Transaction monitoring and suspicious operation detection: methodology for Belgian regulated entities
Article 35 of the Belgian Act of 18 September 2017 requires ongoing monitoring. Full methodology to detect suspicious operations: red flags by typology, alert thresholds, scenarios to model, internal escalation and link with CTIF reporting.
In brief
Article 35 of the Belgian Act of 18 September 2017 requires all regulated professions to conduct ongoing monitoring of business relationships. An effective framework rests on three pillars: profile-transaction consistency, formalized automatic rules, and modeled scenarios (smurfing, layering). Every alert must be analyzed through a 5-step process and documented in the decision log for 10 years.
The ongoing monitoring obligation
Article 35 of the Belgian Act of 18 September 2017 requires all regulated professions to conduct constant monitoring of the business relationship. Concretely: what you know about the client at the time of initial KYC must remain consistent with what you observe afterward.
Detecting a suspicious operation is not waiting for a dubious transaction. It is a framework combining automatic rules, human judgement and traceability.
This article describes the monitoring methodology that meets Belgian requirements in 2026.
The 3 monitoring pillars
Pillar 1 — Profile-transaction consistency
At each significant operation, verify it fits the economic profile declared by the client at KYC. A Walloon SME with annual turnover of €200,000 suddenly receiving a €500,000 transfer from an unknown counterparty → inconsistency to investigate.
Pillar 2 — Rule-based detection
Implement predefined thresholds and patterns triggering an automatic alert:
- Amounts above thresholds (€10,000, €15,000, €100,000)
- Structuring (multiple transfers just under thresholds)
- Velocity (X transactions in Y hours)
- Geographic risk
- Listed counterparties (PEP, sanctions)
Pillar 3 — Scenario-based detection
Beyond simple rules, model realistic money-laundering scenarios:
- Smurfing (structuring)
- Layering (millefeuille of transfers)
- Trade-based laundering (over/under-invoicing)
- Cash-intensive cover (front business)
- Round-trip transactions
Red flag catalog by typology
Transactional red flags
- Structured operation: €9,500 Monday, €9,700 Tuesday, €9,800 Wednesday
- Operation without apparent economic logic (transit between linked accounts)
- Multi-bank payments without commercial justification
- Cash above legal thresholds
- Crypto-assets without prior declaration
- Round-trip: send then quick refund
Geographic red flags
- Flows to/from high-risk third countries (EU list)
- Counterparties in tax havens
- Countries under international sanctions (Russia, Iran, North Korea, Belarus...)
- Countries on the FATF list under monitoring or non-compliant
Behavioral red flags
- Client reluctant to provide additional info
- Refusal to show source of funds
- Sudden profile shift (×10 volume overnight)
- Multiple UBOs in short period
- Domiciliation with a little-known AML provider
Structural red flags
- Recently incorporated shell company
- UBO non-resident from opaque jurisdiction
- Multiple changing directors
- Too-broad or generic corporate purpose
- No website, phone, premises
Recommended alert thresholds
Default calibration, to adapt to your risk:
| Indicator | Low threshold | High threshold |
|---|---|---|
| Single cash amount | €3,000 | €10,000 |
| 7-day structuring | €8,000 | €15,000 |
| Monthly client cumulative | €30,000 | €100,000 |
| Velocity (tx/day) | 5 | 20 |
| Turnover variation | +50 % | +200 % |
| New partner countries | 1 | 3 |
Thresholds too low generate too many false positives (your team drowns). Too high → false negatives.
Alert analysis methodology
When an alert triggers, the AMLCO or delegate must follow a 5-step process:
Step 1 — Initial triage (24 hours)
- Check if the alert is an obvious false positive (bad calibration)
- If not obvious → open an analysis file
Step 2 — Context reconstruction (48 hours)
- Pull the client's last 30 operations
- Compare with the initial KYC profile
- Consult the recent UBO register
- Re-screen PEP / sanctions
Step 3 — Interaction with the client (per situation)
- Possible information request about the operation (without revealing the suspicion)
- Documented in writing, no trace left for the client
- ⚠️ Never mention a potential CTIF report (tipping-off prohibition)
Step 4 — Decision
- No suspicion: justify in writing, archive, close alert
- Confirmed suspicion: trigger the CTIF reporting procedure
- Borderline: second AMLCO read, management escalation
Step 5 — Archive and learn
