Transaction Monitoring Policy
Last updated: March 30, 2026
1. Framework Overview
Glide's transaction monitoring program is built on a 63-rule automated engine that covers nine distinct categories of financial activity. The engine runs continuously and evaluates every transaction, login event, and behavioral pattern in real time to detect activity that may indicate money laundering, terrorist financing, sanctions evasion, fraud, or other financial crime.
The nine monitoring categories are: deposits (A), withdrawals (B), international transfers (C), domestic transfers (D), card transactions (E), cryptocurrency activity (F), sanctions screening (G), login and access patterns (H), and behavioral analysis (I). Each category contains multiple rules with specific thresholds calibrated to the risk characteristics of the transaction type.
Rules are deployed across three priority tiers based on implementation urgency and risk impact. Tier 1 rules are active at launch and cover the highest-risk scenarios. Tier 2 rules are deployed within 90 days of launch. Tier 3 rules are deployed within 180 days and address more nuanced behavioral patterns.
Each rule generates alerts at one of four severity levels: critical, high, medium, or low. Severity determines the investigation SLA and the escalation path. The monitoring framework is reviewed quarterly and updated as new risks emerge or regulatory guidance changes.
2. Tier 1 Rules (Pre-Launch) — 25 Rules
These 25 rules are active from day one and cover the most critical risk scenarios. They are designed to catch the most common money laundering typologies, sanctions violations, and fraud patterns associated with deposit, withdrawal, and cryptocurrency activity.
Deposits (A1–A5)
| Rule | Description | Threshold |
|---|---|---|
| A1 | Single large deposit | ≥$10,000 |
| A2 | Aggregate deposits in 24h (structuring detection) | ≥$9,000 |
| A3 | Rapid successive deposits within 1 hour | ≥3 deposits |
| A4 | Deposit from new/unlinked funding source | Any amount |
| A5 | Deposit volume exceeds 3x historical average | 3x 30-day avg |
Withdrawals (B1–B5)
| Rule | Description | Threshold |
|---|---|---|
| B1 | Single large withdrawal | ≥$10,000 |
| B2 | Near-total balance withdrawal within 24h of deposit | ≥90% balance |
| B3 | Withdrawal to previously unseen bank account | Any amount |
| B4 | Aggregate withdrawals in 24h (structuring detection) | ≥$9,000 |
| B5 | Withdrawal volume exceeds 3x historical average | 3x 30-day avg |
International (C1–C3)
| Rule | Description | Threshold |
|---|---|---|
| C1 | Transfer to/from high-risk jurisdiction | Any amount |
| C2 | SWIFT transfer exceeding threshold | ≥$25,000 |
| C3 | Multiple international transfers within 7 days | ≥3 transfers |
Cryptocurrency (F1–F6)
| Rule | Description | Threshold |
|---|---|---|
| F1 | Deposit from sanctioned or flagged address | Any amount |
| F2 | Withdrawal to sanctioned or flagged address | Any amount |
| F3 | Large crypto deposit | ≥$10,000 |
| F4 | Rapid crypto-to-fiat conversion and withdrawal | <1h between deposit and withdrawal |
| F5 | Deposits from multiple distinct wallet addresses in 24h | ≥5 addresses |
| F6 | Crypto deposit from mixer/tumbler/privacy protocol | Any amount |
Sanctions (G1–G2)
| Rule | Description | Threshold |
|---|---|---|
| G1 | OFAC/SDN name match on customer or counterparty | Any match |
| G2 | Chainalysis sanctions hit on crypto address | Any match |
Login & Access (H1–H3)
| Rule | Description | Threshold |
|---|---|---|
| H1 | Login from new device/location followed by large transaction | ≥$5,000 |
| H2 | Multiple failed login attempts | ≥5 in 15 min |
| H3 | Simultaneous sessions from different geographies | Any occurrence |
3. Tier 2 Rules (Within 90 Days)
Tier 2 rules are deployed within 90 days of launch and expand coverage to domestic transfer patterns, card transaction anomalies, and additional cryptocurrency monitoring scenarios. These rules require baseline behavioral data that is accumulated during the initial operating period.
