6 Signs Your Transaction Monitoring System Is Generating Too Many False Positives
A transaction monitoring system generating too many false positives is a compliance failure, not just an operational inconvenience. This guide covers the six diagnostic signs and what each tells you about the underlying problem.
Transaction monitoring systems exist to detect suspicious activity. But a system that generates hundreds or thousands of low-quality alerts per week creates a different kind of compliance problem: alert fatigue. When compliance analysts face a queue that cannot realistically be cleared, their review quality deteriorates. Cases that should be escalated get closed to manage the backlog. Genuine suspicious activity is buried under noise. The system that was supposed to protect the firm becomes the mechanism through which compliance failures occur.
Regulators are acutely aware of this dynamic. The FCA's supervisory visits and thematic reviews have repeatedly cited excessive false positive rates — and the compliance team practices that develop to cope with them — as evidence of a fundamentally inadequate monitoring programme. Here are the six signs that your transaction monitoring system is generating too many false positives, and what each of them tells you about the underlying problem.
Your Alert Queue Grows Faster Than It Can Be Cleared
If your compliance team ends every week with more unreviewed alerts than they started with, the system is generating alerts faster than the team can investigate them. This is not a staffing problem — it is a calibration problem. Adding analysts treats the symptom, not the cause. Every analyst added to manage a poorly-calibrated alert queue is a resource that could be deployed on higher-value compliance work.
A well-calibrated transaction monitoring programme generates an alert volume that the compliance team can investigate thoroughly within defined SLAs — with time left to maintain documentation quality, conduct training, and respond to ad hoc requests. If your team is permanently behind, the first question to ask is not how many more people you need. It is why the system is generating so many alerts, and how many of them are genuinely suspicious.
Your Alert Close Rate Is Above 95% Without a Corresponding SAR Rate
Industry benchmarks suggest that well-calibrated transaction monitoring programmes convert between 2% and 8% of alerts into SARs, with the remainder closed after investigation. If your system is closing 97–99% of alerts with no SAR outcome, one of two things is true: either your customer base genuinely generates very little suspicious activity, or your system is generating alerts that it should not be generating.
The first explanation is plausible — some customer segments are genuinely lower risk. But a close rate consistently above 95% across a regulated firm handling meaningful transaction volumes should be treated as a signal requiring explanation. The explanation, in most cases, is that the alert scenarios are too broadly calibrated — catching large numbers of normal transactions that superficially resemble a pattern without actually presenting suspicious characteristics.
Your Monitoring Rules Have Not Been Reviewed in Over 12 Months
Transaction monitoring rules must be calibrated to the firm's actual customer base, transaction patterns, and risk profile — not to a generic template, and not to what the customer base looked like when the rules were first written. Customer behaviour changes. Product mix changes. The firm's geographic exposure changes. A rule that was appropriately calibrated 18 months ago may be significantly over-generating today because the customer base it was designed for has evolved.
Rule reviews should be conducted at least annually, and whenever there is a material change in the firm's customer base, product mix, or transaction volumes. Each review should be documented — recording the data examined, the conclusions reached, the changes made, and the rationale for those changes. The documentation is not bureaucratic overhead; it is the evidence base that demonstrates to the regulator that the programme is genuinely managed rather than simply deployed.
All Alerts Are Treated the Same Regardless of Risk Level
Not all transaction monitoring alerts represent the same level of risk. An alert triggered by a first-time large outgoing wire transfer from a newly onboarded customer from a high-risk jurisdiction is fundamentally different from an alert triggered by a long-standing retail customer making a slightly larger-than-usual purchase. Treating both with the same investigation priority is an inefficient use of compliance resource and a sign that the system lacks risk-based alert prioritisation.
Modern transaction monitoring platforms incorporate risk-tiered alert management — scoring each alert based on a combination of factors including the scenario that triggered it, the customer's risk rating, the size and direction of the transaction, and any previous alert history. Higher-risk alerts are prioritised for immediate review; lower-risk alerts are queued for standard processing. This approach allocates analyst time to where it is most needed and reduces the risk that a critical case is lost in a backlog of routine alerts.
A Single Threshold Rule Is Generating a Disproportionate Share of Your Alerts
In many transaction monitoring programmes, a small number of rules — often simple threshold rules based on transaction amount — generate the majority of alerts. Threshold rules are necessary but blunt: a rule that fires on all transactions above £10,000 will catch genuine suspicious activity and enormous volumes of entirely normal high-value transactions, particularly for firms serving corporate or professional investor clients.
If a single rule is generating more than 30–40% of your total alert volume, that rule almost certainly needs recalibration. The right response is not to remove the rule but to add additional parameters that increase its specificity — for example, applying the threshold only to transactions that also match other risk indicators, or segmenting the rule by customer risk tier so that the threshold for standard-risk customers is higher than for elevated-risk customers.
Your Alert Patterns Do Not Reflect Your Customer Risk Profile
The most revealing diagnostic for a transaction monitoring programme is to compare the risk profile of the customers generating the most alerts with the risk profile of the firm's overall customer population. In a well-calibrated programme, higher-risk customers should generate a disproportionate share of the alerts — because they present a genuinely higher risk of suspicious activity.
If your alert population is dominated by standard-risk customers who generate large numbers of alerts that are routinely closed — while your higher-risk customers generate relatively few alerts — your rules are not calibrated to risk. They are calibrated to volume. The customers making the most transactions are generating the most alerts, regardless of whether those transactions present any meaningful AML risk.
One Constellation's compliance management platform includes alert analytics that allow compliance teams to examine alert patterns across customer risk tiers, scenario types, and time periods — providing the data needed to identify miscalibration and drive rule tuning decisions with evidence rather than intuition.
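The SAR-conversion, single-rule and risk-profile signs above can be measured directly from alert history. The following is an added example, not from the original article and not One Constellation's code; the alert records, rule names, tier labels and customer counts are constructed, and the 30% cut-off is the lower end of the article's 30–40% range.

```python
from collections import Counter

# Constructed sample of reviewed alerts: (rule_id, customer_risk_tier, outcome).
ALERTS = (
    [("AMT_OVER_10K", "standard", "closed")] * 130
    + [("AMT_OVER_10K", "high", "closed")] * 9
    + [("AMT_OVER_10K", "high", "sar")] * 1
    + [("RAPID_MOVEMENT", "standard", "closed")] * 30
    + [("RAPID_MOVEMENT", "high", "sar")] * 1
    + [("NEW_PAYEE_GEO", "high", "closed")] * 28
    + [("NEW_PAYEE_GEO", "high", "sar")] * 1
)
# Constructed customer counts per risk tier.
POPULATION = {"standard": 7000, "high": 3000}

def sar_conversion(alerts):
    """Fraction of reviewed alerts that ended in a SAR."""
    return sum(1 for _, _, outcome in alerts if outcome == "sar") / len(alerts)

def rule_shares(alerts):
    """Share of total alert volume produced by each rule."""
    counts = Counter(rule for rule, _, _ in alerts)
    return {rule: n / len(alerts) for rule, n in counts.items()}

def tier_lift(alerts, population):
    """Alert share divided by population share per tier (1.0 = proportional)."""
    counts = Counter(tier for _, tier, _ in alerts)
    total_customers = sum(population.values())
    return {
        tier: (counts[tier] / len(alerts)) / (size / total_customers)
        for tier, size in population.items()
    }

def diagnose(alerts, population, min_conversion=0.02, max_rule_share=0.30):
    """Return which of the article's signs this alert history exhibits."""
    findings = []
    if sar_conversion(alerts) < min_conversion:
        findings.append("low_sar_conversion")
    for rule, share in sorted(rule_shares(alerts).items()):
        if share > max_rule_share:
            findings.append(f"dominant_rule:{rule}")
    lift = tier_lift(alerts, population)
    if lift.get("high", 0.0) <= lift.get("standard", 0.0):
        findings.append("alerts_track_volume_not_risk")
    return findings

print(diagnose(ALERTS, POPULATION))
```

In this sample one amount-threshold rule produces 70% of alerts, SAR conversion is 1.5%, and high-risk customers alert less than their share of the customer base would predict, so all three signs are reported.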
How to Reduce False Positives Without Compromising Detection
The goal of false positive reduction is not to generate fewer alerts — it is to generate fewer low-quality alerts while maintaining or improving detection of genuine suspicious activity. The techniques that achieve this include:
- Customer risk segmentation — applying different monitoring thresholds and scenarios to different customer risk tiers, so that higher-risk customers receive more intensive monitoring and lower-risk customers do not generate alerts from normal behaviour.
- Behavioural baselining — establishing a baseline pattern for each customer's normal transaction behaviour and alerting on deviations from that baseline rather than absolute thresholds. A £50,000 transfer is not inherently suspicious for a customer whose normal profile includes regular large corporate transactions.
- AI-driven alert scoring — machine learning models that assess the probability of each alert representing genuine suspicious activity, allowing high-confidence false positives to be deprioritised without manual review.
- Scenario combination rules — requiring multiple indicators to be present simultaneously before an alert fires, rather than firing on a single factor in isolation.
- Regular tuning reviews — systematic, documented reviews of alert volumes, close rates, and SAR conversion rates by scenario, with threshold adjustments made in response to the data.
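The first, second and fourth techniques in the list can be combined in a single alert decision: a tier-specific amount floor, a per-customer baseline, and a requirement that both indicators are present. The following is an added example, not from the original article or any vendor's product; the tier names, floors, z-score limits, minimum history length and transaction histories are all assumed for illustration.

```python
from statistics import mean, stdev

# Assumed per-tier settings for illustration: elevated-risk customers get a
# lower amount floor and a tighter deviation limit than standard-risk ones.
TIER_RULES = {
    "standard": {"floor": 10_000, "max_z": 4.0},
    "elevated": {"floor": 5_000, "max_z": 2.5},
}
MIN_HISTORY = 5  # assumed minimum number of past amounts to form a baseline


def baseline_z(history, amount):
    """Z-score of amount against the customer's own past amounts, or None
    when there is too little history to form a baseline."""
    if len(history) < MIN_HISTORY:
        return None
    spread = stdev(history)
    if spread == 0:  # perfectly regular customer: any increase is a deviation
        return float("inf") if amount > history[0] else 0.0
    return (amount - mean(history)) / spread


def alert_reason(tier, history, amount):
    """Return why a transaction alerts, or None if it should not alert."""
    rules = TIER_RULES[tier]
    if amount < rules["floor"]:
        return None  # below this tier's floor: deviation alone does not alert
    z = baseline_z(history, amount)
    if z is None:
        return "over_floor_no_baseline"  # keep detection for new customers
    if z > rules["max_z"]:
        return "over_floor_and_off_baseline"
    return None  # large, but normal for this customer


# Constructed histories of past transaction amounts in GBP.
CORPORATE = [48_000, 52_000, 50_000, 47_000, 53_000, 51_000]
RETAIL = [120, 80, 200, 150, 95, 110]

print(alert_reason("standard", CORPORATE, 50_000))
print(alert_reason("standard", RETAIL, 50_000))
```

The same £50,000 transfer produces no alert for the corporate profile and an alert for the retail profile, while a customer with no usable history still alerts on the floor alone.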
Reduce False Positives With Intelligent Transaction Monitoring
One Constellation's transaction monitoring platform combines rule-based detection with AI-driven alert prioritisation — reducing false positive volumes by up to 60% while improving SAR detection rates. Built for banks, investment managers, payment processors, and fintechs.
