Every bank has a transaction monitoring system. Most have hundreds of rules. Many have alert-to-SAR conversion rates below 2%. In some implementations that number is below 1%. A system generating thousands of alerts per day, almost all of which close as false positives, is not an AML control — it is noise that costs analysts time and desensitises them to genuine risk.
The Calibration Problem Nobody Tests
TMS calibration is the process of setting alert thresholds so the system generates meaningful alerts rather than volume. Too tight and you miss genuine suspicious activity. Too loose and your analysts spend their days closing false positives while real laundering flows through uninvestigated.
In UAT, most teams test whether the alert fires. They rarely test whether it fires at the right threshold, whether the threshold has been documented and justified, and whether the system produces evidence of calibration that a regulator could review. Those three gaps are exactly what RBI, FIU-IND, and FATF assessors look for during inspections.
The Three Gaps UAT Consistently Misses
1. Structuring detection — aggregate, not single transaction
Smurfing works precisely because each individual transaction is below the reporting threshold. A customer makes five cash deposits of ₹1.9 lakh each on the same day across different branches. Each is below the ₹10 lakh CTR threshold. Individually, no alert. Cumulatively, ₹9.5 lakh — structuring is a PMLA offence.
Your TMS must aggregate same-day transactions across branches and alert on the pattern. Most UAT plans test the single large cash deposit scenario. The aggregation logic — the harder and more important test — is absent.
Structuring detection — 5 same-day deposits aggregating above CTR threshold (PMLA smurfing). Large cash deposit ₹10 lakh single transaction — CTR mandatory filing with FIU-IND within 15 days.
2. Layering through multiple accounts — network analysis
Placement (cash in) is the easiest stage to detect. Layering is where most TMS implementations fail. Funds received in Account A, split immediately to Accounts B, C, D, then converged into Account F at another bank — a classic three-stage layering pattern. The alert requires network graph analysis, not just single-account rules. If your TMS cannot link accounts by common UBO, shared address, same IP address, or same mobile number, the layering pattern is invisible.
Layering through multiple accounts — TMS network analysis identifies funds split from Account A to B/C/D then converged to Account F. Linked account network analysis — common UBO, address, phone, IP flags all accounts simultaneously.
3. The tipping-off prohibition — what your system must not do
PMLA Section 13 prohibits any person from disclosing to the customer that a suspicious transaction report has been or may be filed. This is not a policy — it is a criminal provision. Your system must not send any automated notification to the customer when an alert is raised, when an account is flagged, or when an STR is filed.
UAT plans test alert generation and STR filing workflows. They almost never test the negative: that no communication is triggered to the customer at any point in the investigation workflow.
A system that sends an automated "your account is under review" notification when an STR is filed has violated PMLA S.13 (India) and equivalent provisions under FATF R.21 (global). This is a criminal offence for the responsible officer, not just a compliance gap.
Tipping-off prohibition — L2 analyst investigates alert, customer queries status, analyst cannot confirm or deny STR filing. System scripted response applied. PMLA S.13 compliance verified.
What Effective AML UAT Looks Like
Beyond alert generation, an effective AML UAT covers the full investigation lifecycle — L1 triage (24-hour SLA), L2 full account review (7-day), MLRO decision, STR/SAR filing workflow, FIU-IND portal submission, and record retention. Each step has specific compliance requirements that most test plans reduce to a single pass/fail check.
FATF evaluates AML effectiveness, not technical compliance. A bank that can demonstrate a 3% alert-to-SAR conversion rate, documented calibration rationale, and a functioning L1/L2/L3 investigation workflow is demonstrating effectiveness. A bank with 200 rules and no documentation is demonstrating activity.