Domestic (D1–D5)
| Rule | Description | Threshold |
|---|---|---|
| D1 | Round-dollar domestic transfers (structuring indicator) | ≥3 in 7 days |
| D2 | Transfers to multiple unrelated beneficiaries in 24h | ≥5 beneficiaries |
| D3 | Funds pass-through (deposit + near-equal withdrawal within 48h) | ≥80% match |
| D4 | Aggregate domestic outflows in 30 days | ≥$50,000 |
| D5 | Transfer to known mule account pattern (shared beneficiary across multiple accounts) | ≥2 accounts |
Card (E1–E5)
| Rule | Description | Threshold |
|---|---|---|
| E1 | Card spend exceeds daily limit attempt | ≥$5,000/day |
| E2 | Rapid successive card transactions at same merchant | ≥5 in 1h |
| E3 | Card use in high-risk merchant category (gambling, crypto ATM) | Any amount |
| E4 | Card transaction in country different from login location | Any amount |
| E5 | Card spend exceeds 3x historical monthly average | 3x 30-day avg |
Cryptocurrency Extended (F7–F9)
| Rule | Description | Threshold |
|---|---|---|
| F7 | Crypto withdrawal to high-risk exchange jurisdiction | Any amount |
| F8 | Circular crypto flow (deposit → withdraw → re-deposit within 7 days) | ≥2 cycles |
| F9 | Aggregate crypto volume exceeds EDD threshold | ≥$50,000/month |
4. Tier 3 Rules (Within 180 Days)
Tier 3 rules focus on behavioral analysis patterns that require a longer observation period to establish meaningful baselines. These rules detect anomalies that may not be apparent from individual transactions but become visible when analyzing patterns over time.
Behavioral (I1–I5)
| Rule | Description | Threshold |
|---|---|---|
| I1 | Dormant account reactivation with large transaction | ≥60 days dormant + ≥$5,000 |
| I2 | Sudden change in transaction frequency (velocity shift) | ≥5x baseline frequency |
| I3 | Account used exclusively for pass-through (no card spend, no balance retention) | 90-day pattern |
| I4 | Geographic pattern mismatch (KYC address vs. login/transaction geography) | ≥80% mismatch |
| I5 | Peer group outlier (transaction profile deviates significantly from similar accounts) | ≥3 std dev |
5. Alert Investigation Procedures
When a monitoring rule is triggered, the system generates an alert that enters a structured investigation workflow. Every alert follows the same lifecycle: Open, Investigating, and Closed. The Closed status includes a disposition reason (e.g., false positive, SAR filed, account action taken, or no suspicious activity found).
Alerts are automatically assigned to a member of the compliance team based on the alert category and current workload distribution. The assigned analyst is responsible for reviewing the alert, gathering relevant transaction data and customer context, and documenting their findings.
Investigation SLAs are determined by alert severity:
| Severity | Response SLA | Examples |
|---|---|---|
| Critical | 4 hours | Sanctions match (G1, G2), flagged crypto address (F1, F2) |
| High | 24 hours | Large transaction alerts, rapid conversion (F4), structuring patterns (A2, B4) |
| Medium | 72 hours | Volume anomalies, new destination alerts, geographic patterns |
| Low | 5 business days | Minor velocity changes, informational triggers |
All investigation activity, findings, and disposition decisions are documented in the alert case file and retained for a minimum of five years.
6. SAR Decision Framework
When an alert investigation reveals activity that meets Suspicious Activity Report (SAR) filing criteria, the case is escalated through the SAR decision framework. A SAR is filed when the investigation determines that a transaction or pattern of transactions involves or aggregates funds of $5,000 or more and the activity is known or suspected to involve money laundering, BSA violations, terrorist financing, or other criminal activity.
The following scenarios constitute automatic SAR filing triggers: confirmed structuring activity designed to evade CTR thresholds; positive OFAC/SDN sanctions match that cannot be resolved as a false positive; suspicious patterns consistent with money laundering typologies (e.g., layering, rapid fund movement, funnel accounts); and large unexplained transactions inconsistent with the customer's profile and stated source of funds.
The SAR filing clock starts at 30 calendar days from the date of initial detection. If additional time is needed to identify a suspect, the deadline extends to 60 days, but the 30-day clock cannot be extended for any other reason. The BSA Compliance Officer is responsible for ensuring all SARs are filed within the required timeframe.
SAR narratives are drafted with AI assistance to ensure completeness and consistency, but every narrative is reviewed, edited, and approved by a qualified human compliance officer prior to filing. Under no circumstances is a SAR filed without human review and approval.
7. CTR Automation
Currency Transaction Reports (CTRs) are required for cash-equivalent transactions that exceed $10,000 in a single business day. Our automated system monitors all transactions in real time and automatically detects CTR-eligible events, including single transactions exceeding $10,000 and aggregated transactions by the same customer that total $10,000 or more within a business day.
When a CTR-eligible transaction is detected, the system automatically collects the required data fields and prepares a draft CTR report. The draft includes all required FinCEN Form 104 fields: transaction details, customer identification information, and financial institution data.
Prepared CTR reports are routed to a compliance administrator for review before filing. The administrator verifies the accuracy of the data, confirms the transaction meets the filing threshold, and approves the report for submission. CTRs are filed through Column N.A.'s regulatory filing infrastructure.
