AML / BSA Transaction Monitoring Data Field Checklist

Two distinct fields. Source of funds is the origin of the deposit at opening (salary, inheritance, business sale). Source of wealth is the lifetime narrative. Monitoring rules need both to evaluate whether observed activity matches expected.

Documented expected transaction volume, value, and counterparty mix at opening. Without this baseline, every alert is 'unusual vs. statistical population' instead of 'unusual vs. this customer's stated expectations.'

Customer risk rating (low / medium / high) with the specific factors driving it (geography, occupation, product, PEP status) and a versioned trail of rating changes. High-risk customers get a tighter monitoring threshold.

Per OFAC and FinCEN guidance, screening status with refresh date for politically-exposed persons, sanctions matches, and adverse-media hits. Stale screens (>quarterly) are an exam finding.

Both sides of every transaction with sufficient identification — for wires per Travel Rule, name + account + address. Same-account transfers within the household graph still need both sides.

Categorical tag for the counterparty type (retail payee, wholesale, retail-business-merchant, P2P payment, crypto exchange, money services business). MSB and crypto-exchange counterparties are typology-relevant.

For each transaction, the funding source (cash deposit, ACH from external account, wire, internal transfer) and destination type. Cash + structuring-amount + retail-payee is the canonical structuring signal.

Country fields for all three parties. High-risk-jurisdiction routing (per FATF + OFAC) is the canonical layering signal.

Documented relationship graph between customers — joint accounts, beneficial owners of the same entity, shared address, shared SSN. Structuring detection that misses cross-customer aggregation misses the most common evasion pattern.

Customer activity rolled up across deposit accounts, brokerage accounts, lending products, and payment products. Layering that crosses product boundaries within the institution is invisible to product-siloed monitoring.

For entity accounts, the chain from the legal-entity account through to the natural-person beneficial owners (FinCEN CDD rule). Activity must roll up to the natural person for typology evaluation.

Per FinCEN Advisory FIN-2014-A005, indicators include multiple sub-CTR-threshold cash deposits in short windows, deposits across multiple branches, and deposits split between related accounts. Each indicator should be a field, not derived ad-hoc by analysts.

Per FFIEC, deposits from many sources followed by quick wire-out to a single beneficiary. Detecting requires lookback aggregation across deposit sources.

Funds in / funds out within hours-to-days with little or no apparent business purpose. Common in trade-based money laundering and crypto-related layering.

Aggregate activity that materially exceeds the documented expected profile. Without the expected profile from the customer-profile section, this signal can't fire.

Every alert generated by the monitoring system has a disposition (closed-no-action / closed-with-monitoring / SAR-filed / SAR-considered-not-filed) with a documented rationale. 'No-action' alerts must show the analyst's reasoning.

Per BSA, SAR filings with timestamp, narrative, and continuation-SAR flags for ongoing activity. Continuation SARs filed every 90 days for ongoing patterns.

For SAR-filed alerts, link to the investigation case file with the supporting transaction list, customer interaction log, and reviewer chain. The case file is the artifact regulators request first.