
Continuous behavioural monitoring is the future of AML


Look beyond “who are you?” to answer “are you still who you say you are?”


We partner with GeoComply’s Senior Fraud and Risk expert, Nick Imperillo, to explore how continuous behavioural monitoring for AML compliance enables a more effective, risk-based approach to detecting money laundering, sanctions exposure, and post-onboarding fraud.

AML is a moving target.

Rigorous financial monitoring, sanctions, and PEP screening do a great job at barring the doors. Which means criminals are now forced to get creative.

They’re finding ways around the existing defenses, often using legitimate entry points.

This includes:

  • The use of synthetic and stolen identities at onboarding
  • Buying aged accounts off of legitimate users (typically sourced from individuals motivated by short-term financial gain or economically challenging circumstances)
  • Account takeover
  • Collusion across accounts

Siloed fraud tools often fail to flag these nuanced attacks. And even if they do catch a whiff of money laundering behaviour, the signals are too weak.

Nick Imperillo, Senior Fraud and Risk expert at GeoComply, points out the challenges: “Businesses need explainable, substantiated decisions. Regulators expect evidence that demonstrates why an account was trusted, when risk emerged, and what action was taken. Point-in-time checks fail to deliver on all fronts.”

Key takeaways you’re about to discover:

  • Traditional AML controls focus on identity at onboarding, but modern financial crime often occurs after accounts are established.
  • Behavioural AML monitoring uses location, device, and transaction patterns to establish a framework of “normal” over time, and detect emerging risk if behaviour becomes inconsistent later on in the journey.
  • Continuous, event-based verification provides stronger audit trails and supports sanctions and PEP compliance.
  • Risk-based escalation ensures legitimate users experience minimal friction while suspicious activity receives appropriate scrutiny.

Liveness checks aren’t a comprehensive defense

Today’s approach: “Throw some friction in there!”

This section explains why point-in-time identity verification fails to detect post-onboarding money laundering and account misuse.

Historically, AML programs assumed that risk could be addressed primarily at onboarding and through periodic review. This only addresses the first half of the question—“who are you?”.

And the answer costs a lot of friction.

“Liveness checks alone are flawed. They’re expensive. They’re annoying for legitimate users. And they’re easily bypassed by sophisticated criminals,” Nick says.

This single, point-in-time method of verification:

  • Doesn’t provide ongoing monitoring
    • Could be a legitimate person who later sells their account to a mule
    • Could be someone who starts off in a permitted region and later moves to a sanctioned area
  • Can’t detect ATO
    • Could be someone whose credentials were hacked or stolen long after account creation
  • Doesn’t show where the account creator is actually located
    • Could be using a VPN to hide true location in a sanctioned country
    • Could seem legitimate but is actually in a PEP high-risk hotspot, such as an embassy
  • Can’t pick up on suspicious devices or manipulation
    • Could be running fraud tools in the background, such as emulators, bots, or RDPs
  • Is vulnerable to AI-generated imagery, deepfakes, and synthetic IDs

Looking for risk after the fact can be like searching for a needle in a haystack. To keep up with today’s criminals, organizations must build upon one-time checks towards behavioural AML monitoring that taps into continuous, human-centered evidence.

Behavioural changes are a key AML signal

The question isn’t just “can you be trusted?” but “can you still be trusted?”

This section explores how behavioural monitoring enables earlier detection of AML risk by identifying deviations from established user patterns over time.

Behavioural signals offer something static checks cannot: repeatable, time-stamped evidence.

Changes in location, device usage, transaction patterns, and account behaviour create objective indicators that can be tracked, reviewed, and tied directly to AML compliance frameworks, to support decisions and outcomes.

As Nick points out, “this transforms AML monitoring from reactive investigation into ongoing, evidence-based risk assessment.”

GeoComply’s approach: Continuous context

Start with “normal” to see “suspicious”

We start by establishing a baseline for trust—building up a Trusted Profile based on what “normal” looks like for each unique user across their typical locations, devices, and actions.

Nick connects this back to user signals: “the red flags for money laundering are rooted in behavioural changes—an unusual deposit, activity from a high-risk location, an unexpected account change.”

When something changes within a user’s typical pattern—account access at a new location, a login from a new device, or unusual account behaviour—organizations can trigger step-up verification or deeper investigation.

This provides real-time, behavioural AML monitoring based on signals that repeatedly confirm who someone is—or isn’t.

What is a Trusted Profile?

A Trusted Profile is unique for each user.

Put simply, “it represents what their ‘normal’ behaviour looks like, based on established location, device, and activity patterns,” Nick explains.

It is continuously evaluated and can be escalated or re-established as risk indicators emerge.

How does GeoComply’s Trusted Profile work?

Set the baseline, monitor for anomalies

This section outlines a lifecycle-based AML framework that establishes baseline trust and responds dynamically to emerging risk.

Step 1: Robust KYC foundation

Identity is established at account creation through:

  • ID validation with liveness detection
  • Cross-reference against data sources
  • Address verification
  • Affordability checks/demographic validation
  • Geolocation and device checks

This provides an immediate picture of trust. Any flags, such as high-risk location or a device that might have been tampered with, will trigger further step-up verification or investigation.

This helps to prevent things like:

  • Underage account creation
  • Access from a sanctioned region or high-risk location
  • Identity fraud

Step 2: Continuous, frictionless authentication

We trigger event-based monitoring during high-value events, such as account funding, transfer, and withdrawal, building patterns over time. This includes:

  • Seamless geolocation verification: Consistent activity at the same places (home, work, commute, travel patterns unique to the individual)
  • Seamless trusted device verification: Consistently active on the same devices, with no indicators of attempted device manipulation
  • Account activity patterns: Consistent transactional behaviour and timing
  • Transaction patterns: Funding and payout events follow the same rhythms
  • Verified network integrity: Not active on VPN or proxy, or attempting to spoof location
  • Account stability: No unexpected changes to contact info, banking details, or security settings

Step 3: User receives “Trusted Profile” status

After establishing strong behavioural patterns across location, device, and activity, users establish Trusted Profiles.

This is a threshold that organizations can set, based on their risk tolerance.

If something happens that’s inconsistent with the user’s established behaviour, such as activity at a new location or a login from a jailbroken device, you can take proportional, risk-appropriate action:

  • Block high-risk transactions
  • Trigger enhanced KYC
  • Conduct a manual review or risk assessment

Trusted Profile status also allows you to improve upon traditional MFA methods.

“One-time passwords or SMS codes create friction and are increasingly vulnerable to social engineering, SIM-swap attacks, and credential compromise,” Nick points out.

Instead, you can use behavioural and location-based verification, passively and persistently, to confirm a user is active within their trusted parameters. If not, trigger the step-up.

This behavioural-based monitoring helps to prevent:

  • ATO
  • PEP-related risk exposure
  • Identity theft

Spotting AML through behavioural monitoring

When “Trusted” becomes “suspicious”

Users who maintain a Trusted Profile enjoy a frictionless experience. In the meantime, we monitor for behavioural changes that might be indicative of money laundering.

Common behavioural AML indicators include:

  • Activity in sanctioned jurisdictions or high-risk areas (in accordance with FATF recommendations): We go beyond name-based screening to confirm a user is not operating from a restricted or high-risk area.
  • Location-based PEP risk assessment: We monitor for high-risk locations that may indicate PEP activity, such as government buildings, embassies, diplomatic quarters, official travel corridors, and movement that’s consistent with political travel.
  • Impossible travel: We flag account access patterns that are geographically impossible, such as a 2pm deposit in Madrid followed by a 2:15pm withdrawal from Dubai.
  • Inconsistent location activity: We flag when a user is active at a location that differs from their established patterns, or if they show evidence of using a VPN/proxy or location spoofing attempt.
  • Inconsistent device activity: We flag when a user is active on a new device or a device that shows evidence of containing fraudulent tools (such as emulators, RDPs, and RTAs).
  • Inconsistent behaviour: We flag failed login attempts, rapid deposits and withdrawals, or a wager, deposit, or withdrawal that falls outside of established account activity.
  • Unexpected account changes: We look closer at sudden changes to banking details, login credentials, address, or security settings.

Risk thresholds, restricted jurisdictions, and escalation rules are configurable by the organization and can be aligned with regulatory expectations. GeoComply provides intelligence signals and enforcement capabilities for continuous AML monitoring, while organizations retain control over how risk policies are defined and applied.
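
To make the indicators above concrete, here is an added sketch of how impossible travel, new-device, and new-location checks can be evaluated against a per-user baseline at each financial event. It is illustrative code written for this page, not GeoComply's implementation; the speed ceiling, baseline radius, field names, and sample events are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0      # assumed ceiling: roughly airliner cruising speed
BASELINE_RADIUS_KM = 50.0  # assumed radius that counts as "same place"

@dataclass
class Event:
    ts: datetime
    kind: str        # "deposit", "withdrawal", ...
    lat: float
    lon: float
    device_id: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(events, known_devices, known_places):
    """Return time-stamped flags, one entry per event that deviates from the baseline."""
    flags, prev = [], None
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = []
        if ev.device_id not in known_devices:
            reasons.append("new_device")
        if all(haversine_km(ev.lat, ev.lon, la, lo) > BASELINE_RADIUS_KM for la, lo in known_places):
            reasons.append("new_location")
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            # Real displacement in zero elapsed time is also impossible.
            if dist > BASELINE_RADIUS_KM and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
                reasons.append("impossible_travel")
        if reasons:
            flags.append({"ts": ev.ts.isoformat(), "event": ev.kind, "reasons": reasons})
        prev = ev
    return flags

# Constructed sample: the 2pm Madrid deposit and 2:15pm Dubai withdrawal.
MADRID, DUBAI = (40.4168, -3.7038), (25.2048, 55.2708)
SAMPLE = [
    Event(datetime(2025, 3, 1, 14, 0), "deposit", *MADRID, "android-1"),
    Event(datetime(2025, 3, 1, 14, 15), "withdrawal", *DUBAI, "ios-9"),
]

def run_sample():
    return evaluate(SAMPLE, known_devices={"android-1"}, known_places=[MADRID])
```

Each flag carries the event timestamp and the list of reasons, which is the shape an audit trail or step-up trigger would consume.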

Case studies: Fighting AML with behavioural signals

A risk-based AML approach, in action

Detecting account resale or trafficking

A user in Madrid passed KYC without issue and has been active on their account for months. They have made a series of deposits and transactions at their home address and a local office in their community. They establish a Trusted Profile on their clean Android device.

Suddenly, their account is accessed from an iOS device at a house in Barcelona, where a large deposit is made. This same iOS device is linked to other accounts, operating out of the same house.

These flags are delivered to the organization in real-time, allowing them to take decisive action. They suspect that the once Trusted Profile has been sold to a fraud ring. They decide to monitor the transactions and investigate further.

Their investigation reveals that the “users” at this Barcelona location are engaging in similar patterns, placing coordinated transactions that point to collusion. Armed with this confidence, the organization blocks the fraudulent device, suspends the accounts, and sets up a location-based rule to monitor for future activity.

Pinpointing potential PEP-related risk for enhanced due diligence

A new account is created at a residential address in Rome. It passes KYC with no issue. Over the course of a few months, a few transactions are placed but there is not enough activity to establish a Trusted Profile.

Suddenly, this account is active at the Russian Consulate in Genoa. Though the KYC data does not match any names on the PEP or sanctions list, this high-risk location is flagged to the organization in real-time.

The organization decides to trigger step-up verification before allowing the transaction to proceed. The user abandons the transaction, pointing to suspected proxy activity indicative of potential attempted money laundering.

Combining signals for continuous proof of existence

The what, where, and how helps validate the “who?”

Nick puts it frankly—the current tools aren’t pulling their full weight: “When we rely solely on liveness checks to prove identity, we’re asking users to: ‘go find your ID, turn on your camera, hold up your ID, get your face in the frame, wait for us to decide if it’s a match.’ But the only real truth we get is: this person held up this ID on this date.”

With GeoComply, we’re asking users to simply tap “enable location”.

The truth you get: this verified person has maintained secure control of this account through continuous behavioral validation, their geographic patterns remain consistent with their KYC profile and occur exclusively in permitted jurisdictions with no sanctioned country access, every financial transaction has been verified for device integrity and location legitimacy, and the system actively monitors for PEP risk indicators including embassy proximity and diplomatic travel patterns.

All without requiring user action or creating friction.

APPENDIX

GeoComply’s AML checklist

Every verification, risk trigger, and escalation decision generates a clear, time-stamped audit trail. Location, device, and behavioral context are captured at key financial events, supporting efficient investigation and higher-quality SAR/STR reporting when required.

  • Enhanced sanctions and PEP compliance risk assessment: Goes beyond name-matching to use real-time location to flag individuals who may be operating from high-risk PEP locations (proximity to embassies, diplomatic travel patterns) to trigger review
  • Configurable to meet regulations: Can work with regulators to determine sanctioned jurisdictions, high-risk locations, risk parameters, and other key attributes.
  • Transaction monitoring and regulator reporting: Enhanced location and device data at funding and payout events (deposit/transfer/withdrawal) creates location and device audit trail for AML investigation and SARs/STRs
  • Behavioural detection: See placement, layering, and integration attempts through pattern analysis
  • Enhanced Due Diligence: Automatically trigger enhanced KYC when risk flag emerges, in real-time
  • Sanctions Compliance: Geo-fencing prevents access from prohibited areas

About Nick Imperillo | Senior Manager, Fraud and Risk

Spearheading fraud and risk strategies at GeoComply, Nick Imperillo helps organizations protect their businesses and users through advanced account security and the identification of abnormal behavioral patterns. He has dedicated his career to the dynamic challenge of architecting and scaling risk operations in highly regulated sectors, supporting major players like DraftKings. Nick merges his foundational expertise from security studies and research with extensive practical experience in implementing resilient anti-fraud frameworks.

Frequently asked questions about behavioral AML monitoring

No single control is sufficient on its own, which is why this approach is intentionally layered. Behavioural validation combines device intelligence, geolocation verification (including VPN, proxy, and GPS spoofing detection), and pattern analysis across key financial events.

Rather than relying on a single signal, the system looks for inconsistencies across multiple dimensions. When those inconsistencies emerge, trust is dynamically reassessed and appropriate escalation is triggered for review. This allows organizations to detect risk indicators that point-in-time checks are structurally unable to observe.

Behavioural monitoring is designed to support risk-appropriate responses, not rigid enforcement. Legitimate behavioural change—such as travel, relocation, or changes in routine—is expected over the lifecycle of an account.

When patterns shift, the system does not assume wrongdoing. Instead, it prompts enhanced verification or review to re-establish confidence. Trust can be restored once the change is understood and verified, ensuring compliance requirements are met without unnecessarily disrupting legitimate users.

Account takeover is inherently a post-onboarding risk, which makes it difficult to detect using one-time identity checks alone.

By monitoring behavioural and environmental consistency over time—including device usage, location patterns, and transaction behaviour—the system can identify sudden deviations that are inconsistent with the established profile. These deviations act as early indicators that account control may have changed, prompting review and escalation before financial harm or regulatory exposure increases.

For legitimate users, this approach is typically less burdensome, not more. After identity is established at onboarding, ongoing verification occurs passively at defined, high-risk events, rather than through repeated challenges such as video checks, one-time passwords, or SMS codes.

Additional friction is introduced only when risk indicators emerge, aligning user experience with actual risk. This helps reduce unnecessary disruption while maintaining strong controls where they are most needed.

Attempts to obscure or falsify location are treated as risk indicators, not simply access denials. The system is designed to detect common obfuscation techniques including VPNs, proxies, GPS spoofing, and device emulation—and factor those signals into the overall risk assessment.

When such indicators appear, trust can be revoked and appropriate controls applied, such as transaction holds or enhanced verification. This provides stronger ongoing assurance than static checks, which cannot detect location obfuscation after onboarding.

Name-based screening remains a critical component of sanctions and PEP compliance, but it has inherent limitations. Behavioural and location-based intelligence adds contextual risk signals by identifying activity occurring in sanctioned jurisdictions or locations associated with elevated PEP risk, such as diplomatic or government facilities.

These signals do not determine PEP status or sanctions violations on their own. Instead, they support enhanced due diligence by highlighting situations where additional review may be warranted. Risk parameters are configurable by organizations and can be aligned with regulatory expectations to ensure compliance is applied consistently and proportionately.
