at the centre of AML and CFT compliance across markets.
The exact wording differs from country to country, but the expectation is broadly the same: if an institution handles customer funds, it must be able to monitor customer behaviour, identify unusual activity, and investigate or report it where necessary.
Across APAC, this expectation is reflected in the regulatory approach of major jurisdictions.
In Australia, AUSTRAC expects reporting entities to maintain systems and controls that help identify and manage money laundering and terrorism financing risk.
In Singapore, MAS Notice 626 requires banks to implement a risk-based transaction monitoring programme and review its effectiveness over time.
In Malaysia, Bank Negara Malaysia expects reporting institutions to carry out ongoing monitoring of customer activity using a risk-based approach.
In the Philippines, BSP rules require covered institutions to maintain monitoring capabilities that can generate alerts for suspicious activity and support STR filing.
In New Zealand, the AML/CFT framework similarly expects reporting entities to conduct ongoing due diligence and identify unusual transactions for possible reporting.
Without transaction monitoring, compliance remains largely theoretical. Institutions may have policies, onboarding checks, and customer risk assessments, but they still need a way to identify suspicious activity once the customer relationship is active.
How Does Transaction Monitoring Work?
A transaction monitoring system usually follows a straightforward flow, at least on paper. It pulls in data, applies detection logic, generates alerts, and supports investigation and reporting. The complexity lies in how well each of those steps works in practice.
1. Data ingestion
The first step is collecting transaction data from across the institution’s systems. This may include core banking transactions, payment rails, card activity, wallets, remittances, trade payments, and other channels.
Some institutions monitor in batch, meaning data is processed at intervals. Others monitor in real time. Increasingly, firms need both. Real-time detection matters for fast payments and fraud-related use cases, while batch monitoring still plays a role in broader AML analysis.
2. Detection and risk scoring
Once the data is available, the system applies scenarios, rules, thresholds, and sometimes machine learning models to identify activity that may require attention.
This is where typologies come into play. The system may look for patterns such as structuring, sudden spikes in transaction activity, rapid movement of funds across accounts, unusual transfers to higher-risk jurisdictions, or behaviour that simply does not match the customer’s known profile.
Some systems rely mostly on static rules. Others use a mix of rules, behavioural analytics, anomaly detection, and machine learning. The goal is always the same: distinguish activity that deserves a closer look from activity that does not.
3. Alert generation and investigation
When a transaction or behavioural pattern breaches a threshold or matches a suspicious pattern, the system generates an alert.
That alert then goes to an investigator or compliance analyst, who reviews it in context. They may look at the customer’s historical activity, onboarding data, linked counterparties, peer behaviour, geography, and previous alerts before deciding whether the activity is suspicious enough to escalate.
4. Reporting and audit trail
If the institution concludes that the activity is suspicious, it files the relevant report with the regulator or financial intelligence unit.
Just as important, it keeps a record of what was reviewed, what decision was taken, and why. That audit trail matters for internal governance, regulatory exams, and later reviews of monitoring effectiveness.
The process sounds simple enough, but the quality of outcomes depends heavily on the quality of data, the quality of monitoring scenarios, and the institution’s ability to manage alert volumes without overwhelming investigators.

Rules-Based vs AI-Powered Transaction Monitoring
For a long time, transaction monitoring was built mainly on rules.
If a customer deposited more than a defined amount, transferred money too frequently, or sent funds to a high-risk geography, the system generated an alert. This approach made sense. Rules were easy to understand, easy to explain, and reasonably easy to implement.
The problem is that rules do not adapt well.
Criminal behaviour changes quickly. Static thresholds do not. Over time, many institutions found themselves stuck with monitoring programmes that produced large volumes of alerts but limited real insight. Teams spent too much time clearing low-value alerts, while more complex patterns could still slip through.
That is where AI-supported monitoring has started to make a real difference.
Modern platforms still use rules, but they also add machine learning, behavioural analytics, and anomaly detection to better understand customer activity. Instead of only asking whether a threshold has been breached, they ask whether the behaviour itself looks unusual in context.
That shift matters because it improves more than just detection. It improves prioritisation. A stronger system helps compliance teams focus on genuinely higher-risk activity instead of drowning in noise.
For institutions dealing with high transaction volumes, instant payments, and growing cost pressure, that is not a nice enhancement. It is quickly becoming a practical necessity.
Key Transaction Monitoring Scenarios and Typologies
Transaction monitoring scenarios are the detection logic that drives alert generation. Here are the most common typologies that TM systems are configured to detect:
Structuring or smurfing
This happens when a customer breaks a large transaction into smaller amounts to avoid thresholds or scrutiny. Repeated deposits just below a reporting threshold are a classic example.
Layering
Here, funds are moved quickly across accounts, products, or jurisdictions to make the source of funds harder to trace. The key signals are often speed, complexity, and lack of a clear economic reason.
Mule account behaviour
Mule accounts often receive funds and move them out almost immediately. On the surface, the activity may not look dramatic. But the pattern, velocity, and counterparties often reveal the risk.
Round-tripping
This involves funds leaving an account and returning through a chain of related transactions, giving the appearance of legitimate movement while concealing the true source or purpose.
Trade-based money laundering
This often involves manipulating invoices, shipment values, trade documentation, or payment structures to move value under the cover of trade activity.
Unusual cash activity
Cash remains one of the oldest and most important risk indicators. A sudden surge in cash deposits from a customer with no clear reason for that activity should always prompt closer review.
Strong monitoring programmes do not treat these as isolated flags. They combine them with customer profile, geography, counterparty behaviour, and historical activity to form a more complete picture.
Common Challenges With Transaction Monitoring
Transaction monitoring is essential, but it is also one of the hardest parts of AML compliance to get right.
The first problem is volume. Legacy systems often generate too many alerts, and many of those alerts turn out to be low value. That creates fatigue, slows investigators down, and makes it harder to focus on truly suspicious behaviour.
The second issue is fragmented data. A customer may look one way in the core banking system, another in cards, and another in digital payments. If those views are not connected, monitoring can miss the bigger picture.
The third challenge is that typologies evolve faster than static rules. Criminals adapt their methods quickly. Monitoring systems that rely on stale logic often struggle to keep up.
Cross-border activity adds another layer of difficulty, especially in APAC. Institutions often operate across multiple jurisdictions, each with different reporting expectations, risk exposures, and regulator demands. Managing all of that with siloed systems creates real operational strain.
Then there is the issue of backlog. When alert volumes rise faster than investigative capacity, reviews get delayed. In some cases, that can put institutions under pressure to meet regulatory timelines for suspicious transaction reporting.
This is why the conversation has shifted. It is no longer just about whether a system can detect suspicious activity. It is also about whether it can do so efficiently, explainably, and in a way that teams can actually manage.
What to Look for in a Transaction Monitoring Solution
When institutions evaluate transaction monitoring technology, the question should not simply be whether the system can generate alerts. Almost every system can.
The better question is whether it can help the institution detect better, investigate faster, and adapt to new risks without constant manual rebuilding.
A few capabilities matter more than others.
Real-time monitoring is increasingly important because many risks, especially in fraud and faster payments, move too quickly for overnight review cycles.
Strong typology coverage matters because institutions need scenarios that reflect the products, geographies, and threats they actually face, not just generic red flags.
AI and machine learning support matter because rules alone are rarely enough in high-volume environments.
False positive reduction matters because too much alert noise increases costs without improving outcomes.
Explainability matters because investigators, compliance leaders, auditors, and regulators all need to understand why an alert was raised and how a decision was made.
Regulatory fit matters because the system must support the reporting and compliance requirements of the markets in which the institution operates.
Integration capability matters because monitoring is only as good as the data it can access.
In short, the best solutions are not just technically powerful. They are practical, adaptable, and built for how compliance teams actually work.
Transaction Monitoring in 2026: The AI Shift
The biggest shift in transaction monitoring over the past few years has been the move away from rules-only systems toward hybrid models that combine rules, machine learning, and more contextual risk analysis.
This shift is especially visible in APAC, where financial crime is increasingly cross-border, digital, and fast-moving. Institutions are dealing with higher transaction volumes, new payment rails, more sophisticated criminal typologies, and constant pressure to do more with leaner compliance teams.
That is why AI is no longer being treated as a future-looking add-on. For many institutions, it is becoming a practical response to a very real operational problem.
But the real story is not that AI replaces rules. It does not. The stronger model is hybrid. Rules still matter because they provide structure, governance, and explainability. AI matters because it helps institutions adapt, identify patterns that static logic may miss, and prioritise alerts more intelligently.
Collaborative intelligence is also becoming more relevant. In a region where criminal networks operate across borders, institutions benefit when detection is informed by more than just what one firm has seen on its own. This is why approaches such as federated learning are gaining attention. They allow institutions to benefit from broader intelligence without exposing raw customer data.
Final Thoughts
Transaction monitoring is no longer just a technical control sitting quietly in the background.
It has become a core part of how financial institutions protect themselves, their customers, and the wider financial system. The fundamentals are still the same: know the customer, understand expected behaviour, and identify activity that does not make sense.
What has changed is the scale and speed of the challenge.
In 2026, effective transaction monitoring depends on more than static thresholds and legacy rules. It depends on context, adaptability, and the ability to separate real risk from operational noise.
Institutions that get this right will not just strengthen compliance. They will build sharper operations, make better risk decisions, and be better prepared for the next wave of financial crime.

What Is Transaction Monitoring? The Complete 2026 Guide
Every time a customer sends a payment, makes a withdrawal, or moves money between accounts, a question needs to be answered: is this transaction legitimate? Transaction monitoring is the automated process financial institutions use to answer that question — at scale, in real time, across millions of transactions every day.
For banks, payment companies, e-wallets, and lending firms across APAC, transaction monitoring is not optional. It is a legal requirement under AUSTRAC in Australia, MAS Notice 626 in Singapore, BNM's AML/CFT Guidelines in Malaysia, BSP Circular 950 in the Philippines, and the AML/CFT Act in New Zealand. Get it wrong, and the consequences range from regulatory fines to criminal liability.
This guide covers everything compliance officers, CCOs, and financial crime teams need to know about transaction monitoring in 2026: what it is, how it works, what the regulations require, and how modern AI-powered systems are making it faster and more accurate than ever.

What Is Transaction Monitoring?
Transaction monitoring (TM) is the ongoing automated review of customer transactions to detect patterns that may indicate money laundering, fraud, terrorist financing, or other financial crime. It is a core component of any anti-money laundering (AML) compliance programme.
In practice, a transaction monitoring system ingests data from across a financial institution — payments, transfers, cash deposits, card transactions, trade finance flows — and applies a combination of rules, models, and risk indicators to each transaction. When a transaction or cluster of transactions crosses a defined threshold or matches a suspicious pattern, the system generates an alert for a compliance analyst to investigate.
Key distinction: Transaction monitoring looks at transactions that have already occurred or are in process. This is different from transaction screening, which checks a payment against sanctions lists before it is processed. Both are required — they serve different compliance functions.
Why Is Transaction Monitoring Required?
Regulators across APAC and globally require financial institutions to maintain ongoing transaction monitoring as part of their AML/CFT obligations. The specific requirements vary by jurisdiction, but the underlying principle is consistent: institutions must be able to detect and report suspicious transactions.
Here is what the key APAC regulators require:
- AUSTRAC (Australia): Reporting entities must have systems and controls to identify, mitigate, and manage money laundering and terrorism financing risks. The AML/CTF Rules require ongoing customer due diligence, which includes monitoring transactions for consistency with the customer's risk profile.
- MAS Notice 626 (Singapore): Banks are required to implement a risk-based transaction monitoring programme, covering both real-time and post-transaction monitoring. MAS expects institutions to document their monitoring scenarios and review them regularly.
- BNM (Malaysia): Bank Negara Malaysia's AML/CFT Policy Document requires all reporting institutions to implement ongoing monitoring of customers and their transactions, with a risk-based approach to setting thresholds and scenarios.
- BSP (Philippines): BSP Circular 950 and subsequent issuances require covered institutions to implement transaction monitoring systems capable of generating alerts on suspicious activity. Suspicious Transaction Reports (STRs) must be filed with the AMLC within five days of determination.
- AML/CFT Act (New Zealand): Reporting entities under the AML/CFT Act 2009 must conduct ongoing customer due diligence, which includes monitoring transactions to identify unusual or suspicious activity for reporting to the New Zealand Police Financial Intelligence Unit (FIU).
How Does Transaction Monitoring Work?
At its core, a transaction monitoring system does three things: it collects transaction data, applies detection logic to identify suspicious activity, and generates alerts for human review.
Step 1 — Data Ingestion
The TM system pulls transaction data from across the institution's systems: core banking, payment rails, cards, wire transfers, digital wallets, and more. Modern systems can process this data in real time as transactions occur, or in batch mode at defined intervals.
Step 2 — Risk Scoring and Detection
Each transaction is evaluated against a set of detection scenarios. These scenarios are built around known money laundering typologies — patterns of behaviour associated with specific criminal methods such as structuring, smurfing, layering, or trade-based money laundering. The system assigns risk scores based on factors including transaction amount, frequency, geography, counterparty, and customer risk profile.
Step 3 — Alert Generation
When a transaction or cluster of transactions breaches a threshold or matches a high-risk pattern, the system generates an alert. This alert is routed to a compliance analyst for investigation. The analyst reviews the alert in context — the customer's history, past transactions, onboarding information — and determines whether to escalate, file a Suspicious Transaction Report (STR), or close the alert as a false positive.
Step 4 — Reporting and Audit
Where suspicious activity is confirmed, the institution files a report with the relevant Financial Intelligence Unit (AUSTRAC, FIU Singapore, AMLC Philippines, etc.). All alerts, including those closed as false positives, must be documented and retained for regulatory examination.
Rules-Based vs AI-Powered Transaction Monitoring
For most of the past three decades, transaction monitoring systems relied entirely on rules — if-then logic that flagged transactions when they crossed predefined thresholds. 'Alert if a cash deposit exceeds USD 10,000.' 'Alert if a customer makes more than five international transfers in a week.' These rules are transparent and easy to explain to regulators. They are also rigid, slow to adapt, and notorious for generating huge volumes of false positives.
The problem with rules-based monitoring is the false positive rate. Industry estimates put it at 90-95% — meaning that for every 100 alerts a compliance team investigates, fewer than 10 turn out to be genuinely suspicious. This wastes enormous time and resources, and critically, it creates noise that can cause analysts to miss the alerts that actually matter.
Modern AI-powered transaction monitoring systems address this by applying machine learning and behavioural analytics on top of rules. Instead of relying on static thresholds, ML models learn the normal behaviour of each customer and flag deviations from that pattern. This approach dramatically reduces false positives while improving detection of genuinely suspicious activity — including novel typologies that rules have not yet been written for.
Industry benchmark: Leading AI-powered transaction monitoring systems achieve false positive rates below 10%, compared to the 90-95% industry average for traditional rules-based systems. For a mid-sized bank handling 1 million alerts per year, this difference translates to hundreds of thousands of hours of saved analyst time.
Key Transaction Monitoring Scenarios and Typologies
Transaction monitoring scenarios are the detection logic that drives alert generation. Here are the most common typologies that TM systems are configured to detect:
- Structuring (smurfing): Breaking large sums into smaller transactions to stay below reporting thresholds. A customer depositing USD 9,800 multiple times across different branches is a classic structuring pattern.
- Layering: Rapid movement of funds between multiple accounts or jurisdictions to obscure the money trail. Unusual patterns of transfers to high-risk jurisdictions, especially in quick succession, are a key indicator.
- Mule account activity: Accounts that receive large sums and immediately transfer them out — consistent with money mule networks. High velocity, unusual counterparties, and rapid fund movement are characteristic patterns.
- Round-tripping: Funds that leave an account and return to it via a series of intermediary transactions, giving the appearance of legitimate business activity.
- Trade-based money laundering: Over- or under-invoicing in trade transactions to move value across borders. Particularly prevalent in APAC markets with high trade volumes.
- Unusual cash activity: Cash-intensive behaviour inconsistent with a customer's stated business or risk profile. A retail customer suddenly making large cash deposits is a common red flag.
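To make the structuring typology concrete, the sketch below runs the static rule quoted earlier ("alert if a cash deposit exceeds USD 10,000") beside a windowed scenario over the same deposits. It is an added example, not code from the original guide or any product; the deposit records, customer ids, the 90% "near threshold" band, the 7-day window and the minimum count are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

THRESHOLD = 10_000  # USD figure taken from the guide's example rule

# Constructed deposits: (customer, day, branch, cash amount in USD)
DEPOSITS = [
    ("C-100", date(2025, 3, 3), "branch-north", 9_800),
    ("C-100", date(2025, 3, 4), "branch-east", 9_800),
    ("C-100", date(2025, 3, 5), "branch-south", 9_800),
    ("C-200", date(2025, 3, 3), "branch-north", 12_500),  # single large deposit
    ("C-300", date(2025, 3, 3), "branch-north", 9_500),   # one-off near threshold
    ("C-300", date(2025, 3, 20), "branch-north", 2_000),
    ("C-400", date(2025, 3, 3), "branch-west", 1_200),    # routine small deposits
    ("C-400", date(2025, 3, 4), "branch-west", 1_150),
    ("C-400", date(2025, 3, 5), "branch-west", 1_300),
]


def static_rule(deposits):
    """The classic if-then rule: any single deposit above the threshold."""
    return {cust for cust, _, _, amount in deposits if amount > THRESHOLD}


def structuring_scenario(deposits, window_days=7, near_ratio=0.9, min_count=3):
    """Flag customers with repeated just-below-threshold deposits in a rolling window."""
    near = defaultdict(list)
    for cust, day, branch, amount in deposits:
        if near_ratio * THRESHOLD <= amount <= THRESHOLD:
            near[cust].append((day, branch, amount))

    alerts = {}
    for cust, rows in near.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans fewer than window_days.
            while (rows[end][0] - rows[start][0]).days >= window_days:
                start += 1
            window = rows[start:end + 1]
            if len(window) >= min_count:
                alerts[cust] = {
                    "count": len(window),
                    "total": sum(r[2] for r in window),
                    "branches": sorted({r[1] for r in window}),
                    "first": window[0][0],
                    "last": window[-1][0],
                }
                break
    return alerts


if __name__ == "__main__":
    print("static rule:", static_rule(DEPOSITS))
    print("structuring scenario:", structuring_scenario(DEPOSITS))
```

The static rule sees only C-200, while the three USD 9,800 deposits by C-100 surface only when deposits are aggregated per customer over time. The branch list is kept in the alert so an analyst can see the spread the guide describes.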

Common Challenges With Transaction Monitoring
Despite its critical importance, transaction monitoring remains one of the most operationally challenging parts of AML compliance. These are the issues compliance teams encounter most frequently:
- High false positive rates: As noted above, traditional rules-based systems flag far more legitimate transactions than suspicious ones, overwhelming compliance teams and diluting the quality of investigations.
- Siloed data: Transaction monitoring is only as good as the data it has access to. Institutions with fragmented data across legacy core banking systems, payment platforms, and digital channels often struggle to get a complete picture of customer activity.
- Static rules that lag behind typologies: Financial criminals adapt their methods constantly. Rules written for known typologies are always catching up to yesterday's schemes. AI and ML models that learn from transaction patterns in real time are better positioned to detect emerging threats.
- Regulatory divergence across APAC: A financial institution operating across Singapore, Malaysia, the Philippines, and Australia faces four different regulatory frameworks with different reporting timelines, threshold requirements, and filing procedures. Managing this complexity without unified TM infrastructure is extremely difficult.
- Alert backlog: Without automation, high alert volumes create backlogs that can delay STR filings beyond regulatory deadlines — itself a compliance breach.
What to Look for in a Transaction Monitoring Solution
When evaluating transaction monitoring software, financial institutions should assess the following:
- Real-time vs batch processing: Real-time monitoring is increasingly expected by regulators and essential for detecting fast-moving fraud. Ensure the system can process transactions as they occur, not just in overnight batches.
- Typology library: The breadth and quality of pre-built detection scenarios matters enormously, especially for institutions that lack the in-house expertise to build complex rules from scratch. Look for systems with APAC-specific typologies.
- ML and AI capabilities: Does the system supplement rules with machine learning? Can it learn customer behaviour patterns and adapt to new typologies without waiting for manual rule updates?
- False positive reduction: Ask vendors for benchmark false positive rates and how they measure them. A system that generates 90%+ false positives is not adding compliance value — it is adding cost.
- Explainability: Regulators expect you to be able to explain why an alert was generated and why a decision was made to close or escalate it. AI-powered systems must provide explainable outputs, not black-box decisions.
- APAC regulatory coverage: Ensure the solution supports the specific reporting requirements of AUSTRAC, MAS, BNM, BSP, and the New Zealand FIU — including automated STR filing where available.
- Integration: The system must integrate with your core banking, payments, and KYC infrastructure without requiring a full technology overhaul.
Transaction Monitoring in 2026: The AI Shift
The most significant development in transaction monitoring in recent years has been the shift from rules-only systems to hybrid AI models that combine the transparency of rules with the adaptive detection capabilities of machine learning.
In APAC, this shift is accelerating. Regulators including MAS and AUSTRAC have explicitly encouraged the use of technology and data analytics in AML programmes. The FATF (Financial Action Task Force) has published guidance on the use of digital identity and new technologies in AML/CFT. And financial institutions facing increasing transaction volumes, more sophisticated criminal typologies, and tighter compliance budgets are turning to AI-powered monitoring as the only sustainable path forward.
Modern transaction monitoring platforms use federated learning — where institutions benefit from the collective intelligence of a network of financial institutions without sharing raw customer data — to stay ahead of emerging typologies. In APAC, where regional financial crime networks operate across borders, this type of collaborative intelligence is particularly valuable.
Tookitaki’s approach to transaction monitoring aligns with this broader industry shift. Through its FinCense platform, the company combines rules, machine learning, and explainable AI with typologies contributed through the AFC Ecosystem, helping banks and fintechs improve detection quality, reduce unnecessary alerts, and respond more effectively to emerging financial crime risks across APAC.


