AML red flags: 10 patterns every compliance team should know

AFC Risk
|
July 10, 2026
|
Karthik Tadinada
Summary: This article walks through 10 AML patterns analysts come across regularly. For each one, it sets out the behaviour, why it may point to financial crime, the most common legitimate explanation, the data to pull and the questions worth asking. It follows how analysts actually work a case, so the thinking holds up case after case.

Red-flag guidance has a reproducibility problem. Most of it tells analysts what suspicious activity looks like. Very little of it explains what to do next: what data to pull, what questions to ask, what a legitimate explanation might be, and how the outcome of any investigation should feed back into controls.

The result is that analysts use red flags as a checklist rather than as the start of a reasoning process. They spot a pattern, log an alert, and close it without engaging with the underlying behaviour. That is not investigation; it is triage at best.

This reference is structured differently. Each of the 10 patterns below includes the observable behaviour, why it may indicate financial crime, the most common legitimate explanation (so analysts can distinguish genuine risk from noise), the data needed to assess it, and the investigation questions that should drive the case. At the end of each entry, there is a note on how outcomes should feed monitoring.

1. Structuring below reporting thresholds (smurfing)

The behaviour: Multiple cash deposits, often by different individuals, each below the local reporting threshold, with the aggregate exceeding what reporting would require.

Why it matters: Structuring is a deliberate attempt to avoid triggering transaction reporting obligations. It is one of the clearest indicators of intent in placement-stage laundering.

Legitimate explanation: Some retail businesses make frequent small deposits because of operational reasons — cash handling limits, safe capacity, or proximity to the branch. Volume alone does not confirm structuring.

Data to pull: Transaction history broken down by date, amount, location and depositor identity. Compare against the reporting threshold in the relevant jurisdiction. Look for patterns across multiple accounts held by connected individuals.

Investigation questions: Are deposits made by multiple people or consistently one person? Is the timing clustered around a single day? Is there a business reason for the frequency? Do account holders have known connections to each other?

Control feedback: If a pattern consistently resolves as legitimate (a restaurant owner making daily deposits below a fixed threshold), consider whether a business-level rule can reduce noise. If structuring is confirmed, the case should inform typology updates in monitoring scenarios.

2. Rapid layering through multiple accounts

The behaviour: Funds move quickly through a series of accounts — sometimes at multiple institutions — with little or no hold time at any stage. The chain may involve intermediary entities or individuals before funds reach an apparent destination.

Why it matters: Layering is designed to obscure the origin of funds. Speed reduces the window for detection. Complexity across multiple accounts makes tracing harder and suggests intent.

Legitimate explanation: Legitimate payment chains can be complex — multi-leg supplier payments, intragroup treasury flows, or payments routing through correspondent accounts can mimic this pattern. Context around the business model matters.

Data to pull: Full transaction history for all connected accounts. Correspondent account mapping where available. Timestamps for each leg. Beneficial ownership records for any entities in the chain.

Investigation questions: What is the stated purpose of each transfer? Do the amounts reconcile? Is there a commercial explanation for each leg? Are the intermediary entities known to the institution and subject to their own CDD?

Control feedback: Layering cases that close as legitimate may indicate overly sensitive velocity rules. Confirmed layering should prompt a review of whether the connected accounts were adequately profiled at onboarding.

3. Sudden transaction volume spike with no business explanation

The behaviour: An account that has been operating within a consistent volume range shows a sharp increase in transaction frequency, value, or both, without any change in the account holder's stated business activity or customer profile.

Why it matters: Sudden spikes can indicate that an account is being used by third parties, that the account holder's activity has materially changed without disclosure, or that the account has been compromised.

Legitimate explanation: Seasonal business cycles, a new contract, a one-off large payment, or a business restructuring can all drive legitimate volume spikes. These explanations are often available from the customer relationship record or through direct contact.

Data to pull: Historical transaction data showing baseline behaviour. Any recent CDD refresh or customer contact records. Industry benchmarks where available.

Investigation questions: Has the customer disclosed a change in business? Is the spike in one direction (credits or debits) or both? Do counterparties appear consistent with the stated business? Has KYC been refreshed recently?

Control feedback: If spikes are consistently explained by seasonal patterns, scenario calibration should reflect expected seasonality for that customer segment.

