CompanyBelgium

Transaction monitoring and suspicious operation detection: methodology for Belgian regulated entities

Article 35 of the Belgian Act of 18 September 2017 requires ongoing monitoring. Full methodology to detect suspicious operations: red flags by typology, alert thresholds, scenarios to model, internal escalation and link with CTIF reporting.

March 24, 202612 min read

In brief

Article 35 of the Belgian Act of 18 September 2017 requires all regulated professions to conduct ongoing monitoring of business relationships. An effective framework rests on three pillars: profile-transaction consistency, formalized automatic rules, and modeled scenarios (smurfing, layering). Every alert must be analyzed through a 5-step process and documented in the decision log for 10 years.

The ongoing monitoring obligation

Article 35 of the Belgian Act of 18 September 2017 requires all regulated professions to conduct constant monitoring of the business relationship. Concretely: what you know about the client at the time of initial KYC must remain consistent with what you observe afterward.

Detecting a suspicious operation is not waiting for a dubious transaction. It is a framework combining automatic rules, human judgement and traceability.

This article describes the monitoring methodology that meets Belgian requirements in 2026.

The 3 monitoring pillars

Pillar 1 — Profile-transaction consistency

At each significant operation, verify it fits the economic profile declared by the client at KYC. A Walloon SME with annual turnover of €200,000 suddenly receiving a €500,000 transfer from an unknown counterparty → inconsistency to investigate.

Pillar 2 — Rule-based detection

Implement predefined thresholds and patterns triggering an automatic alert:

  • Amounts above thresholds (€10,000, €15,000, €100,000)
  • Structuring (multiple transfers just under thresholds)
  • Velocity (X transactions in Y hours)
  • Geographic risk
  • Listed counterparties (PEP, sanctions)

Pillar 3 — Scenario-based detection

Beyond simple rules, model realistic money-laundering scenarios:

  • Smurfing (structuring)
  • Layering (millefeuille of transfers)
  • Trade-based laundering (over/under-invoicing)
  • Cash-intensive cover (front business)
  • Round-trip transactions

Red flag catalog by typology

Transactional red flags

  • Structured operation: €9,500 Monday, €9,700 Tuesday, €9,800 Wednesday
  • Operation without apparent economic logic (transit between linked accounts)
  • Multi-bank payments without commercial justification
  • Cash above legal thresholds
  • Crypto-assets without prior declaration
  • Round-trip: send then quick refund

Geographic red flags

  • Flows to/from high-risk third countries (EU list)
  • Counterparties in tax havens
  • Countries under international sanctions (Russia, Iran, North Korea, Belarus...)
  • Countries on the FATF list under monitoring or non-compliant

Behavioral red flags

  • Client reluctant to provide additional info
  • Refusal to show source of funds
  • Sudden profile shift (×10 volume overnight)
  • Multiple UBOs in short period
  • Domiciliation with a little-known AML provider

Structural red flags

  • Recently incorporated shell company
  • UBO non-resident from opaque jurisdiction
  • Multiple changing directors
  • Too-broad or generic corporate purpose
  • No website, phone, premises

Default calibration, to adapt to your risk:

IndicatorLow thresholdHigh threshold
Single cash amount€3,000€10,000
7-day structuring€8,000€15,000
Monthly client cumulative€30,000€100,000
Velocity (tx/day)520
Turnover variation+50 %+200 %
New partner countries13

Thresholds too low generate too many false positives (your team drowns). Too high → false negatives.

Alert analysis methodology

When an alert triggers, the AMLCO or delegate must follow a 5-step process:

Step 1 — Initial triage (24 hours)

  • Check if the alert is an obvious false positive (bad calibration)
  • If not obvious → open an analysis file

Step 2 — Context reconstruction (48 hours)

  • Pull the client's last 30 operations
  • Compare with the initial KYC profile
  • Consult the recent UBO register
  • Re-screen PEP / sanctions

Step 3 — Interaction with the client (per situation)

  • Possible information request about the operation (without revealing the suspicion)
  • Documented in writing, no trace left for the client
  • ⚠️ Never mention a potential CTIF report (tipping-off prohibition)

