What Ongoing Monitoring Means in AML Compliance
Know Your Customer is not a one-time event. Regulatory frameworks worldwide require financial institutions to maintain continuous, risk-proportionate surveillance of customer activity throughout the entire business relationship. Ongoing AML monitoring is the discipline of detecting when a customer's behavior, transaction patterns, or external risk profile deviates from what was established at onboarding.
The distinction between continuous monitoring and periodic review is critical. Periodic review operates on fixed schedules -- high-risk customers reviewed annually, medium-risk every two years, low-risk every three to five years. Continuous monitoring, by contrast, evaluates every transaction in real time against behavioral baselines, watchlists, and risk thresholds. Modern AML programs require both: continuous transaction screening catches acute threats as they happen, while periodic reviews reassess the broader customer risk profile as circumstances evolve.
Global enforcement actions for AML failures exceeded $5 billion in 2025. Regulators are no longer satisfied with point-in-time checks -- they demand evidence of continuous, automated monitoring that adapts to emerging threats in real time.
Regulatory Requirements Across Jurisdictions
AML monitoring obligations are not optional -- they are codified in law across every major jurisdiction. Understanding the specific requirements of each framework is essential for building a compliant system.
| Framework | Jurisdiction | Key Monitoring Requirements | Enforcement |
|---|---|---|---|
| FinCEN / BSA | United States | Ongoing CDD, transaction monitoring, SAR filing within 30 days | Civil & criminal penalties |
| EU AMLD6 | European Union | Risk-based monitoring, beneficial ownership tracking, cross-border cooperation | Up to 10% annual turnover |
| FATF Rec. 10-21 | Global (40 members) | CDD proportionate to risk, enhanced due diligence for PEPs, ongoing monitoring obligation | Mutual evaluations / grey-listing |
| UK MLR 2017 | United Kingdom | Continuous monitoring, risk assessment updates, senior management approval for high-risk | Unlimited fines |
| MAS Notice 626 | Singapore | Automated screening, risk-calibrated transaction thresholds, independent audit | License revocation |
FATF Recommendations 10 through 21 establish the global baseline. Recommendation 20 specifically mandates that suspicious transaction reports be filed "promptly" when institutions suspect proceeds of crime. EU AMLD6, which came into force in late 2024, expanded criminal liability to legal persons and harmonized predicate offenses across member states, making monitoring failures a corporate criminal matter.
Transaction Monitoring: Patterns That Trigger Alerts
Effective transaction monitoring systems watch for behavioral patterns that deviate from a customer's established profile. The most common red flags fall into well-defined categories.
Structuring (Smurfing)
Deliberately breaking transactions into amounts just below reporting thresholds. In the US, this means deposits kept under $10,000 to avoid Currency Transaction Report (CTR) filing. Structuring is a federal crime under 31 USC 5324, regardless of whether the underlying funds are legitimate.
Rapid Movement of Funds
Funds deposited and immediately transferred to unrelated accounts or jurisdictions -- often called "flow-through" or "pass-through" behavior. A customer who receives $50,000 and wires 95% of it offshore within 24 hours triggers immediate scrutiny, particularly when the destination country has weak AML controls.
Unusual Geographic Patterns
Transactions involving high-risk jurisdictions identified by FATF (Iran, North Korea, Myanmar) or countries subject to comprehensive sanctions programs. Geographic monitoring also flags sudden changes -- a customer with exclusively domestic activity who begins receiving transfers from multiple offshore shell-company jurisdictions without a clear business rationale.
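The structuring and rapid-movement red flags above, written as two rule checks over a constructed transaction list. This is an added example, not code from the original page; the $10,000 threshold and the 95%-within-24-hours ratio come from the text, while the 80% lower band and the 3-day aggregation window are assumptions.

```python
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000                 # US CTR threshold named in the text
NEAR_BAND = 0.80                       # assumption: "just below" = 80-100% of threshold
STRUCT_WINDOW = timedelta(days=3)      # assumption: aggregation window
PASS_RATIO = 0.95                      # from the text: 95% wired out
PASS_WINDOW = timedelta(hours=24)      # from the text: within 24 hours

# Constructed sample data: (account, timestamp, direction, amount)
TXNS = [
    ("A", datetime(2025, 3, 1, 9), "in", 9_500),
    ("A", datetime(2025, 3, 1, 15), "in", 9_200),
    ("A", datetime(2025, 3, 2, 10), "in", 9_800),
    ("B", datetime(2025, 3, 1, 9), "in", 50_000),
    ("B", datetime(2025, 3, 1, 20), "out", 47_500),
    ("C", datetime(2025, 3, 1, 9), "in", 4_000),
    ("C", datetime(2025, 3, 9, 9), "out", 3_900),
]

def structuring_alerts(txns):
    """Accounts with 2+ near-threshold deposits in one window that together cross it."""
    deposits = {}
    for acct, ts, direction, amt in sorted(txns, key=lambda t: t[1]):
        if direction == "in" and NEAR_BAND * CTR_THRESHOLD <= amt < CTR_THRESHOLD:
            deposits.setdefault(acct, []).append((ts, amt))
    alerts = set()
    for acct, deps in deposits.items():
        for i, (start, _) in enumerate(deps):
            in_window = [a for ts, a in deps[i:] if ts - start <= STRUCT_WINDOW]
            if len(in_window) >= 2 and sum(in_window) >= CTR_THRESHOLD:
                alerts.add(acct)
    return alerts

def pass_through_alerts(txns):
    """Accounts where outflows within PASS_WINDOW of a deposit reach PASS_RATIO of it."""
    alerts = set()
    for acct, ts_in, direction, amt_in in txns:
        if direction != "in":
            continue
        out = sum(a for ac, ts, d, a in txns if ac == acct and d == "out"
                  and timedelta(0) <= ts - ts_in <= PASS_WINDOW)
        if out >= PASS_RATIO * amt_in:
            alerts.add(acct)
    return alerts
```

Both checks are static rules, so an account that keeps each deposit under the assumed 80% band, or waits 25 hours before wiring out, passes them.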
Common Pitfall
Over-reliance on rule-based thresholds alone creates blind spots. Sophisticated actors deliberately operate just outside static rules. Effective monitoring combines threshold rules with behavioral baselines and anomaly detection to catch adaptive evasion techniques.
Risk Scoring Models: Categorizing Customer Risk
Risk scoring assigns each customer a quantified risk level -- low, medium, or high -- based on multiple weighted factors. This score determines the intensity of monitoring applied and the frequency of periodic reviews.
| Risk Factor | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Customer Type | Salaried individual, domestic | Small business, sole trader | PEP, trust, shell company |
| Geography | Low-risk FATF jurisdiction | Moderate-risk jurisdiction | FATF grey/black list, sanctioned |
| Product / Channel | Savings account, fixed deposit | Business lending, trade finance | Correspondent banking, crypto |
| Transaction Volume | Consistent with declared income | Occasional spikes, explainable | Unexplained volume surges |
| Review Frequency | Every 3-5 years | Every 1-2 years | Every 6-12 months |
Risk scores must be dynamic. A customer initially classified as low risk who begins transacting with a newly sanctioned entity must be automatically escalated to high risk. The model should incorporate real-time event triggers -- adverse media hits, sanctions list additions, changes in beneficial ownership -- alongside the periodic recalculation schedule.
Sanctions Screening: OFAC, UN, and EU Lists
Sanctions screening is the non-negotiable foundation of AML monitoring. Every customer, counterparty, and beneficial owner must be checked against consolidated sanctions lists including OFAC's Specially Designated Nationals (SDN) list, the UN Security Council Consolidated List, and EU restrictive measures.
The operational question is real-time vs. batch screening. Real-time screening checks each transaction at the moment of execution -- essential for wire transfers and payments where sanctioned funds must be blocked before settlement. Batch screening rescreens the entire customer base against updated lists, typically daily. Both are required: real-time catches live transactions, while batch catches customers who were added to sanctions lists after their last transaction.
Screening Challenge: Name Matching
Fuzzy matching algorithms must handle transliterations (e.g., Cyrillic to Latin), aliases, partial names, and common-name collisions. False positive rates of 95%+ are typical in production systems, making automated triage and scoring essential to avoid overwhelming compliance teams.
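A small screening routine for the name-matching cases listed above (transliteration, aliases, reordered or partial names, near collisions), with scores routed into triage tiers. This is an added example, not code from the original page; the watchlist entry, the partial Cyrillic table, the token-based scoring method and the 0.95 / 0.85 cut-offs are all assumptions made for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Partial Cyrillic-to-Latin table, constructed to cover the sample names only
CYR = str.maketrans({"а": "a", "в": "v", "е": "e", "и": "i", "н": "n",
                     "о": "o", "п": "p", "р": "r", "т": "t", "я": "ya"})

# Constructed watchlist entry with one alias (not taken from any real list)
WATCHLIST = [{"id": "WL-0001", "names": ["Ivan Petrov", "Vanya Petrov"]}]
BLOCK, REVIEW = 0.95, 0.85   # assumed triage cut-offs

def tokens(name):
    """Lowercase, strip diacritics, transliterate, split into alphanumeric tokens."""
    s = unicodedata.normalize("NFKD", name.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch)).translate(CYR)
    return re.sub(r"[^a-z0-9]+", " ", s).split()

def name_score(listed, candidate):
    """Mean, over the listed name's tokens, of the best match among candidate tokens.

    Token order is ignored, so "Petrov, Ivan" and "Ivan Petrov" score the same.
    """
    listed_toks, cand_toks = tokens(listed), tokens(candidate)
    if not listed_toks or not cand_toks:
        return 0.0
    best = [max(SequenceMatcher(None, lt, ct).ratio() for ct in cand_toks)
            for lt in listed_toks]
    return sum(best) / len(best)

def screen(candidate):
    """Return (tier, score, entry id) for the best-scoring watchlist name or alias."""
    score, entry_id = max((name_score(n, candidate), e["id"])
                          for e in WATCHLIST for n in e["names"])
    tier = "block" if score >= BLOCK else "review" if score >= REVIEW else "clear"
    return tier, round(score, 3), entry_id
```

With this data, "Ivana Petrova" lands in the review tier: a different person whose name sits one letter per token away from the listed one, which is the common-name collision that drives false positives.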
Privacy-Preserving Monitoring with FHE
Traditional AML monitoring creates an inherent tension: institutions must analyze customer data deeply enough to detect suspicious patterns, but data protection regulations (GDPR, CCPA) require minimizing exposure of personal information. Fully Homomorphic Encryption resolves this conflict by enabling computation on encrypted data without ever decrypting it.
With FHE-based monitoring, transaction records remain encrypted throughout the analysis pipeline. Pattern matching, threshold comparisons, and even fuzzy name matching against watchlists can be performed directly on ciphertexts. The monitoring system produces encrypted results -- match or no-match -- that can only be decrypted by authorized compliance officers. The infrastructure operators, cloud providers, and even system administrators never see plaintext customer data.
H33's Approach: Encrypted Watchlist Matching and ZKP Compliance Proofs
H33 takes privacy-preserving monitoring further with a two-layer architecture. The first layer uses BFV fully homomorphic encryption to perform encrypted inner-product matching between customer identity vectors and sanctioned-entity vectors. This enables real-time watchlist screening at sub-millisecond latency -- under 42 microseconds per authentication -- without exposing either the customer's identity or the specific watchlist entries being checked.
The second layer uses zero-knowledge proofs to generate cryptographic compliance attestations. When a customer passes sanctions screening, H33 produces a ZKP that proves the check was performed against the current list version, that the matching algorithm executed correctly, and that no match was found -- all without revealing any underlying data. These proofs are verifiable by regulators, auditors, or counterparty institutions without requiring access to raw customer records.
FHE-encrypted monitoring means your AML infrastructure meets GDPR data minimization requirements by design. Customer data is never exposed to the monitoring system itself -- only encrypted match results and ZKP compliance proofs leave the pipeline.
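The encrypted inner-product idea described above can be shown with a much simpler scheme. This is an added example, not H33's code: it substitutes textbook Paillier (additively homomorphic only, not BFV) with a toy key, keeps the watchlist vector in plaintext on the screening side, and uses a hypothetical bigram-hash encoding for the identity vector.

```python
import hashlib
import secrets

# Toy Paillier key built from two Mersenne primes (far too small for real use)
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)          # private: PHI and MU stay with the key holder
DIM = 32                      # assumption: identity vector length

def encrypt(m):
    """Enc(m) = (1+N)^m * r^N mod N^2; randomized, so equal inputs differ."""
    r = secrets.randbelow(N - 2) + 1
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def decrypt(c):
    """Recover m from c using the private values PHI and MU."""
    return (pow(c, PHI, N2) - 1) // N * MU % N

def identity_vector(name):
    """Hash character bigrams of a name into a 0/1 vector (hypothetical encoding)."""
    v = [0] * DIM
    s = name.lower().replace(" ", "")
    for i in range(len(s) - 1):
        v[hashlib.sha256(s[i:i + 2].encode()).digest()[0] % DIM] = 1
    return v

def encrypted_inner_product(enc_x, w):
    """Screening side: sees only ciphertexts enc_x and its own vector w.

    Multiplying ciphertexts adds plaintexts, and raising to w_i scales them,
    so the product below is an encryption of sum(x_i * w_i).
    """
    acc = encrypt(0)
    for c, wi in zip(enc_x, w):
        acc = acc * pow(c, wi, N2) % N2
    return acc

def match_score(customer, listed):
    """Full flow: encrypt at the source, score blind, decrypt at the key holder."""
    enc_x = [encrypt(b) for b in identity_vector(customer)]
    enc_score = encrypted_inner_product(enc_x, identity_vector(listed))
    return decrypt(enc_score)
```

The screening function never calls `decrypt`; only the holder of `PHI` and `MU` learns the overlap count.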
SAR Filing Automation
When monitoring detects genuinely suspicious activity, institutions must file a Suspicious Activity Report (SAR) with the relevant Financial Intelligence Unit -- FinCEN in the US, the FIU in the EU, or the NCA in the UK. US regulations require SARs to be filed within 30 calendar days of initial detection (60 days if no suspect is identified). Automated SAR workflows dramatically reduce this response time by pre-populating report fields from the alert data, attaching supporting transaction records, and routing the draft through compliance officer review queues. The goal is not to remove human judgment -- SAR filing always requires human sign-off -- but to eliminate the manual data gathering that typically consumes 70-80% of the filing process.
Implementation Best Practices
Building an effective ongoing monitoring program requires deliberate architecture decisions from the start.
- Layer continuous and periodic monitoring together. Real-time transaction screening catches acute threats; scheduled reviews catch slow-drift risk profile changes. Neither alone is sufficient.
- Implement dynamic risk scoring with event triggers. Static scores decay in accuracy. Wire risk scoring to real-time feeds -- sanctions list updates, adverse media, beneficial ownership changes -- so customer risk levels adjust automatically.
- Tune false positive rates relentlessly. A 98% false positive rate on sanctions screening means your compliance team spends almost all their time clearing non-issues. Invest in fuzzy matching calibration, contextual scoring, and tiered alert queues to keep actionable-alert ratios above 10%.
- Encrypt data in transit and at rest -- and during processing. Traditional encryption protects stored and transmitted data but exposes it during analysis. FHE closes the last gap by enabling encrypted computation, ensuring customer data is never plaintext anywhere in the monitoring pipeline.
- Maintain comprehensive audit trails. Every screening decision, risk score change, alert disposition, and SAR filing must be logged immutably. Regulators expect to reconstruct the full decision chain during examinations. ZKP-based attestations provide cryptographic proof that each step was executed correctly.
- Test with adversarial scenarios. Run red-team exercises that simulate structuring, rapid fund movement, and sanctions evasion techniques against your monitoring rules. If your system does not catch purpose-built test cases, it will not catch real ones.
Ongoing AML monitoring is not a checkbox exercise -- it is a continuous, adaptive discipline that must evolve as criminal techniques and regulatory expectations change. By combining real-time transaction screening, dynamic risk scoring, and privacy-preserving cryptographic techniques, institutions can meet their compliance obligations while protecting the customer data they are entrusted with. H33's FHE and ZKP infrastructure makes it possible to achieve both goals simultaneously, at the speed and scale modern financial systems demand.