4. Third-party funding with no clear relationship to the account holder

The behaviour: Funds are received from or sent to individuals or entities with no apparent business or personal connection to the account holder.

Why it matters: Third-party funding is a common mechanism in fraud, money muling, and proceeds-of-crime placement. It is particularly significant when the third party is based in a high-risk jurisdiction or is themselves subject to adverse information.

Legitimate explanation: Gift payments, inter-family transfers, supplier payments and refunds from platforms can all originate from unexpected parties. The key question is whether the relationship can be documented.

Data to pull: Counterparty names, account details and jurisdictions. Any existing CDD on the counterparty if they are a customer. Adverse media and sanctions screening results. The account holder's stated source of funds.

Investigation questions: Can the account holder explain the relationship with the third party? Is there documentation? Is the third party themselves a known entity? Does the pattern repeat?

Control feedback: Third-party funding cases should inform whether the account holder's risk rating adequately reflects their actual network of counterparties.

5. Dormant account reactivation followed by high-value activity

The behaviour: An account that has had little or no activity for an extended period (typically 12 months or more) suddenly receives or sends high-value transactions.

Why it matters: Dormant accounts are attractive to fraudsters and money launderers because they may have passed initial CDD screening without recent review. Reactivation without a plausible trigger is inherently suspicious.

Legitimate explanation: Customers return from abroad, inherit funds, sell a property, or resume a business. These are genuine scenarios. The question is whether the volume and nature of activity is consistent with the explanation offered.

Data to pull: Account history including dormancy start date. Most recent CDD refresh. Counterparty details for the new activity. Source of funds documentation.

Investigation questions: Was a CDD review triggered at reactivation? Can the customer explain the activity? Do counterparties align with the stated explanation? Is the first post-reactivation transaction unusually large?

Control feedback: If dormant account reactivations are consistently not generating CDD reviews prior to the alert, that is a control gap to address at process level rather than through increased investigation resource.

6. Multiple accounts at the same institution with interconnected flows

The behaviour: A customer holds several accounts, or is connected to several account holders, and funds move between them in a way that appears to serve no operational purpose.

Why it matters: Internal flows between connected accounts can be used to obscure the true ownership or destination of funds. They may also indicate that accounts are being used collectively to break transaction limits or avoid monitoring thresholds.

Legitimate explanation: Legitimate intragroup cash pooling, payroll accounts, and household financial management can all generate regular flows between related accounts. The question is whether the structure has a commercial or personal rationale.

Data to pull: All accounts with shared ownership, address, phone, email, or beneficial owner attributes. Transaction flows between those accounts. Entity mapping or network visualisation where available.

Investigation questions: What is the stated purpose of each account? Are flows regular and proportionate? Does the end destination of funds make sense? Are there accounts in the network held at other institutions?

Control feedback: Network-based patterns are often invisible when accounts are investigated individually. If this pattern is detected post-hoc, it is worth reviewing whether network-level monitoring is in scope for the scenarios being run.

7. Geographic mismatch between customer profile and transaction destinations

The behaviour: Funds are sent to or received from jurisdictions that have no apparent connection to the customer's stated business, nationality, residence or known relationships.

Why it matters: Geographic mismatch is a strong contextual indicator when combined with other factors. Payments to high-risk jurisdictions, jurisdictions with weak AML frameworks, or jurisdictions subject to sanctions or targeted financial measures require particular scrutiny.

Legitimate explanation: International business, family remittances, supplier payments, and travel spending all generate geographic diversity that may not be reflected in the customer's profile. Context is everything.

Data to pull: Full list of transaction counterparty jurisdictions over the review period. Customer's stated business activity and nationality. Sanctions and high-risk jurisdiction screening results. Any existing explanation on file.

Investigation questions: Has the customer disclosed international business or family connections? Is the jurisdiction flagged under any regulatory guidance? Is the counterparty a known entity? Does the volume make sense in the context of the stated relationship?

Control feedback: If geographic mismatch alerts are consistently closing as legitimate for a particular customer segment (e.g., international traders), consider whether the customer risk profile adequately captures that activity, reducing unnecessary alert generation.

8. Frequent round-number transfers

The behaviour: The customer regularly sends or receives transfers in exact round amounts (£10,000, £50,000, £100,000) rather than the irregular figures that typically result from genuine commercial transactions.