Step 4 — Decision

  • No suspicion: justify in writing, archive, close alert
  • Borderline: second AMLCO read, management escalation

Step 5 — Archive and learn

  • Every alert (reported or not) integrated into the decision log
  • Monthly: trend analysis, threshold recalibration

Documentation to retain

Article 60 requires 10 years retention on:

  • Generated alerts (whether or not they lead to a report)
  • Internal analyses (dated, signed AMLCO note)
  • Reasoned non-reporting decisions (frequently missing)
  • Client exchanges (email, statement)
  • Context pieces (BCE extracts, contemporaneous UBO register)

Frequent mistakes

  • "Eyeballing" surveillance without formalized automatic rules → impossible to demonstrate in inspection
  • Identical thresholds regardless of client size
  • Alerts ignored through fatigue from poor calibration
  • No reasoned non-reporting log — finding #1
  • Too-direct info request to client → tipping-off
  • No monthly trend analysis
  • No second read on borderline cases
  • Mixing surveillance and CTIF reporting: two distinct frameworks
  • No rule update since last inspection
  • No continuing training on emerging typologies
  • How Company Belgium integrates monitoring

    The Company Belgium monitoring module rests on the 3 pillars:

    • Automatic profile-transaction monitoring on every client file via BCE and UBO feeds (consistency of directors, corporate purpose, capital)
    • Parameterizable rules: thresholds per client, per risk category, per geography
    • Pre-modeled scenarios: smurfing, layering, round-trip, trade-based — activate in a few clicks
    • Assisted triage: false positives flagged, continuous calibration
    • Decision log: alerts, analyses, reasoned non-reports tracked 10 years
    • AMLCO dashboard: indicators, trends, measured alert fatigue

    See also: risk assessment methodology, the full KYC file and the 2026 checklist.

    Bottom line

    Ongoing monitoring is not optional: it is Article 35 of the Act of 18/09/2017. Three mandatory pillars: profile-transaction consistency, automatic rules, modeled scenarios. All framed by a 5-step analysis process and a 10-year decision log.

    The ultimate test: an SPF Economie inspector asks for your latest monthly alerts report, the reasoned non-reports of the last 3 months, and the current rule calibration. If you can deliver in 15 minutes, your framework stands.

    Frequently asked questions

    What ongoing monitoring obligation applies to Belgian regulated entities ?

    Article 35 of the Belgian Act of 18 September 2017 requires all regulated professions (domiciliation centers, fiduciaries, notaries, lawyers, etc.) to conduct constant monitoring of the business relationship. Information gathered at initial KYC must remain consistent with operations observed over time. In 2026, SPF Economie systematically checks for a formalized framework with written rules and a decision log.

    What are the main transactional red flags to monitor in Belgium ?

    The most frequent red flags are payment structuring (multiple transfers just under legal thresholds), operations with no apparent economic logic, flows to high-risk countries per the EU list, PEP or sanctioned counterparties, and sudden volume shifts. A turnover change of more than 200 % in one month is also a strong signal requiring investigation.

    How do you calibrate AML alert thresholds without generating too many false positives ?

    Calibration must be adapted to each client's risk profile: a single threshold for all either generates too many alerts (team paralysis) or too few (false sense of security). Best practice is to define two levels per indicator (low and high threshold) and review calibration monthly by analyzing the false positive to true positive ratio. Company Belgium offers parameterizable rules per client and per risk category.

    How long must alerts and non-reporting decisions be retained ?

    Article 60 of the Act of 18 September 2017 requires 10-year retention for all generated alerts, whether or not they led to a CTIF report. Dated AMLCO notes, reasoned non-reporting decisions and client exchanges must also be archived for this period. The absence of a reasoned non-reporting log is the number one finding during SPF Economie inspections.

    Ready to get started?

    Create your free account and get your API keys in minutes.

    Comments

    Loading comments…

    Leave a comment

    Not published — used only to notify you.

    Comments are moderated before publication.

    Related articles

      AML transaction monitoring: detect suspicious operations Belgium | CompanyBelgium