Transaction Monitoring for Crypto MSBs: Red Flags and What to Watch For
Transaction monitoring is the engine of your BSA/AML program. It’s how you detect suspicious activity, generate alerts for investigation, and ultimately decide whether to file a SAR. For crypto MSBs, the challenge is that traditional monitoring rules designed for banking don’t map cleanly to blockchain-native transaction patterns.
Here’s how to build a transaction monitoring program that actually catches what it needs to — without drowning your compliance team in false positives.
What Regulators Expect
FinCEN expects every MSB to have a transaction monitoring system that is “reasonably designed” to detect suspicious activity. This doesn’t mean you need to catch everything. It means your monitoring should be:
- Risk-based: Your rules should reflect your specific business model, customer base, and risk profile.
- Documented: Your rules, thresholds, and the rationale behind them should be written down.
- Regularly tuned: Rules that generate too many false positives or too few alerts need adjustment. Examiners look for evidence that you’re reviewing and tuning your monitoring program.
- Supported by investigation: Alerts need to be reviewed by qualified staff, investigated, and dispositioned — not just auto-closed.
You don’t need the most sophisticated system on the market. You need a system that’s appropriate for your size, complexity, and risk exposure.
Types of Monitoring Rules
Threshold-Based Rules
The simplest form of monitoring. Flag transactions that exceed a dollar amount or frequency:
- Single transactions above a defined amount (e.g., $3,000 for crypto ATMs)
- Aggregate transactions by a single customer exceeding a daily, weekly, or monthly threshold
- Cash-to-crypto conversions above a specified amount
Threshold rules are easy to implement but produce high false positive rates if not paired with customer risk profiling. A customer who regularly transacts $5,000/day is different from a customer who suddenly goes from $100 to $5,000.
Velocity Rules
Track the speed and frequency of transactions:
- Number of transactions within a time window (e.g., more than 5 transactions in 24 hours)
- Rapid deposit-and-withdrawal patterns (funds in and out within minutes)
- Multiple transactions across different kiosks or platforms within a short timeframe
Velocity rules are particularly relevant for crypto ATM operators, where structuring often manifests as multiple small transactions spread across kiosks.
Behavioral Rules
Compare a customer’s current activity against their historical baseline:
- Sudden increase in transaction volume or value
- Activity in a dormant account
- Change in transaction patterns (new geographies, new counterparties, different cryptocurrencies)
- Transactions inconsistent with stated purpose of the account
Behavioral rules require more data and more sophisticated logic, but they catch patterns that threshold rules miss.
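The three rule types above, run over the same transaction stream, as an added example that is not code from the article or from any vendor. The $3,000 threshold and the 5-in-24-hours window are the article's own examples; the 5x baseline multiple, the customer and kiosk names, and all transaction data are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean

THRESHOLD_USD = 3000                    # single-transaction limit (the article's ATM example)
VELOCITY_MAX = 5                        # more than 5 transactions ...
VELOCITY_WINDOW = timedelta(hours=24)   # ... in 24 hours (the article's example)
BASELINE_MULTIPLE = 5                   # assumed: 5x the customer's historical mean

# Constructed sample data, not real customers.
HISTORY = {"cust-A": [5000, 4800, 5200], "cust-B": [100, 120, 80]}
TXS = [("cust-A", "kiosk-1", "2024-05-01T09:00", 5000),
       ("cust-B", "kiosk-2", "2024-05-01T09:30", 5000)]
TXS += [("cust-C", f"kiosk-{i % 3 + 1}", f"2024-05-01T1{i}:00", 900) for i in range(6)]

def evaluate(txs, history):
    """Return (customer, rule, detail) alerts for time-ordered transactions."""
    alerts = []
    recent = defaultdict(deque)   # customer -> (time, kiosk) pairs inside the window
    for cust, kiosk, ts, usd in sorted(txs, key=lambda t: t[2]):
        when = datetime.fromisoformat(ts)
        # Threshold rule: fires on amount alone, whatever the customer's history.
        if usd >= THRESHOLD_USD:
            alerts.append((cust, "threshold", f"${usd}"))
        # Behavioral rule: compares the amount with the customer's own baseline.
        past = history.get(cust)
        if past and usd >= BASELINE_MULTIPLE * mean(past):
            alerts.append((cust, "behavioral", f"${usd} vs mean ${mean(past):.0f}"))
        # Velocity rule: counts per customer, so spreading across kiosks does not hide it.
        window = recent[cust]
        window.append((when, kiosk))
        while when - window[0][0] > VELOCITY_WINDOW:
            window.popleft()
        if len(window) > VELOCITY_MAX:
            kiosks = len({k for _, k in window})
            alerts.append((cust, "velocity", f"{len(window)} tx, {kiosks} kiosks"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(TXS, HISTORY):
        print(alert)
```

cust-A and cust-B both trip the threshold rule with the same $5,000 transaction, but only cust-B also trips the behavioral rule, which is the distinction an analyst needs to prioritize the two alerts.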
Network-Based Rules
Leverage blockchain analytics to assess risk based on where funds are flowing:
- Transactions with wallets associated with darknet markets, mixers, or known illicit services
- Funds passing through multiple intermediary wallets before reaching your platform (layering)
- Exposure to wallets flagged by blockchain analytics providers
- Transactions involving privacy coins (Monero, Zcash shielded transactions)
Network rules require integration with blockchain analytics data. They’re increasingly expected by regulators, especially for larger MSBs.
Red Flags Specific to Crypto MSBs
FinCEN, FATF, and state regulators have published extensive lists of red flags for virtual currency businesses. Here are the most relevant for crypto MSBs:
Structuring Indicators
- Multiple transactions just below reporting or identification thresholds
- A customer using multiple kiosks or accounts to avoid per-transaction limits
- Transactions split across different days but clearly related (same customer, similar amounts, same destination wallet)
- Use of multiple identities or accounts that appear linked
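One way to surface the structuring indicators listed above, as an added example rather than code from the article: it groups just-below-limit transactions by destination wallet so that related activity is linked across days, kiosks and customer accounts. The 80% "just below" band, the 7-day look-back and all names and data are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

LIMIT_USD = 3000              # per-transaction limit (the article's crypto ATM example)
NEAR = 0.8                    # assumed: "just below" means 80-100% of the limit
WINDOW = timedelta(days=7)    # assumed look-back for "clearly related" transactions

# Constructed sample data: (customer, kiosk, day, USD, destination wallet).
TXS = [
    ("cust-1", "kiosk-1", date(2024, 5, 1), 2900, "wallet-X"),
    ("cust-1", "kiosk-2", date(2024, 5, 2), 2850, "wallet-X"),
    ("cust-2", "kiosk-3", date(2024, 5, 3), 2950, "wallet-X"),
    ("cust-3", "kiosk-1", date(2024, 5, 1), 2900, "wallet-Y"),  # single, unrelated
    ("cust-4", "kiosk-1", date(2024, 5, 1), 400, "wallet-Z"),   # small, not near limit
    ("cust-4", "kiosk-1", date(2024, 5, 2), 350, "wallet-Z"),
]

def structuring_candidates(txs):
    """Return one finding per wallet that received 2+ near-limit transactions in WINDOW."""
    by_wallet = defaultdict(list)
    for cust, kiosk, day, usd, wallet in txs:
        if NEAR * LIMIT_USD <= usd < LIMIT_USD:
            by_wallet[wallet].append((day, cust, kiosk, usd))
    found = []
    for wallet, rows in sorted(by_wallet.items()):
        rows.sort()                                   # oldest first
        for i, row in enumerate(rows):
            group = [r for r in rows[i:] if r[0] - row[0] <= WINDOW]
            if len(group) >= 2:
                found.append({
                    "wallet": wallet,
                    "total_usd": sum(r[3] for r in group),
                    "customers": sorted({r[1] for r in group}),  # possibly linked accounts
                    "kiosks": sorted({r[2] for r in group}),
                })
                break                                 # one finding per wallet
    return found

if __name__ == "__main__":
    for finding in structuring_candidates(TXS):
        print(finding)
```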
High-Risk Transaction Patterns
- Large cash-to-crypto conversions with no apparent business purpose
- Immediate withdrawal or transfer of newly deposited funds
- Transactions with counterparties in OFAC-sanctioned jurisdictions
- Funds flowing to or from wallets associated with known illicit activity
- Transactions involving unhosted (non-custodial) wallets with no prior history
Identity and Behavioral Concerns
- Customer provides inconsistent or false identity documents
- Use of VPNs or proxy services to obscure location
- Reluctance to provide information required for KYC
- Customer appears to be acting on behalf of an unnamed third party
- Unusual interest in your compliance processes (“What triggers a report?”)
Crypto-Specific Indicators
- Use of mixing services, tumblers, or CoinJoin transactions to obscure the origin of funds
- Funds routed through decentralized exchanges (DEXs) to avoid KYC
- Transactions involving bridges between blockchains with no clear business rationale
- Conversion between multiple cryptocurrencies in rapid succession (chain-hopping)
Tuning Your Monitoring Program
A monitoring program that generates hundreds of alerts per day with a 95% false positive rate isn’t protecting you — it’s creating compliance fatigue and increasing the chance that real suspicious activity gets missed.
Start with Risk
Not all customers are equal risk. Segment your customer base and apply different monitoring intensities:
- Low risk: Verified customers with consistent transaction patterns and low amounts — standard threshold monitoring
- Medium risk: Customers in higher-risk geographies, larger transaction volumes, or with some unusual patterns — tighter thresholds, velocity rules
- High risk: Customers flagged by blockchain analytics, PEP matches, or prior SAR filings — enhanced monitoring with lower thresholds, behavioral rules, and manual review triggers
Measure and Adjust
Track metrics that tell you whether your monitoring is working:
- Alert volume by rule — which rules generate the most alerts?
- False positive rate by rule — which rules are noise?
- SAR conversion rate — what percentage of alerts result in a SAR filing?
- Time to disposition — how long does it take to investigate and close an alert?
If a rule has a 99% false positive rate, either the threshold is wrong or the rule isn’t useful. If a category of suspicious activity isn’t generating any alerts, your rules might have a gap.
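The tuning metrics above computed per rule from closed alerts, as an added example that is not code from the article. The rule names, disposition labels and alert records are constructed assumptions; the 99% cut-off is the article's figure.

```python
from collections import defaultdict

# Rules deployed in the monitoring program (assumed names).
RULES = ["threshold", "velocity", "behavioral", "network"]

# Constructed closed alerts: (rule, disposition, hours from alert to disposition).
ALERTS = (
    [("threshold", "false_positive", 2)] * 99 + [("threshold", "sar", 30)]
    + [("velocity", "false_positive", 4)] * 6 + [("velocity", "sar", 20)] * 4
)

def rule_metrics(alerts, rules, noisy_at=0.99):
    """Per rule: alert volume, false-positive rate, SAR conversion rate, time to disposition."""
    by_rule = defaultdict(list)
    for rule, disposition, hours in alerts:
        by_rule[rule].append((disposition, hours))
    report = {}
    for rule in rules:
        rows = by_rule.get(rule, [])
        n = len(rows)
        if n == 0:
            # A deployed rule that never fires may mean a gap in coverage.
            report[rule] = {"alerts": 0, "finding": "no alerts: check for a gap"}
            continue
        fp_rate = sum(d == "false_positive" for d, _ in rows) / n
        report[rule] = {
            "alerts": n,
            "fp_rate": fp_rate,
            "sar_rate": sum(d == "sar" for d, _ in rows) / n,
            "mean_hours": sum(h for _, h in rows) / n,
            "finding": "noisy: review threshold or rule" if fp_rate >= noisy_at else "ok",
        }
    return report

if __name__ == "__main__":
    for rule, row in rule_metrics(ALERTS, RULES).items():
        print(rule, row)
```

Keeping each run's output alongside the threshold change it prompted gives the data-based record of tuning decisions that examiners look for.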
Document Your Tuning Decisions
When you change a threshold or modify a rule, document why. Examiners want to see that your tuning decisions are based on data and risk assessment, not on a desire to reduce alert volume for convenience.
Building vs. Buying
For early-stage crypto MSBs, the question is whether to build custom monitoring logic or use a vendor solution. Considerations:
- Spreadsheets and manual review work at very small scale (dozens of transactions per day) but become error-prone and unauditable quickly.
- Custom rules in your application code give you full control but require ongoing engineering investment to maintain, tune, and document.
- Vendor solutions provide out-of-the-box rules, case management, and audit trails but can be expensive and rigid.
The right answer depends on your scale, your engineering capacity, and your risk profile. What doesn’t work is having no monitoring at all and hoping nothing gets flagged.
Decern provides transaction monitoring infrastructure for crypto MSBs — configurable rules, real-time alerts, and case management that connects to your screening and SAR filing workflow. One platform, not five tools duct-taped together.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified compliance professional for guidance specific to your transaction monitoring program.