The system also monitors for potential structuring activity — transactions that appear designed to avoid the $10,000 CTR threshold. Structuring patterns detected by rules A2 and B4 are escalated for SAR review regardless of whether the $10,000 threshold was actually reached.
8. Chainalysis Integration
Glide integrates with the Chainalysis free sanctions API to screen all cryptocurrency addresses involved in stablecoin deposits and withdrawals. Every Solana wallet address that sends USDC or USDT to the user's Privy-provisioned wallet, and every external address to which the user requests a withdrawal, is screened before the transaction is processed.
The Chainalysis sanctions API checks each address against OFAC's Specially Designated Nationals (SDN) list and other sanctioned entities. If a positive match is returned, the transaction is automatically blocked, a critical alert (G2) is generated, and the compliance team is notified immediately for investigation.
In Phase 2 of our compliance infrastructure roadmap, we plan to upgrade to Chainalysis Know Your Transaction (KYT) for full transaction risk scoring. KYT provides deeper analytics including exposure analysis (how many hops from a known illicit source), counterparty risk ratings, and real-time risk scores for each transaction. This upgrade is targeted for deployment within 180 days of launch.
All Chainalysis screening results — both clear results and flagged matches — are logged and retained for a minimum of five years in accordance with our record-keeping obligations.
9. Rule Tuning & False Positive Management
Maintaining an effective monitoring program requires ongoing calibration of rule thresholds to balance detection sensitivity against false positive rates. Rules that generate excessive false positives consume compliance resources without proportionate risk mitigation value, while rules that are set too loosely may fail to detect genuine suspicious activity.
The compliance team conducts a monthly review of all monitoring rules, analyzing false positive rates, alert volumes, and investigation outcomes by category. The target false positive rate for the overall monitoring program is below 50%. Individual rules that consistently exceed a 70% false positive rate are flagged for threshold adjustment.
All threshold adjustments are documented in a formal change log that records the original threshold, the new threshold, the rationale for the change, the date of implementation, and the approving officer. This audit trail is essential for demonstrating to regulators that rule changes are risk-based and not designed to suppress legitimate alerts.
Quarterly rule effectiveness reports are prepared for the BSA Compliance Officer and senior management, summarizing alert volumes, disposition rates, SAR conversion rates, and recommendations for rule additions or modifications.
10. Escalation Procedures
The escalation chain ensures that complex, high-risk, or time-sensitive alerts receive appropriate attention from increasingly senior compliance personnel. Escalation is both severity-based (automatic based on alert type) and judgment-based (analyst discretion when an investigation reveals unexpected risk factors).
The escalation chain proceeds through four levels:
- Analyst— Conducts initial alert review, gathers transaction data and customer context, and makes an initial risk assessment. The analyst resolves low and medium alerts that have clear dispositions.
- Senior Analyst — Reviews escalated alerts from analysts, handles complex investigations involving multiple rules or customers, and makes SAR filing recommendations. The senior analyst has authority to recommend account suspension.
- BSA Compliance Officer — Makes final decisions on SAR filings, account terminations, and law enforcement referrals. Reviews all critical alerts and all SAR narratives before filing. Communicates significant findings to senior management and the board.
- Board / Legal — Consulted on matters involving potential regulatory action, law enforcement subpoenas, significant reputational risk, or systemic compliance concerns. The board receives quarterly compliance reports and is briefed immediately on any critical escalation.
All escalation actions, decisions, and rationale are documented in the alert case file. Time-sensitive escalations (sanctions matches, law enforcement requests) bypass intermediate levels and go directly to the BSA Compliance Officer.
11. Regulatory Exam Readiness
Glide maintains continuous readiness for regulatory examinations by federal and state authorities. The compliance program is designed to produce documentation and evidence that demonstrates the effectiveness of our BSA/AML controls at any point in time, without requiring ad hoc preparation.
Key exam readiness practices include: maintaining up-to-date written policies and procedures that are readily accessible; ensuring all alert investigations are fully documented with clear disposition rationale; retaining all BSA records (transactions, SARs, CTRs, KYC documentation, alert case files, and Chainalysis screening logs) for a minimum of five years; and producing regular management reports that demonstrate program oversight.
An independent testing of the AML program is conducted annually by a qualified third party, as required by BSA regulations. The independent tester evaluates all components of the program, including CIP/CDD procedures, transaction monitoring effectiveness, SAR/CTR filing timeliness, OFAC screening accuracy, training program adequacy, and record-keeping completeness.
Findings from independent testing are documented, remediation plans are developed with specific timelines, and progress is tracked to completion. All testing reports, remediation plans, and completion evidence are retained as part of the exam readiness documentation package.