Are alert backlogs hiding financial crime? Is your compliance team fighting the wrong battle?

As alert volumes surge, banks must rethink transaction monitoring. Learn how managed services help balance efficiency and regulatory rigor.

In brief

• Rising alert volumes, stricter regulation and limited investigator capacity are putting AML transaction monitoring under structural pressure.
• Leading institutions improve performance through risk-based prioritization, standardized investigations, advanced analytics and selective co-sourcing.
• Managed services combine analytics, investigation capacity and governance to flexibly scale monitoring, reduce alert noise and strengthen regulatory defensibility.

Anti-money laundering (AML) transaction monitoring is under strain. Not only is regulatory scrutiny and investigative complexity increasing, but alert volumes also continue to rise. Between 2023 and 2024, suspicious activity reports (SAR) climbed 27% from less than 12,000 to well over 15,000. Transaction monitoring-based SARs have soared accordingly, with almost 4,500 such reports filed with regulators in 2024. Meanwhile, the availability of skilled investigators is limited.

Over time, transaction monitoring frameworks accumulate complexity. New scenarios are introduced in response to regulatory guidance. Thresholds are tightened after audit findings. Segmentation models expand as new customer categories are introduced. Manual review steps are added to mitigate perceived risks.

Each of these decisions makes sense in isolation. Together, they create an unwieldy system that produces high alert volumes, heavy documentation requirements and mounting operational pressure.

The result is a shift from risk-focused monitoring to volume management, with false-positive alerts tying up case management capacity and false negatives creating exposure. Investigators spend their time clearing queues rather than analyzing genuinely complex activity. Managers measure success by how quickly alerts are closed, not by how effectively risk is understood. What begins as a control framework gradually becomes an operational bottleneck – leading to slow response times that are inadequate to deal with the speed at which suspicious transaction activities can proceed.

Common pain points and pitfalls

Across institutions, the symptoms are remarkably consistent. Backlogs form and reform. Even when a remediation program temporarily reduces the queue, volumes return. In our experience, the problem is rarely a lack of effort. It is more often structural misalignment between alert generation and investigative capacity.

False positives remain stubbornly high. Institutions walk a narrow line between regulatory caution and operational sustainability. Conservative threshold setting reduces the risk of missed activity, but it also floods teams with alerts that ultimately pose limited risk. Over time, this erodes focus and increases fatigue.

Investigation quality becomes uneven. Under time pressure, narratives vary in structure and depth. One investigator writes a concise but clear explanation. Another produces a long, loosely structured account. A third focuses heavily on transactional data but under-articulates the risk rationale. None of this may be intentional, but variability creates vulnerability when regulators review files months later.

Governance often struggles to keep pace. Documentation lags behind system changes. Thresholds in production may not perfectly align with documented values. Scenario logic evolves, but the rationale for adjustments is not always clearly recorded. These issues do not necessarily indicate weak controls. They reflect the strain of managing a complex, evolving framework without an integrated operating model.

Perhaps the most common pitfall is treating transaction monitoring as a static system rather than a managed capability. Institutions invest heavily in model development or in remediation projects, yet once the immediate pressure subsides, continuous optimization fades. Improvements remain episodic instead of embedded.

What leading institutions are doing differently

The institutions that manage this environment successfully are not immune to regulatory pressure or alert growth. The difference lies in how they respond.

First, they view transaction monitoring as a living capability. Segmentation, scenario design, threshold calibration and investigation quality are not isolated exercises. They are interdependent components of a single risk management system. Adjustments in one area are assessed for downstream impact in another.

Second, they embrace structured, risk-based prioritization. Not every alert carries the same risk weight. Advanced analytics and data-driven scoring are used to create transparency around relative risk. When applying best-practice alert prioritization, investigators focus first on the cases most likely to require escalation. This does not eliminate low-risk alerts, but it ensures that attention is aligned with exposure.

Third, they standardize investigation output. Narratives follow a clear structure. Risk indicators are articulated consistently. Evidence is referenced methodically. This does not remove professional judgment. It strengthens it by providing a disciplined framework for reasoning.

Fourth, governance is embedded rather than reactive. Continuous model performance monitoring is key. Model changes are documented with clear rationale. Threshold decisions are tied to risk appetite. Feedback from investigation outcomes informs scenario refinement. Audit readiness is not a last-minute exercise; it is a byproduct of disciplined operating practices.

Fifth, technology is treated as an enabler. Artificial intelligence and advanced analytics are deployed in compliance management to reduce manual effort and improve consistency.

Leading institutions are also increasingly adopting co-sourcing models to complement internal capabilities. Rather than attempting to build and maintain every component internally, they selectively partner with specialized providers for investigation capacity, advanced analytics and technology-enabled alert triage. This allows institutions to scale resources during peak alert volumes, access specialized expertise and accelerate the adoption of modern monitoring techniques. Crucially, these arrangements are structured so that governance, model ownership and escalation decisions remain firmly within the institution.

