Each surveillance domain carries a different data topology, latency envelope, regulator, and enforcement exposure — market-abuse detection is millisecond-sensitive on order-book events, AML monitoring is second-scale on settlement flow, and UEBA is minute-scale on access logs. The common mistake is shoehorning all three into a single "anomaly detection" product and silently under-serving the latency-sensitive domains. SEC FY2024 enforcement hit $8.2B and the $600M+ off-channel-comms wave specifically penalized firms whose surveillance never saw WhatsApp traffic at all — scope decisions made here become enforcement exposure downstream.

FINRA's 2024 report explicitly called out that AI models detecting order-withdrawal patterns <1ms after placement are now the surveillance standard for spoofing — and that inadequate surveillance technology is itself a Rule 3110 compliance violation, not just a detection failure. A detection latency that looks reasonable for AML (seconds) will miss 99% of spoofing because the manipulative orders have already been cancelled. Set per-domain SLAs explicitly or the slowest domain dictates the architecture for all of them.

Rule-based AML systems generate 90–95% false positives — meaning 95 of every 100 analyst-reviewed alerts are legitimate. NICE Actimize benchmarks show ML can cut that to 10–30% with 4× true-positive detection, but only if the alert budget is set deliberately. Without a capacity-bound alert budget, teams tune detection upward, bury analysts, and miss real cases that arrive mixed in with the noise. The right number is not the lowest false-positive rate — it is the highest true-positive rate that fits analyst capacity.

The tiering ladder is load-bearing in every FINRA 3110 examination: examiners ask who dispositioned the alert, who approved the escalation, and what authority they held. A program without documented tiers inevitably concentrates both investigation and filing authority in too few people, which becomes a person-dependency risk as well as a supervisory failure. Clear tiering also directly enables ML uplift — Nasdaq's GenAI surveillance POC showed a 33% reduction in investigation time, but only because tier-1 disposition was a defined workflow that could be accelerated.

The regulatory stack for surveillance expanded materially in 2023–2025: SEC Item 1.05 of Form 8-K requires cyber incident disclosure within four business days of materiality determination (effective Dec 18 2023), EU DORA became enforceable January 17 2025 with prescriptive ICT incident-reporting windows, and the EU AI Act classifies most surveillance systems as high-risk with transparency and human-oversight obligations. MiFID II penalties rose 143% year-over-year in 2024 to EUR 44.5M on surveillance and reporting failures alone. Treating this as a single checkbox is how firms become the enforcement headline.