Well, then it very much depends on how you measure. Their request seems pretty much ill-defined to me.
If referring to the HTML page itself, it is very unlikely that the (compressed) transferred data is ever larger than 40 kByte. In fact, I'd rather expect something around 10-20 kByte when using HTTP compression. However, it might not be trivial to actually measure this in your system! (If you look at the page in your web browser, you'll always see the size of the uncompressed data.)
If "transaction" refers to the HTML page including all graphics,
Javascript files, stylesheets, etc., then 40 kByte is a rather unreasonable limit. (Show me any realisitc web site that stays below these 40 kByte, including graphics - you'll have a hard time finding one.) However, the graphics and stylesheets are not downloaded each time the user requests a page; but usually only once per session. So should one refer to the "average" data transfer? (And how is this measured?)
Also, a transaction might well include the
download of a file (say PDF or so). Since I suppose that you have files larger than 40 kByte on your Moodle, one cannot impose a 40 kByte limit for such transactions. Again, this has nothing to do with Moodle.