In practice, achieving this level of maturity requires a combination of disciplined governance, advanced analytics and scalable investigative capacity. Many institutions therefore complement internal capabilities with specialized tools and external expertise that support alert prioritization, investigation efficiency and continuous model improvement. When deployed within a robust governance framework, these solutions help compliance teams focus their attention where it matters most: understanding risk, documenting decisions clearly and responding quickly to genuinely suspicious activity.

One example of an AI investigative tool that leverages know your customer (KYC), transactions and scenario data to better handle alerts and investigations is the EY Case Innovator. Given the client profile and the uploaded documents, when a new alert arrives, the system automatically searches the internal database for explanations. If none are found, it escalates the case to the team. The benefits are tangible:

Another effective solution created by EY is Alert Triage, a machine learning-based solution designed to increase efficiency in AML transaction monitoring by intelligently prioritizing alerts. The solution combines data aggregation, feature engineering, and advanced analytics to build a robust risk scoring model. By analyzing historical alerts and behavioral patterns across customers and accounts, it identifies signals associated with true positives and distinguishes them from typical false positives.

Key benefits include:

In a recent example, a mid-sized Swiss private bank faced high alert volumes driven by complex multi-transaction monitoring scenarios. By applying advanced analytics, historical simulations and behavioral pattern analysis to recalibrate the monitoring framework, the institution significantly improved alert triage performance. Multiple-transaction alerts were reduced to approximately 3% of transactions, duplicate and low-value alerts declined sharply and the bank established a strong foundation for intelligent, automated alert prioritization.

However, irrespective of the solution adopted, human oversight remains central. The objective is augmentation, not blind automation.

Managed services as the operating model for sustainable excellence

Reaching the requisite level of maturity is contingent on more than incremental improvement. It requires an operating model that integrates cross-domain expertise, AI-driven case investigation, governance and scalable execution, alongside specialists across multiple jurisdictions.

This is where financial crime managed services provide distinct value. Rather than addressing transaction monitoring through one-off projects, managed services establish a structured framework for ongoing delivery. Investigation capacity can scale in response to volume fluctuations without destabilizing internal teams. Surge events, remediation programs or growth phases are absorbed within a controlled structure.

Continuous improvement becomes embedded. Threshold performance is reviewed systematically. Scenario logic is benchmarked and refined. Investigation quality is monitored using defined standards. Performance metrics are tracked transparently. The model evolves alongside regulatory expectations and business growth.

Technology, including AI-driven prioritization and investigation support, is integrated into this operating framework. These tools accelerate enrichment, enhance consistency and reduce manual effort. Crucially, they operate within a governed structure, with clear audit trails and human validation.

For instance, consider the case of a large Swiss retail and commercial bank that faced excessive alert volumes because uniform monitoring thresholds were applied across highly diverse customer segments. Through segmentation-driven analytics and large-scale scenario simulation, an EY team helped the client recalibrate the monitoring framework to reflect different behavioral profiles. The result was a clear separation between productive and non-productive alerts, segment-specific thresholds that improved investigation focus, and a material improvement in alert triage efficiency and transparency.

From a regulatory perspective, managed services strengthen defensibility. Documentation standards are formalized. Model governance is clearly defined. Change management processes are controlled. When supervisors review the framework, they see not just controls, but coherence.

Outsourcing elements of transaction monitoring does not transfer regulatory responsibility. Under FINMA expectations, accountability for AML controls, escalation decisions and suspicious activity reporting remains with the financial institution. A well-structured managed services model therefore embeds strong governance: the bank retains oversight of investigative activity through defined supervision, quality assurance and performance monitoring. At the same time, model ownership, scenario design and validation remain independent within the institution’s model risk management framework. This ensures operational scalability while preserving clear accountability and regulatory defensibility.

From a strategic perspective, the impact is broader. Workload becomes more predictable. Investigator experience improves as repetitive tasks are reduced. Cost volatility decreases because capacity planning is more disciplined. Most importantly, leadership gains clearer visibility into the true risk posture of the institution.

Transaction monitoring shifts from a reactive compliance function to a structured, data-informed capability.

From firefighting to structural change

The challenges facing transaction monitoring today are not temporary. They are structural. Regulatory scrutiny will not ease. Transaction volumes will not decline. Criminal activity quickly spreads when given the opportunity. Expectations for documentation quality and model governance will only increase.

Institutions that continue to rely on incremental fixes will find themselves in repeated cycles of backlog reduction and remediation. Those that adopt a managed services operating model position themselves differently. They integrate governance, analytics, investigation capability and technology into a cohesive framework designed for scale.

The goal is not simply to process alerts more quickly. It is to ensure that the right risks receive the right level of attention, supported by consistent documentation and defensible decision-making. In the current environment, that distinction defines not only operational efficiency, but regulatory credibility.