Unusual Activity
What is unusual activity?
Unusual activity refers to customer behaviour or transactions that deviate from the customer's established pattern — or from what is expected for similar customers — and therefore warrant further review. Sudden large transfers, transactions inconsistent with the customer's stated occupation, dealings with high-risk jurisdictions, and rapid bursts of activity in a previously dormant account are all classic examples.
Importantly, unusual activity is not the same as suspicious activity. Unusual activity is a signal that warrants investigation; suspicious activity is the conclusion that there is reasonable basis to suspect money laundering, terrorist financing, or a predicate offence — which typically triggers a regulatory filing.
Why unusual activity matters
Unusual activity is the upstream signal for almost every AML investigation. Most SARs and STRs originate as an unusual-activity alert that an analyst investigates and either dispositions away or escalates.
The quality of an institution's unusual-activity detection — the breadth of scenarios, the calibration of thresholds, the depth of analyst investigation — directly determines the quality of its SAR/STR output. Weak detection produces missed filings; over-tuned detection produces noise. Our wider AML compliance complete guide and five pillars of an AML programme writeup set out how unusual-activity detection sits inside the broader framework.
What counts as unusual?
The definition is intentionally context-dependent. What is unusual for one customer may be entirely routine for another.
Common patterns that institutions flag as unusual include sudden large cash deposits inconsistent with the customer's stated income or business; frequent transactions just below the CTR or other reporting threshold (a classic structuring signal); cross-border wires to or from high-risk jurisdictions without clear economic rationale; rapid movement of funds through multiple accounts followed by immediate withdrawal; and a long-dormant account that suddenly generates high-volume or high-value activity.
Further patterns include transactions inconsistent with the customer's occupation, age, or stated purpose; multiple new beneficiaries added in rapid succession on a personal account; round-tripping — funds returning to the originator after passing through intermediaries; use of complex corporate structures with limited beneficial-ownership transparency; and transactions that match known money-laundering typologies the institution has catalogued. Most real-world cases combine several signals rather than presenting as a single clean indicator.
Unusual activity vs suspicious activity
The two concepts often run together in everyday usage, but they sit at different points in the AML investigation lifecycle.
| Aspect | Unusual Activity | Suspicious Activity |
|---|---|---|
| What it is | A signal that warrants investigation | A conclusion that suspicion is warranted |
| Detection | Transaction monitoring, frontline observation, screening | The outcome of investigating unusual activity (or direct intelligence) |
| Action | Internal investigation, escalation, Unusual Activity Referral (UAR) | Regulatory filing — SAR (US, Canada, India) or STR (EU, UK, UAE, APAC) |
| Reporting | Internal only | Mandatory external filing to the FIU |
| Customer disclosure | No general prohibition (unless tipping-off applies) | Strict tipping-off prohibitions |
Most unusual activity is investigated and dispositioned away as innocent — a customer with a new job, a one-off large purchase, a verified business pivot. Only the subset that survives investigation becomes suspicious activity requiring formal filing.
How unusual activity is detected
Modern AML programmes use three layered detection methods that complement each other.
Automated transaction monitoring
Transaction monitoring systems run rules and scenarios across every customer's activity in near real time, generating alerts when behaviour breaches a defined threshold or matches a typology pattern. Modern systems combine rule-based detection with machine-learning models that identify deviations from each customer's individual behavioural baseline — see our transaction monitoring primer for the detection-layer detail.
Frontline and customer-facing detection
Branch staff, relationship managers, agent networks, and customer-service teams observe customer behaviour in person — and frequently spot unusual signals that automated systems miss. Trained frontline staff are one of the most consistently underrated AML detection resources.
External referrals
Law-enforcement requests under information-sharing frameworks like USA PATRIOT Act Section 314, counterparty notifications, regulator inquiries, and adverse-media flags all surface activity that warrants institutional review.
What is an Unusual Activity Referral (UAR)?
Some institutions use the term Unusual Activity Referral (UAR) to describe the internal escalation that occurs when an analyst, frontline employee, or system raises a case for further investigation but has not yet reached the threshold for a SAR/STR. A UAR is an internal compliance artefact — not a regulatory filing — and forms part of the institution's case-management trail.
