AT A GLANCE

Starting January 1, 2028, all SEC-registered investment advisers (RIAs) must implement comprehensive transaction monitoring programs under FinCEN's new Bank Secrecy Act (BSA) rule. This requirement mandates that RIAs monitor client transactions for suspicious activity, file Suspicious Activity Reports (SARs) when necessary, and maintain detailed records. Unlike banks or broker-dealers, most RIAs are building these programs from scratch. This guide explains exactly how to configure transaction monitoring rules tailored to investment advisory activities, set risk-based thresholds that reduce false positives, leverage AI-powered automation to streamline detection, and establish compliant investigation and SAR filing workflows. Whether you manage $100 million or $10 billion in assets, your firm needs a monitoring system that catches red flags like structuring, layering, and unexplained third-party transfers without overwhelming your compliance team.

What Is FinCEN's 2028 AML Rule for RIAs?

In August 2024, FinCEN finalized regulations adding SEC-registered investment advisers to the Bank Secrecy Act's definition of "financial institution." This means RIAs face the same anti-money laundering obligations as banks and broker-dealers for the first time.

The rule requires RIAs to:

Effective date: January 1, 2028 (compliance deadline)

Enforcement: The SEC has examination authority and will apply standards comparable to those used for broker-dealers. Firms found deficient face enforcement actions, fines, and reputational damage.

This regulation closes a long-standing gap where investment advisers—who often manage billions in client assets—operated outside BSA requirements while criminals exploited this blind spot for money laundering.

Why Is Transaction Monitoring Required for RIAs?

Transaction monitoring is explicitly mandated under FinCEN's rule: RIAs must implement effective monitoring for transactions that could be indicative of criminal activities or the financing of terrorism and file SARs when suspicion arises.

Transaction monitoring serves three critical functions:

  1. Detection: Identifies unusual patterns that deviate from normal client behavior (e.g., a client who typically invests $500,000 quarterly suddenly makes five $9,500 contributions in one week)
  2. Deterrence: Criminals avoid firms with strong monitoring because they know suspicious activity will be flagged and reported
  3. Regulatory compliance: Without monitoring, you cannot fulfill SAR filing obligations—the cornerstone of BSA compliance

Real-world red flags RIA monitoring catches:

  • Structuring: A client makes multiple fund contributions of $9,800 to stay under the $10,000 reporting threshold
  • Layering: Rapid subscription into a fund followed by immediate redemption to a different bank account
  • Geographic risk: Wire transfer to a sanctioned country or high-risk jurisdiction with no investment rationale
  • Third-party payments: Client requests distribution be sent to an unrelated third party without clear business purpose

Unlike banks that process thousands of daily transactions, RIAs typically see fewer but larger movements. However, the sophistication required is higher—you must understand investment context, not just transaction amounts.

Can I Set Up Rules to Flag High-Risk Transactions?

Yes, and you must. Rule-based transaction monitoring is the industry standard approach for RIAs to detect suspicious activity at scale.

How rule-based monitoring works: A monitoring system applies pre-defined rules (also called scenarios or typologies) to every transaction. When a transaction matches the rule's criteria, the system generates an alert for compliance review.

Example rule: "Wire transfer exceeds $50,000 to a foreign account"

  • Trigger: Client wires $75,000 to a Swiss bank
  • Result: System generates alert for investigation
  • Outcome: Compliance reviews client profile, determines wire is for legitimate foreign real estate investment, documents reasoning, and clears alert

Essential rules for RIA transaction monitoring:

| Rule Scenario | Example Threshold | What It Detects |
|---|---|---|
| Large outbound wire | $50,000+ to foreign account | Unexplained capital flight, tax evasion |
| Rapid in-and-out | Redemption within 30 days of contribution | Layering, placement |
| Structuring pattern | 3+ transactions of $8,000-$9,999 in 30 days | Evading $10,000 reporting threshold |
| Third-party transfer | Any distribution to non-client account | Payment to criminals, kickbacks |
| High-risk geography | Any transaction involving sanctioned/high-risk country | Sanctions evasion, terrorist financing |
| Inconsistent activity | Transaction 3x larger than historical average | Account takeover, fraud |

The key is customization—your rules should reflect your specific client base, investment products, and risk assessment findings.

What Features Support Dynamic Rule Configuration for AML?

Dynamic rule configuration means your monitoring system automatically adjusts alert thresholds based on each client's individual risk rating. This is critical for RIAs because a $100,000 wire might be routine for an ultra-high-net-worth client but highly suspicious for a $50,000 account.

Core features of dynamic AML systems:

1. Risk-based thresholds

  • High-risk client: Wire alert triggers at $10,000
  • Medium-risk client: Wire alert triggers at $50,000
  • Low-risk client: Wire alert triggers at $100,000

2. Dynamic risk scoring The system recalculates client risk scoring and onboarding controls automatically when:

  • New negative news or sanctions matches appear
  • Transaction patterns change significantly
  • Geographic risk factors emerge
  • Client profile information updates

3. No-code rule builders Modern platforms let compliance officers create and modify rules through visual interfaces without IT support. You can:

  • Drag and drop conditions (e.g., "IF transaction amount > X AND destination country = Y")
  • Test rules against historical data before deploying
  • Adjust thresholds in minutes, not weeks

4. AI-powered anomaly detection Beyond rules, machine learning identifies outliers by learning each client's "normal" behavior:

  • Detects unusual patterns rules didn't anticipate
  • Reduces false positives by understanding context
  • Improves accuracy over time as the system learns

Pro Tip: Start with 5-7 core scenarios and expand based on your firm's risk assessment findings and alert investigation outcomes. Starting with too many rules creates alert fatigue.

How Do I Set Up Transaction Monitoring Rules for My RIA?

Building a compliant transaction monitoring program follows a five-step process:

Step 1: Conduct a Transaction Risk Assessment

Identify all transaction types in your business:

  • Investor contributions (subscriptions) into funds or managed accounts
  • Investor redemptions or withdrawal requests
  • Advisory fee payments (typically periodic from client assets)
  • Inbound/outbound wires and ACH transfers
  • Third-party transfers (e.g., sending proceeds to client's external account)
  • Asset transfers between accounts

Map risk factors for each transaction type:

  • Volume and frequency
  • Geographic destinations
  • Third-party involvement
  • Client risk ratings
  • Historical abuse patterns

Output: A documented list of high-risk transaction scenarios specific to your firm (e.g., "Fund redemptions to non-client accounts," "Wires to high-risk jurisdictions exceeding $25,000")

Step 2: Define Monitoring Rules and Risk-Based Thresholds

Create specific rules for each high-risk scenario identified in Step 1.

Sample RIA monitoring rules with risk-based thresholds:

| Scenario | Low-Risk Client | High-Risk Client |
|---|---|---|
| Foreign wire transfer | Alert if >$75,000 | Alert if >$20,000 |
| Structuring (multiple small transactions) | 5 transactions of $8,000+ in 30 days | 3 transactions of $5,000+ in 30 days |
| Rapid redemption | Redemption within 14 days of contribution | Redemption within 45 days of contribution |
| Third-party payment | Any amount | Any amount (zero tolerance) |
| Fee payment anomaly | 200% of normal fee amount | 150% of normal fee amount |

Document your logic: For each threshold, note why it's appropriate (e.g., "Average client contribution is $250,000, so $5,000 is statistically insignificant unless attempting structuring").
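
The sketch below applies four of the risk-tiered rules from the sample table above to a small set of transactions. It is an added illustration, not Flagright's or any vendor's code. The Txn fields, the evaluate function, the under-$10,000 ceiling on the structuring rule and the high-risk default for unrated clients are assumptions, and the transactions are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds from the Step 2 sample table (low-risk vs. high-risk client).
THRESHOLDS = {
    "low": {"foreign_wire": 75_000, "struct_n": 5, "struct_min": 8_000, "redeem_days": 14},
    "high": {"foreign_wire": 20_000, "struct_n": 3, "struct_min": 5_000, "redeem_days": 45},
}
# Assumption: structuring counts only amounts under $10,000, as in the
# "Essential rules" table; the Step 2 table gives a floor but no ceiling.
STRUCT_MAX = 10_000
STRUCT_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Txn:  # hypothetical record layout, not a custodian feed format
    client: str
    day: date
    kind: str  # "contribution", "redemption" or "wire_out"
    amount: float
    foreign: bool = False
    third_party: bool = False


def evaluate(txns, risk_by_client):
    """Apply the four rules in date order; return (client, rule, day) alerts."""
    alerts, history = [], {}  # history: client -> contributions seen so far
    for t in sorted(txns, key=lambda x: x.day):
        # Assumption: a missing or unrecognised rating gets the high-risk tier.
        th = THRESHOLDS.get(risk_by_client.get(t.client), THRESHOLDS["high"])
        past = history.setdefault(t.client, [])

        if t.kind == "wire_out" and t.foreign and t.amount > th["foreign_wire"]:
            alerts.append((t.client, "foreign_wire", t.day))

        if t.third_party:  # any amount, in both tiers
            alerts.append((t.client, "third_party_payment", t.day))

        # Rapid redemption: days since this client's most recent contribution.
        if t.kind == "redemption" and past:
            if (t.day - past[-1].day).days <= th["redeem_days"]:
                alerts.append((t.client, "rapid_redemption", t.day))

        if t.kind == "contribution":
            past.append(t)
            if th["struct_min"] <= t.amount < STRUCT_MAX:
                similar = [c for c in past
                           if th["struct_min"] <= c.amount < STRUCT_MAX
                           and t.day - c.day <= STRUCT_WINDOW]
                if len(similar) >= th["struct_n"]:
                    alerts.append((t.client, "structuring", t.day))
    return alerts


# Constructed sample data: client A is rated low, client B high.
SAMPLE_RISK = {"A": "low", "B": "high"}
SAMPLE_TXNS = [
    Txn("B", date(2026, 1, 5), "contribution", 5_500),
    Txn("B", date(2026, 1, 12), "contribution", 6_000),
    Txn("B", date(2026, 1, 20), "contribution", 7_000),   # third in 30 days
    Txn("A", date(2026, 2, 2), "wire_out", 60_000, foreign=True),
    Txn("B", date(2026, 2, 2), "wire_out", 60_000, foreign=True),
    Txn("A", date(2026, 3, 1), "contribution", 250_000),
    Txn("B", date(2026, 3, 1), "contribution", 200_000),
    Txn("A", date(2026, 3, 21), "redemption", 50_000),    # 20 days later
    Txn("B", date(2026, 3, 21), "redemption", 50_000),    # 20 days later
    Txn("A", date(2026, 4, 10), "redemption", 1_000, third_party=True),
]

if __name__ == "__main__":
    for client, rule, day in evaluate(SAMPLE_TXNS, SAMPLE_RISK):
        print(day, client, rule)
```

The same $60,000 foreign wire and the same 20-day redemption alert only for the high-risk client, which is the behaviour the threshold table describes.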

Step 3: Select and Implement Monitoring Technology

Manual monitoring doesn't scale. Even small RIAs benefit from automated transaction monitoring software that can:

  • Ingest transaction data from custodians and administrators
  • Apply rules continuously (daily or real-time)
  • Generate alerts with transaction details pre-populated
  • Track alert investigation status and deadlines

Key software requirements:

  • Integration with your custodial platforms
  • No-code rule configuration
  • Risk score integration
  • Case management workflows
  • SAR form automation
  • Audit trail generation for SEC exams

Implementation timeline: 2-8 weeks depending on system complexity and data availability

Step 4: Build Alert Investigation Workflows

Every alert requires investigation. Establish clear procedures:

Investigation checklist:

  1. Review transaction details (amount, parties, timing, destination)
  2. Pull client KYC file (source of wealth, investment objectives, risk rating)
  3. Check for sanctions or negative news matches
  4. Review historical transaction patterns
  5. Contact relationship manager for context (if appropriate)
  6. Document findings comprehensively

Disposition options:

  • Clear alert: Legitimate transaction with reasonable explanation (document why)
  • Escalate to SAR: Suspicious activity requiring regulatory report
  • Request additional information: Need more data before deciding

Service level targets:

  • High-priority alerts: Investigate within 24 hours
  • Standard alerts: Investigate within 5 business days

Pro Tip: Create investigation templates with standard questions so analysts don't miss critical details. Include fields for "business purpose," "source of funds," and "relationship to client."

Step 5: Establish SAR Filing Procedures

If an investigation reveals suspicious activity, your firm must file a SAR with FinCEN.

SAR filing criteria: A SAR is required when you know, suspect, or have reason to suspect:

  • Transaction involves funds from illegal activity
  • Transaction is designed to evade BSA requirements (e.g., structuring)
  • Transaction has no business or lawful purpose
  • Transaction involves $5,000 or more (individual or aggregate)

SAR filing process:

  1. Escalate case to AML Compliance Officer
  2. Compile investigation documentation
  3. Complete FinCEN SAR form via BSA E-Filing System
  4. Include detailed narrative (who, what, when, where, why)
  5. File within 30 calendar days of detecting suspicious activity
  6. Do NOT notify the client (tipping off is prohibited)
  7. Maintain SAR records for 5 years

Common SAR triggers for RIAs:

  • Client refuses to provide source of wealth documentation
  • Multiple structuring patterns across accounts
  • Wire to sanctioned individual or entity
  • Redemption request immediately after negative news about client
  • Unusual third-party payment with no investment rationale

What AI Compliance Tools Flag High-Risk Activities for RIAs?

AI-native transaction monitoring platforms combine traditional rule-based detection with machine learning to improve accuracy and reduce false positives.

How AI enhances RIA monitoring:

1. Behavioral anomaly detection The system establishes a baseline of "normal" for each client, then flags deviations:

  • Client who contributes $100,000 quarterly for 3 years suddenly wires $500,000 → Alert
  • Client with domestic-only transactions sends first international wire → Alert
  • Redemption pattern changes from annual to weekly → Alert

2. Natural language processing AI reads unstructured data to identify risk:

  • Scans client emails and correspondence for suspicious phrases
  • Analyzes news articles for negative information about clients
  • Reviews transaction memos for red-flag keywords

3. Network analysis Maps relationships between clients to detect collusion:

  • Identifies circular fund flows between related accounts
  • Detects shared bank accounts or addresses
  • Flags unusual transaction timing patterns across multiple clients

4. Predictive false positive reduction Machine learning predicts which alerts are likely false positives based on historical investigation outcomes, allowing analysts to prioritize genuine threats.

Leading AI-powered AML platforms for RIAs:

Flagright offers rapid deployment (weeks, not months) with:

  • No-code rule builder for custom scenarios
  • Real-time risk scoring and alert generation
  • Integrated AML case management and SAR workflow automation
  • Pre-built RIA typologies based on industry best practices
  • AI anomaly detection that learns client behavior patterns

Key advantage: Purpose-built for firms launching AML programs from scratch, with minimal IT requirements and fast time-to-compliance.

How Do I Integrate Transaction Monitoring with My Overall AML Program?

Transaction monitoring is one pillar of your complete AML/BSA framework. It must work seamlessly with other program elements.

The five pillars of RIA AML compliance:

1. Risk Assessment

  • Purpose: Identify your firm's specific money laundering risks
  • Connection to monitoring: Risk assessment findings determine which transaction scenarios to monitor and at what thresholds

2. Internal Controls (includes transaction monitoring)

  • Purpose: Implement procedures to mitigate identified risks
  • Connection to monitoring: Monitoring operationalizes your controls by detecting when risks materialize

3. Customer Due Diligence

  • Purpose: Know your client's identity, business, and expected activity
  • Connection to monitoring: CDD data feeds into alert investigations (is this transaction consistent with what we know?)

4. Independent Testing

  • Purpose: Annual audit of AML program effectiveness
  • Connection to monitoring: Auditors review alert investigation quality, SAR filing timeliness, and rule calibration

5. Training

  • Purpose: Ensure staff can identify and report suspicious activity
  • Connection to monitoring: Trained employees escalate red flags they observe before automated alerts fire

Data flow example:

  1. Client onboarding → Risk scoring system assigns risk rating
  2. Risk rating → Monitoring system applies appropriate alert thresholds
  3. Transaction occurs → Monitoring system evaluates against rules
  4. Alert fires → Case management system creates investigation case
  5. Analyst investigates → References CDD file and watchlist screening
  6. Suspicious activity confirmed → SAR filing workflow initiated
  7. SAR filed → Risk assessment updated to reflect new threat pattern

Pro Tip: Use your monitoring alert outcomes to continuously improve your risk assessment. If you're filing SARs for a scenario not in your risk assessment, update it immediately.

What Are Common Transaction Monitoring Rules Examples for RIAs?

RIA-specific monitoring scenarios differ from bank scenarios because of the unique nature of investment advisory transactions.

12 Essential RIA Monitoring Rules:

1. Large Outbound Wire Transfer

  • Trigger: Wire transfer ≥$50,000 to foreign bank account
  • Detects: Capital flight, tax evasion, sanctions violations
  • Risk-based adjustment: Lower threshold for high-risk clients ($20,000) or high-risk countries (any amount)

2. Structuring / Smurfing Pattern

  • Trigger: 3+ transactions between $8,000-$9,999 within 30 days
  • Detects: Attempts to evade $10,000 Currency Transaction Report threshold
  • Risk-based adjustment: High-risk clients trigger at 2+ transactions or lower amounts ($5,000-$9,999)

3. Rapid Contribution-Redemption Cycle

  • Trigger: Redemption within 30 days of contribution
  • Detects: Layering scheme to obscure illicit fund origins
  • Risk-based adjustment: Extend window to 90 days for hedge funds with lock-up periods

4. Third-Party Payment Request

  • Trigger: Distribution payable to account not in client's name
  • Detects: Payment to criminals, kickbacks, fraud
  • Risk-based adjustment: Zero tolerance—all third-party payments require enhanced due diligence

5. High-Risk Geography Transaction

  • Trigger: Any wire to/from FATF high-risk jurisdiction or OFAC sanctioned country
  • Detects: Sanctions evasion, terrorist financing
  • Risk-based adjustment: Immediate escalation regardless of amount

6. Dormant Account Reactivation

  • Trigger: Transaction in account with no activity for 12+ months
  • Detects: Account takeover, compromised credentials
  • Risk-based adjustment: Lower threshold to 6 months for retail clients

7. Inconsistent Transaction Size

  • Trigger: Single transaction >300% of client's historical average
  • Detects: Unusual activity inconsistent with profile
  • Risk-based adjustment: Calculate percentage against rolling 12-month average

8. Multiple Fee Payment Anomalies

  • Trigger: Advisory fee payment >150% of normal quarterly amount
  • Detects: Overpayment to facilitate kickback return
  • Risk-based adjustment: Flag any fee paid from non-custodial account

9. Frequent Small Redemptions

  • Trigger: 10+ redemptions under $5,000 within 90 days
  • Detects: Structured withdrawals to avoid reporting
  • Risk-based adjustment: For clients with assets <$100,000, lower threshold to 5 redemptions

10. Cross-Border Round-Tripping

  • Trigger: Wire out to foreign account followed by wire back in within 14 days
  • Detects: Layering, value transfer disguised as investment
  • Risk-based adjustment: Flag if wires involve different beneficiaries

11. Politically Exposed Person (PEP) Activity

  • Trigger: Any transaction by client identified as PEP exceeding $25,000
  • Detects: Corruption proceeds, bribery, embezzlement
  • Risk-based adjustment: Enhanced monitoring for PEPs from high-corruption countries

12. Sanctions Watchlist Hit

  • Trigger: Transaction party name matches OFAC SDN list or similar watchlist
  • Detects: Prohibited transactions with sanctioned entities
  • Risk-based adjustment: Immediate freeze and escalation (zero tolerance)

Pro Tip: Test rules using historical transaction data before going live. Aim for 5-15 alerts per 1,000 transactions—too many indicates over-sensitive rules, too few means you're missing risks.

How Long Does It Take to Implement Transaction Monitoring for an RIA?

Typical implementation timeline: 8-16 weeks

Phase 1: Planning & Assessment (2-3 weeks)

  • Conduct transaction risk assessment
  • Inventory data sources (custodians, administrators)
  • Define initial monitoring scenarios
  • Select technology vendor

Phase 2: System Configuration (3-4 weeks)

  • Set up data feeds from custodians
  • Configure monitoring rules and thresholds
  • Build investigation workflows
  • Create SAR filing procedures

Phase 3: Testing & Calibration (2-3 weeks)

  • Back-test rules on historical transactions
  • Adjust thresholds to optimize alert volume
  • Train compliance staff on investigation procedures
  • Conduct end-to-end workflow testing

Phase 4: Go-Live & Monitoring (1 week)

  • Deploy system in production
  • Monitor initial alert generation
  • Fine-tune based on early results

Phase 5: Ongoing Optimization (continuous)

  • Monthly review of alert investigation outcomes
  • Quarterly threshold adjustments
  • Annual independent testing

Fast-track option: Cloud-based, pre-configured solutions like Flagright can compress implementation to 4-6 weeks by providing:

  • Out-of-the-box RIA rule templates
  • Standard integrations with major custodians
  • Automated data mapping
  • Pre-built SAR workflows

Pro Tip: Start monitoring 6-12 months before the January 2028 deadline to identify and resolve issues while you still have time to adjust.

What Are Best Practices for Reducing False Positive Alerts?

False positives waste resources and cause alert fatigue. High-performing RIA monitoring programs achieve 20-30% true positive rates (meaning 1 in 4 alerts requires SAR filing or escalation).

Seven strategies to reduce false positives:

1. Use risk-based thresholds Don't apply one-size-fits-all limits. A $100,000 wire is routine for a billionaire family office but suspicious for a $200,000 account.

2. Incorporate client context Configure rules to consider:

  • Investment strategy (day trader vs. buy-and-hold)
  • Account age (new accounts are riskier)
  • Client type (institutional vs. retail)
  • Historical transaction patterns

3. Whitelist known legitimate activities Exclude pre-approved transaction types:

  • Scheduled quarterly advisory fee payments or remittances
  • Regular rebalancing transactions
  • Documented standing instructions

4. Tune thresholds based on investigation outcomes If 95% of "large wire" alerts clear as legitimate:

  • Increase the threshold amount
  • Add additional criteria (e.g., must ALSO be to high-risk country)

5. Leverage AI for smarter alerting Machine learning reduces false positives by 40-60% by understanding:

  • Seasonal patterns (tax season redemptions)
  • Client life events (inheritance, divorce settlements)
  • Market-driven activity (rebalancing after volatility)

6. Create alert severity tiers Not all alerts require immediate investigation:

  • Critical: OFAC match, sanctioned country (investigate within 4 hours)
  • High: Structuring pattern, large foreign wire (24 hours)
  • Medium: Unusual transaction size (3 days)
  • Low: Minor threshold exceedance (5 days)

7. Document exclusions and tuning decisions Keep detailed records showing:

  • Why certain thresholds were chosen
  • Which legitimate activities are excluded
  • How rules were adjusted based on performance data

Pro Tip: Track your alert-to-SAR conversion rate monthly. If it's below 5%, your rules are too sensitive. Above 40% means you're missing risks.

Frequently Asked Questions

What is the FinCEN AML rule for RIAs?

FinCEN's AML rule mandates that Registered Investment Advisers (RIAs) implement comprehensive, risk-based AML/CFT programs by January 1, 2028. This includes transaction monitoring, customer due diligence, SAR filing, and recordkeeping—obligations previously limited to banks and broker-dealers.

Do small RIAs need transaction monitoring systems?

Yes. The rule applies to all SEC-registered investment advisers regardless of assets under management. Smaller firms can use simpler, cost-effective solutions, but manual-only monitoring is insufficient for BSA compliance.

How much does RIA transaction monitoring software cost?

Pricing varies widely. Basic cloud solutions start at $5,000-$15,000 annually for small RIAs. Mid-market platforms range from $25,000-$75,000. Enterprise systems for large RIAs can exceed $150,000 annually. Most vendors offer tiered pricing based on client count or transaction volume.

Can I rely on my custodian's transaction monitoring?

No. FinCEN explicitly states RIAs cannot outsource their monitoring obligation to custodians. While custodians monitor for their own compliance, RIAs must independently review transactions because they have unique knowledge of client investment objectives and profiles.

What happens if I don't file a required SAR?

Failure to file SARs is a serious BSA violation. Penalties include civil fines up to $100,000 per violation, criminal prosecution for willful violations, SEC enforcement actions, and potential loss of registration. The SEC has brought numerous enforcement cases against broker-dealers for SAR filing failures.

How often should I review and update monitoring rules?

At minimum, annually as part of your AML program independent testing. Best practice is quarterly threshold reviews and immediate updates when:

  • Your risk assessment changes
  • New money laundering typologies emerge
  • Alert investigation trends reveal rule gaps
  • Your business model or client base evolves

What's the difference between rules-based and AI-based monitoring?

Rules-based monitoring flags transactions matching specific criteria (e.g., "wire >$50K to foreign account"). AI-based monitoring uses machine learning to detect anomalies by learning normal patterns. Most effective systems combine both: rules catch known red flags, AI catches novel suspicious patterns rules didn't anticipate.

Do I need to monitor transactions in accounts held away from my custodian?

Yes, if you have discretionary authority or provide advice regarding those assets. Your monitoring scope should cover all client assets you advise on or manage, regardless of where they're held in custody. Obtain transaction feeds from all custodians.

What documentation do I need for SEC examinations?

SEC examiners will review:

  • Written AML policies and procedures including monitoring criteria
  • Risk assessment documenting why you chose specific scenarios and thresholds
  • Alert investigation files with analysis and disposition rationale
  • SAR filing decisions (both filed and declined)
  • System testing and tuning records
  • Training materials and attendance records
  • Independent testing reports

Can I use the same monitoring rules as broker-dealers?

You can use broker-dealer rules as a starting point, but must customize for RIA-specific transactions. RIAs see different patterns: less cash handling, larger transaction sizes, more wire transfers, fund subscriptions/redemptions instead of securities trades. Your rules must reflect your actual business model.

Actionable Tips for RIA Transaction Monitoring Success

Start Early Don't wait until 2027 to begin implementation. Build your monitoring program now to identify gaps and refine workflows before the deadline.

Prioritize Data Quality Garbage in, garbage out. Ensure custodial transaction feeds are complete, accurate, and timely. Missing data means missed red flags.

Document Everything SEC examiners focus on audit trails. Document why you configured each rule, how you investigated each alert, and the rationale for every SAR decision (file or don't file).

Calibrate Thresholds Continuously Your first rule settings won't be perfect. Review alert outcomes monthly and adjust thresholds to optimize detection without drowning in false positives.

Train Your Team Compliance staff need to understand money laundering typologies specific to investment advisers. Portfolio managers and client-facing staff should know what red flags to escalate.

Test With Historical Data Before going live, run rules against 6-12 months of past transactions. This reveals whether thresholds are appropriate and helps staff practice investigations.

Integrate With Risk Scoring Link monitoring to your client risk assessment. High-risk clients should automatically trigger more sensitive alerts without manual override.

Build SAR Workflows Early Don't wait for your first suspicious alert to figure out SAR filing procedures. Create templates, assign responsibilities, and practice with mock scenarios.

Choose Scalable Technology Select a system that grows with your firm. What works for 50 clients won't work for 500. Cloud-based solutions with flexible pricing are ideal for growth.

Consider Independent Validation Before the 2028 deadline, have an AML consultant or auditor review your monitoring program design to identify weaknesses the SEC might flag.

Conclusion

Transaction monitoring is the operational core of RIA anti-money laundering compliance under FinCEN's 2028 rule. While the requirement is new for investment advisers, the expectation is clear: RIAs must detect and report suspicious activity with the same rigor as banks and broker-dealers.

Success requires three elements: (1) well-designed monitoring rules calibrated to your specific risk profile, (2) efficient technology that automates detection and investigation workflows, and (3) trained staff who understand both money laundering patterns and your clients' legitimate investment activities.

The firms that will thrive are those treating this not as a compliance burden but as an operational capability that protects their business, clients, and reputation. Many RIAs are now shopping for AML compliance software to help meet the 2028 requirements—your RIA can demonstrate regulatory leadership while safeguarding against the reputational and financial risks of being exploited for money laundering.

Conduct your transaction risk assessment this quarter, evaluate monitoring technology solutions, and begin building the policies and procedures that will form your compliant AML transaction monitoring software. The deadline is closer than it appears.
