Ongoing AML Monitoring in India: Building a Transaction Monitoring and STR Programme That Works

Compliance with India’s AML framework does not end at onboarding. The Prevention of Money Laundering Act and the RBI’s KYC Master Directions establish continuous obligations (transaction monitoring, suspicious activity identification, Cash Transaction Reporting, and Suspicious Transaction Reporting to FIU-IND) that apply throughout every customer relationship. For fintechs and NBFCs that have invested in robust onboarding verification, the ongoing monitoring dimension is often underbuilt: the checks that happen at account opening are solid, but the continuous surveillance programme is fragmented, rule-light, or so alert-heavy that it generates more noise than signal. This guide addresses what an effective ongoing AML monitoring programme looks like for India-regulated entities.

Table of Contents

  1. The Ongoing Monitoring Obligation Under PMLA
  2. Transaction Monitoring: Rule Design for Indian Typologies
  3. Cash Transaction Reports: Thresholds, Format, and Filing
  4. Suspicious Transaction Identification: From Alert to Suspicion
  5. Filing STRs with FIU-IND: Requirements and Common Errors
  6. Technology for Ongoing Monitoring: What the Market Offers
  7. Key Takeaways
  8. Frequently Asked Questions
  9. Conclusion

The Ongoing Monitoring Obligation Under PMLA

Section 12 of PMLA requires Reporting Entities to maintain records of all transactions, monitor customer accounts for suspicious activity, and file reports with FIU-IND. The ongoing monitoring obligation is not satisfied by a periodic review: it requires continuous monitoring of transactions as they occur, with the capability to identify anomalies and escalate them for review within the timelines mandated by the Act.

For NBFCs, the practical scope of ongoing monitoring depends on their product mix. A term lender with few transactions per borrower per month has a different monitoring challenge from a payment aggregator processing thousands of merchant transactions per day. The underlying obligation is the same (monitor for suspicious activity and report it), but the volume and velocity of transactions shape the technology and operational design required.

FIU-IND has increased its focus on the quality of ongoing monitoring programmes in recent years, beyond checking that reporting entities have filed CTRs and STRs. Inspection focus now includes: whether the transaction monitoring rules are calibrated to the RE’s specific business and customer profile; whether the alert review process is documented and conducted by appropriately authorised staff; and whether STR filing decisions are made with proper documentation of the reasoning, whether filing or not filing.

Transaction Monitoring: Rule Design for Indian Typologies

Transaction monitoring rules are the logic that converts raw transaction data into alerts for human review. Rule design is consequential: poorly designed rules generate either too few alerts (missing genuine suspicious activity) or too many (creating alert fatigue that causes genuine alerts to be missed). PMLA typologies specific to the Indian context should inform rule design.

Key typologies for Indian financial services that should be reflected in monitoring rules: structuring (multiple cash transactions below ₹10 lakh in a short period, designed to avoid the CTR reporting threshold); rapid layering through UPI or IMPS (often in equal amounts, consistent with mule network behaviour); account dormancy followed by high-volume activity (accounts that have had no or minimal activity for months suddenly experiencing a spike); unusual beneficiary patterns (transfers to a large number of first-time recipients within a short period); and trade-based anomalies for entities with export or import exposure (invoice value significantly inconsistent with market rates for the described goods).

Rule calibration requires baseline data: what is the normal transaction pattern for a customer in this risk tier, product category, and demographic profile? A rule that fires when a transaction is three standard deviations above a customer’s baseline is more precise than one that fires when a transaction exceeds an absolute threshold. Statistical baselining requires historical transaction data and a model development cycle that is not instantaneous.
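The baselined rule described above, next to a fixed-limit rule, as an added example (not code from any monitoring product). The histories, `min_history`, `fallback_limit` and the ₹1 lakh fixed limit are assumed values; only the three-standard-deviation multiplier comes from the text.

```python
from statistics import mean, stdev

def baseline_alert(history, amount, k=3.0, min_history=10, fallback_limit=500_000):
    """Decide whether `amount` is anomalous against this customer's own history.

    Returns (fired, basis). k=3.0 is the article's three-standard-deviation rule;
    min_history and fallback_limit are assumed values for illustration.
    """
    if len(history) < min_history:
        # New or thin-file customer: no usable baseline yet, so fall back to
        # an absolute limit rather than trusting a noisy standard deviation.
        return amount > fallback_limit, "absolute_fallback"
    mu, sigma = mean(history), stdev(history)
    if sigma == 0:
        # Perfectly regular history (e.g. a fixed EMI): any increase is a deviation.
        return amount > mu, "zero_variance"
    return (amount - mu) / sigma > k, "baseline"

def absolute_alert(amount, limit=100_000):
    """The cruder rule the article contrasts: one fixed limit for everyone."""
    return amount > limit

# Constructed histories (amounts in rupees) for two hypothetical customers.
RETAIL = [18000, 22000, 20000, 19000, 21000, 20000,
          23000, 17000, 20000, 21000, 19000, 20000]
HIGH_VALUE = [a * 20 for a in RETAIL]  # same shape, mean Rs 4 lakh

def compare(history, amount):
    """Run both rules on one transaction so their disagreement is visible."""
    fired, basis = baseline_alert(history, amount)
    return {"baseline": fired, "basis": basis, "absolute": absolute_alert(amount)}

if __name__ == "__main__":
    print(compare(RETAIL, 95000))        # spike for this customer, under the fixed limit
    print(compare(HIGH_VALUE, 440000))   # routine for this customer, over the fixed limit
    print(compare(RETAIL[:4], 95000))    # thin history: fallback rule applies
    print(compare([15000] * 12, 15001))  # fixed EMI history: zero-variance branch
```

The first two cases show the two failure modes of a fixed limit: it misses a spike that is large only relative to the customer, and it fires on activity that is routine for a high-value customer.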

Cash Transaction Reports: Thresholds, Format, and Filing

Cash Transaction Reports (CTRs) must be filed with FIU-IND for all cash transactions above ₹10 lakh in a calendar month, whether as a single transaction or as multiple transactions that aggregate above the threshold. The filing must occur within fifteen days of the end of the month in which the threshold was crossed, through the FINnet 2.0 portal.

A common implementation error is monitoring only for individual transactions above ₹10 lakh, without transaction aggregation logic across the month. An account that receives nine cash deposits of ₹1.2 lakh each in a month has crossed the CTR threshold: the aggregation logic must operate at the account level across the reporting period, not just at the individual transaction level.

CTR filing is a mechanical compliance requirement: it does not require suspicion, only the crossing of the threshold. However, an account that is consistently generating CTR filings, particularly in patterns that suggest structuring, should also be generating STR consideration. The CTR and STR workflows should be connected, not isolated.
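Account-level monthly aggregation with a hand-off to STR review, as an added example rather than code from the article or any vendor. The record layout, account names and the `refer_for_str_review` flag are assumptions; the threshold and the fifteen-day window are the figures stated above.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

CTR_THRESHOLD = Decimal("1000000")  # Rs 10 lakh, the threshold stated in the article
FILING_WINDOW_DAYS = 15             # days after month-end, per the article

def month_end(year, month):
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    return first_of_next - timedelta(days=1)

def ctr_candidates(transactions):
    """Aggregate cash per (account, calendar month) and list CTR obligations."""
    buckets = defaultdict(list)
    for txn in transactions:
        if txn["mode"] != "CASH":
            continue  # only cash counts towards the CTR threshold
        d = txn["date"]
        buckets[(txn["account"], d.year, d.month)].append(Decimal(txn["amount"]))
    reports = []
    for (account, year, month), amounts in sorted(buckets.items()):
        total = sum(amounts)
        if total <= CTR_THRESHOLD:
            continue
        reports.append({
            "account": account,
            "period": f"{year}-{month:02d}",
            "total": total,
            "file_by": month_end(year, month) + timedelta(days=FILING_WINDOW_DAYS),
            # Assumption: a threshold crossed only in aggregate is sent to STR review.
            "refer_for_str_review": max(amounts) <= CTR_THRESHOLD,
        })
    return reports

def sample_transactions():
    """Constructed sample data; account names are hypothetical."""
    txns = [{"account": "ACC-A", "date": date(2025, 3, day), "mode": "CASH",
             "amount": 120000} for day in range(3, 30, 3)]  # nine deposits of Rs 1.2 lakh
    txns += [
        {"account": "ACC-B", "date": date(2025, 3, 10), "mode": "CASH", "amount": 1500000},
        {"account": "ACC-C", "date": date(2025, 3, 28), "mode": "CASH", "amount": 600000},
        {"account": "ACC-C", "date": date(2025, 4, 2), "mode": "CASH", "amount": 600000},
        {"account": "ACC-D", "date": date(2025, 3, 5), "mode": "UPI", "amount": 2000000},
    ]
    return txns

if __name__ == "__main__":
    for report in ctr_candidates(sample_transactions()):
        print(report)
```

ACC-C shows the boundary case: ₹12 lakh in cash within six days, but split across two calendar months, so no CTR obligation arises in either month and only a separate structuring rule would surface it.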

Suspicious Transaction Identification: From Alert to Suspicion

The chain from transaction monitoring alert to STR filing involves several steps, each requiring documentation. Step one: the alert is generated by the transaction monitoring system. Step two: the alert is reviewed by a designated analyst, who assesses whether the transaction activity is explained by the customer’s known profile and declared business. Step three: if the analyst cannot satisfactorily explain the activity, the case is escalated to the Principal Officer (the designated PMLA compliance officer). Step four: the Principal Officer determines whether a suspicion exists (defined in PMLA as a reasonable ground to believe, not certainty) and makes the STR filing decision.

The documentation at each step is as important as the decision. FIU-IND inspections examine whether: alerts were reviewed within a defined SLA; review decisions (file/not file) were made by appropriately authorised staff; the reasoning for not filing was documented (not just the decision to file); and the overall alert-to-STR ratio is plausible for the RE’s business profile and risk environment. An RE that reviews hundreds of alerts per month and never files an STR is likely to draw regulatory scrutiny.

Filing STRs with FIU-IND: Requirements and Common Errors

STRs must be filed through the FINnet 2.0 portal within seven working days of the formation of suspicion. The STR format requires: the reporting entity’s details, the customer’s details (identity, account information, KYC reference), the transaction details (date, amount, type, counterparties), a narrative description of the suspicious activity and the basis of suspicion, and details of any internal investigation steps taken.

Common STR filing errors include: filing beyond the seven-day window (the most frequent compliance failure, typically caused by protracted internal review processes that delay the Principal Officer’s decision); incomplete counterparty information (failing to document all parties to the suspicious transaction, particularly in complex layering cases); vague narrative sections that do not clearly describe the basis of suspicion or the investigation steps taken; and failing to include all relevant account activity in the report, not just the triggering transaction.

The non-disclosure obligation is categorical: the existence of a filed STR cannot be disclosed to the customer or any third party, other than to law enforcement pursuant to a lawful order or to PMLA-authorised sharing arrangements. Inadvertent disclosure, through account actions that the customer might infer are linked to a report, is also restricted.

Technology for Ongoing Monitoring: What the Market Offers

The technology landscape for AML ongoing monitoring in India includes global platforms designed for multinational banks (NICE Actimize, Oracle FCCM, SAS AML), which are powerful but often over-engineered and over-priced for smaller NBFCs and fintechs; regional platforms with India-specific regulatory alignment (CTR thresholds in INR, FINnet filing integration, PMLA typology rule libraries); and API-driven monitoring services that provide transaction scoring and alert generation as a managed service, without requiring the organisation to build and maintain the underlying rule engine.

For growth-stage fintechs and mid-tier NBFCs, API-driven monitoring services offer the best cost-to-capability ratio: they provide professional-grade monitoring without the infrastructure investment of enterprise AML platforms. The key evaluation criteria are: India-specific typology coverage, FINnet integration for STR filing, CTR aggregation logic, and alert quality (false positive rates and calibration transparency).

Compliance Programme Governance: Beyond the Technology

AML technology (transaction monitoring systems, screening platforms, case management tools) is the infrastructure on which a compliance programme operates. But technology alone does not constitute a compliance programme. FIU-IND and RBI inspections consistently find that institutions with adequate technology but inadequate governance fail compliance reviews as often as those with technology gaps.

The governance elements that determine programme effectiveness are: clear ownership of the compliance function at the Board and senior management level, with AML compliance explicitly on the Board’s risk oversight agenda; adequate resourcing of the compliance team, both in headcount and in the technical skills required to manage and calibrate a modern monitoring system; documented policies and procedures that are reviewed and updated at least annually and whenever regulatory requirements change; compliance training for staff who interact with customers or process transactions, not just the compliance team; and a culture of compliance that makes raising concerns about unusual customer or transaction activity comfortable and expected.

The Board’s role in AML compliance governance is substantive, not ceremonial. The Board is expected to review the Chief Compliance Officer’s periodic reports on compliance programme performance, including metrics on alert volumes, STR filing rates, false positive ratios, and training completion, and to take action when the programme is not performing to the required standard. A Board that approves AML policies annually without engaging with the operational performance of the programme is not meeting its governance responsibility under the PMLA framework.

Key Takeaways

  • Ongoing AML monitoring under PMLA is a continuous obligation: transaction monitoring, CTR filing, and STR consideration must operate throughout the customer relationship, not just at onboarding.
  • CTR aggregation must operate at the account level across the month: nine transactions of ₹1.2 lakh each trigger the same filing obligation as a single ₹10.8 lakh transaction.
  • The alert-to-STR documentation chain (generation, analyst review, Principal Officer decision, filing rationale) must be fully documented; the reasoning for not filing is as important as the decision to file.
  • STRs must be filed within seven working days of forming a suspicion; protracted internal review processes are the most common cause of late filing.
  • For mid-tier NBFCs and fintechs, API-driven monitoring services offer professional-grade monitoring capability without the infrastructure investment of enterprise AML platforms.

Frequently Asked Questions

Q: What is the CTR threshold in India and when must it be filed?

Cash Transaction Reports must be filed with FIU-IND for all cash transactions aggregating above ₹10 lakh in a calendar month. Filing must occur within fifteen days of month-end through the FINnet 2.0 portal. The threshold applies to aggregated cash transactions across the month, not only to individual transactions exceeding ₹10 lakh: multiple smaller cash transactions that cumulatively cross the threshold also require filing.

Q: What is an STR and when does it need to be filed in India?

A Suspicious Transaction Report (STR) is filed with FIU-IND when a Reporting Entity’s Principal Officer has a reasonable ground to suspect that a transaction involves money laundering or terrorist financing proceeds. The filing deadline is seven working days from the formation of suspicion, not from the transaction date. STRs must not be disclosed to the customer or to third parties other than pursuant to a lawful order.

Q: How do you calibrate transaction monitoring rules to reduce false positives?

Calibration involves: using statistical baselining (customer transaction history as the reference rather than absolute thresholds alone), supplementing rule-based alerts with risk-tier context (a ₹5 lakh transfer from a high-value individual is lower risk than the same from a basic savings account), and reviewing alert-to-review-to-file ratios periodically to identify rules generating disproportionate false positives. Regular calibration cycles, quarterly at minimum, are best practice.

Conclusion

The AML monitoring programmes that consistently satisfy FIU-IND expectations and catch genuine financial crime are not those with the most rules or the highest alert volumes; they are those with the most thoughtful rule design, the most disciplined review workflows, and the most rigorous documentation of every decision in the alert-to-filing chain. The quality of the programme is determined by how well it converts transaction data into genuine risk intelligence, not by the sophistication of the technology alone.