UARs are particularly common in payment institutions, fintechs, and other firms that operate tiered escalation models. Many UARs are dispositioned away after investigation; the subset that survives becomes a formal SAR/STR.
Investigating unusual activity
When unusual activity is detected, the analyst follows a structured investigation workflow. The analyst reviews the customer's profile, KYC data, recent transaction history, screening results, beneficial-ownership data, and any prior alerts.
The analyst then compares the observed activity against the customer's expected behaviour, the typology library, and the institution's risk policies. If the activity has a plausible legitimate explanation — verified with the customer through outreach where appropriate — the case is dispositioned and closed. If suspicion crystallises, the case is escalated to the MLRO for SAR/STR decisioning, supported by outputs from AML screening and the wider monitoring stack.
Tipping-off considerations
Customer outreach during investigation must be handled carefully. Direct questions about why a transaction was made are acceptable in many contexts; references to alerts, compliance triggers, or regulatory filings are not. Where the analyst's investigation moves towards a SAR/STR conclusion, tipping-off prohibitions apply with full force — see our sanctions screening AML guide for the broader investigative discipline.
Common failure patterns
Three failure patterns dominate regulatory findings on unusual-activity detection:
- Under-detection — too few scenarios in the monitoring library, thresholds tuned too loosely, weak frontline training, or alerts not generated for known typologies.
- Over-disposition — alerts generated and closed without genuine investigation, often driven by under-resourced compliance teams or commercial pressure.
- Investigation gaps — alerts investigated but conclusions undocumented, evidence not preserved, or escalation paths bypassed.
At a Glance
| Definition | Customer behaviour or transactions that deviate from expected patterns and warrant further review |
|---|---|
| Common detection sources | Transaction monitoring systems, frontline staff, customer screening, external referrals |
| Typical outcomes | Internal investigation, escalation, Unusual Activity Referral (UAR), or Suspicious Activity Report (SAR/STR) |
| Distinct from | Suspicious activity (where suspicion has crystallised and reporting may be mandatory) |
| Related concepts | SAR/STR, Typology, Transaction Monitoring, Red Flags, CTR |
Stay ahead of risk with Signzy
Explore tools that help you onboard, monitor, and verify with confidence
Transaction Monitoring
Monitor transactions in real-time and analyse past behaviour to identify suspicious activities and ensure regulatory compliance across the user journey.
AML Screening
Screen users against Politically Exposed Persons (PEP), watchlists, sanctions lists, adverse media, and more through one-time screening and advanced monitoring.
Database Verification
Instantly verify user information by connecting to trusted databases across jurisdictions for accurate, compliant, and faster onboarding.
Related Terms
FAQ
What is unusual activity in AML?
Unusual activity is customer behaviour or transactions that deviate from the customer's established pattern or from what is expected for similar customers — and therefore warrant further review. It is the upstream signal for almost every AML investigation and the most common origin point for Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs).
What is the difference between unusual activity and suspicious activity?
Unusual activity is a signal that warrants investigation. Suspicious activity is the conclusion — reached after investigation — that there is reasonable basis to suspect money laundering, terrorist financing, or a predicate offence. Unusual activity triggers internal review; suspicious activity triggers a mandatory regulatory filing with the relevant Financial Intelligence Unit.
What are some examples of unusual activity?
Common examples include sudden large cash deposits inconsistent with the customer's stated income, frequent transactions just below reporting thresholds (structuring), cross-border wires to high-risk jurisdictions without clear rationale, sudden activity in a dormant account, rapid movement of funds through multiple accounts, and use of complex corporate structures with limited beneficial-ownership transparency.
What is an Unusual Activity Referral (UAR)?
An Unusual Activity Referral (UAR) is the internal escalation that occurs when an analyst, frontline employee, or system raises a case for further investigation but has not yet reached the threshold for a SAR or STR. UARs are internal compliance artefacts — not regulatory filings — and form part of the institution's case-management trail.
Does unusual activity always lead to a SAR or STR?
No. Most unusual activity is investigated and dispositioned away as innocent — a customer with a new job, a verified business pivot, a one-off legitimate purchase. Only the subset that survives investigation and reaches the threshold of reasonable suspicion of money laundering, terrorist financing, or a predicate offence becomes a SAR or STR.