Why it matters: Real-world payments — invoices, salaries, supplier settlements — rarely land in round numbers. Consistent round figures can indicate that amounts are being set deliberately, sometimes to test systems or to fit within notional thresholds.

Legitimate explanation: Loan repayments, subscription services, fixed fee arrangements, and some intercompany transfers are structured as round numbers by design. The explanation will usually be documented.

Data to pull: Transaction history with amount breakdowns. Counterparty details. Any contracts or invoices on file. Account type and stated purpose.

Investigation questions: Is there a commercial reason for the regularity of the amounts? Are invoices or contracts available? Do the round numbers align with any threshold the institution applies? Is this pattern isolated to certain counterparties?

Control feedback: Round-number alerts that consistently resolve as loan repayments or fixed fees should be excluded from the scenario via documented suppression logic rather than generating repeated alerts.

9. PEP or high-risk jurisdiction exposure without adequate CDD

The behaviour: A customer is identified as a politically exposed person, has close associates who are PEPs, or transacts regularly with high-risk jurisdictions, but their CDD is not commensurate with that risk — either missing, outdated, or lacking enhanced due diligence documentation.

Why it matters: PEP exposure does not make a customer suspicious. But it does require enhanced scrutiny. Absent that scrutiny, the institution is not managing the risk; it is ignoring it. Regulators look for this gap specifically.

Legitimate explanation: There is no legitimate explanation for inadequate CDD in a high-risk relationship. If the CDD is absent, the gap is the problem, irrespective of whether the underlying transactions are unusual.

Data to pull: CDD records and their dates. EDD documentation (source of wealth, source of funds, enhanced screening). Screening results. Any senior management approval records for onboarding or continuation.

Investigation questions: Was the PEP status identified at onboarding? Was EDD conducted and signed off? Is the CDD current? If a refresh was due, why was it not completed? Does the transaction activity align with what EDD documented?

Control feedback: Systemic EDD gaps for PEP or high-risk customers are a control failure, not an investigation problem. Cases should be escalated to the programme team to assess whether remediation is needed at portfolio level.

10. Use of cash-intensive business as cover for mixed funds

The behaviour: A customer operates in a sector with high legitimate cash turnover (retail, hospitality, car washes, nail bars) and declares a level of cash income that is difficult to verify independently, while also transacting in ways that do not match the stated business model.

Why it matters: Cash-intensive businesses are a well-documented vehicle for commingling illicit funds with legitimate revenue. The opacity of cash makes it hard to distinguish genuine from criminal proceeds, which is precisely why it is used.

Legitimate explanation: Many small businesses in these sectors are genuinely legitimate. The pattern does not indicate crime; it indicates that verification requires more care. The question is whether the volume, counterparties, and business profile are internally consistent.

Data to pull: Business registration and sector information. Declared turnover and source of funds documentation. Cash deposit history and any available sector benchmarking. Any HMRC or Companies House data where accessible.

Investigation questions: Does the volume of cash deposits match the declared revenue? Are there any non-cash revenues, and do they reconcile with expected business activity? Are there suppliers or creditors consistent with the stated business? Has the customer been subject to EDD, and does it include a site visit or independent verification?

Control feedback: Cash-intensive business customers that generate persistent alerts without escalation may be candidates for enhanced monitoring profiles or periodic EDD review, rather than repeated transaction-level investigation with no change in conclusion.

A note on how outcomes should feed controls

Investigations are not complete when the case is closed. If a pattern is consistently resolving as legitimate, that is information. It means the scenario is generating noise rather than signal, and the calibration needs review. If a pattern is confirming suspicion and generating SARs, that is also information: it should feed typology updates, risk rating reviews and, where warranted, a look at whether the wider customer population contains similar profiles.

The value of a red-flag framework is not in the list. It is in the feedback loop between individual case decisions and the monitoring programme that generates them. Without that loop, the same false positives recur, the same genuine risks are missed, and analysts spend their time closing alerts rather than assessing risk.

Post
Post
Share

Sign up for the latest news and insights from Fortify

Turn risk into ROI

The Fortify team can help

Find out how we can support your prevention strategy

Related articles

No items found.

Get in touch