- Every alert (reported or not) integrated into the decision log
- Monthly: trend analysis, threshold recalibration
Documentation to retain
Article 60 requires 10 years retention on:
- Generated alerts (whether or not they lead to a report)
- Internal analyses (dated, signed AMLCO note)
- Reasoned non-reporting decisions (frequently missing)
- Client exchanges (email, statement)
- Context pieces (BCE extracts, contemporaneous UBO register)
Frequent mistakes
How Company Belgium integrates monitoring
The Company Belgium monitoring module rests on the 3 pillars:
- Automatic profile-transaction monitoring on every client file via BCE and UBO feeds (consistency of directors, corporate purpose, capital)
- Parameterizable rules: thresholds per client, per risk category, per geography
- Pre-modeled scenarios: smurfing, layering, round-trip, trade-based — activate in a few clicks
- Assisted triage: false positives flagged, continuous calibration
- Decision log: alerts, analyses, reasoned non-reports tracked 10 years
- Direct link with the CTIF reporting module (goAML generation in 1 click)
- AMLCO dashboard: indicators, trends, measured alert fatigue
See also: risk assessment methodology, the full KYC file and the 2026 checklist.
Bottom line
Ongoing monitoring is not optional: it is Article 35 of the Act of 18/09/2017. Three mandatory pillars: profile-transaction consistency, automatic rules, modeled scenarios. All framed by a 5-step analysis process and a 10-year decision log.
The ultimate test: an SPF Economie inspector asks for your latest monthly alerts report, the reasoned non-reports of the last 3 months, and the current rule calibration. If you can deliver in 15 minutes, your framework stands.
Frequently asked questions
What ongoing monitoring obligation applies to Belgian regulated entities ?
Article 35 of the Belgian Act of 18 September 2017 requires all regulated professions (domiciliation centers, fiduciaries, notaries, lawyers, etc.) to conduct constant monitoring of the business relationship. Information gathered at initial KYC must remain consistent with operations observed over time. In 2026, SPF Economie systematically checks for a formalized framework with written rules and a decision log.
What are the main transactional red flags to monitor in Belgium ?
The most frequent red flags are payment structuring (multiple transfers just under legal thresholds), operations with no apparent economic logic, flows to high-risk countries per the EU list, PEP or sanctioned counterparties, and sudden volume shifts. A turnover change of more than 200 % in one month is also a strong signal requiring investigation.
How do you calibrate AML alert thresholds without generating too many false positives ?
Calibration must be adapted to each client's risk profile: a single threshold for all either generates too many alerts (team paralysis) or too few (false sense of security). Best practice is to define two levels per indicator (low and high threshold) and review calibration monthly by analyzing the false positive to true positive ratio. Company Belgium offers parameterizable rules per client and per risk category.
How long must alerts and non-reporting decisions be retained ?
Article 60 of the Act of 18 September 2017 requires 10-year retention for all generated alerts, whether or not they led to a CTIF report. Dated AMLCO notes, reasoned non-reporting decisions and client exchanges must also be archived for this period. The absence of a reasoned non-reporting log is the number one finding during SPF Economie inspections.
Comments
Related articles

Notaries: verifying beneficial owners before an authentic act
Notaries are on the front line to block money-laundering setups via companies. Incorporation, merger, share transfer, real estate sale: every act demands enhanced UBO due diligence. Here is the complete checklist to secure an authentic act without burdening practice.

The Belgian trial period is back: what the Clarinval reform changes for SMEs from day one
On 21 May 2026, the Belgian Chamber voted to reinstate a trial regime covering the first six months of the employment contract. Notice cut to one week, written reasoning, scope limited to new contracts: what employers need to grasp before publication in the Moniteur belge.

Branch in Belgium and the UBO register: what the foreign company must do
A foreign company opening a branch in Belgium is not a Belgian company: the branch has no separate legal personality. That changes everything for the UBO register. Find out who must declare what, and why a Belgian SRL subsidiary offers a cleaner compliance footprint.
