A practitioner's guide to recognising the methods criminals use to move illicit funds — and how modern monitoring systems detect them before damage is done.
AML typologies are the documented methods and transaction patterns criminals use to launder illicit funds through the financial system. For regulated institutions — banks, fintechs, MTOs, and payment processors — understanding these typologies is foundational to building transaction monitoring systems that actually detect financial crime rather than generating noise.
In This Article
AML typologies are the methods, behaviors, and transaction patterns criminals use to launder illegally obtained funds. In plain operational terms, they answer a single question every compliance function must be able to address: how does money laundering actually happen in practice? Typologies translate that question into specific, observable signals — transaction flows, customer behaviors, account structures, and transfer patterns — that monitoring systems and investigators can act on.
They are developed through regulatory investigations, law enforcement intelligence, suspicious activity reporting data, and analysis of confirmed financial crime cases. Organizations including the Financial Action Task Force (FATF), the Financial Crimes Enforcement Network (FinCEN), the Asia/Pacific Group on Money Laundering, and AUSTRAC publish typology reports regularly, providing institutions with structured intelligence on how criminal methods are evolving.
Money laundering techniques evolve continuously. Criminal organizations adapt to new regulations, monitoring systems, sanctions controls, and payment technologies faster than many compliance programs can track. Without a clear understanding of current typologies, financial institutions risk missing suspicious activity, generating excessive false positives that overwhelm investigation teams, or failing regulatory expectations during audits and enforcement reviews.
Typology awareness directly improves the quality of AML transaction monitoring rules, customer risk scoring, sanctions screening, and Suspicious Activity Report (SAR) preparation. For MTOs and cross-border payment operators specifically, typology knowledge is non-negotiable — international transactions involve multiple jurisdictions, rapid fund movement, FX conversion, and velocity patterns that create elevated exposure across nearly every major financial crime category.
Figure 1: Scale indicators for global money laundering risk. Sources: UNODC, FATF mid-2025 review, blockchain analytics research.
Most laundering operations follow three broad stages. AML typologies typically target activity at one or more of these stages, and understanding where in the cycle a given pattern appears helps compliance teams calibrate monitoring rules and risk thresholds accordingly.
Figure 2: The three-stage money laundering cycle. Detection is most effective at the placement and layering stages before integration obscures the audit trail.
The following typologies appear consistently in regulatory intelligence reports and represent the patterns most frequently identified in SAR filings, enforcement actions, and financial crime investigations globally. Compliance teams should ensure monitoring rules address each of these as a baseline.
Structuring involves deliberately dividing large sums of illicit money into smaller transactions to avoid regulatory reporting thresholds. The technique is commonly called smurfing when it involves multiple individuals — or smurfs — making deposits on behalf of the criminal network across multiple accounts or locations. Rather than depositing a large sum in a single transaction, the operation distributes activity to stay beneath automatic reporting triggers.
Structuring remains one of the most common patterns across cash-intensive businesses, remittance channels, and retail banking. The red flags to watch include repeated deposits just below reporting thresholds, multiple small transactions within short time windows, and coordinated activity across accounts that appear superficially unrelated but share common beneficiaries, originating addresses, or phone numbers.
Shell companies are legal entities with little or no genuine operations that exist primarily to hold assets or move funds. Criminals layer shell structures across offshore jurisdictions, using nominee directors, bearer shares, and complex ownership chains to obscure who ultimately controls and benefits from the entity. Because the commercial activity looks plausible on paper, shell company transactions can pass basic automated checks without triggering alerts.
The AML red flags associated with shell structures include unclear or opaque ownership that resists beneficial ownership inquiries, no obvious commercial rationale for high transaction volumes, payments inconsistent with the company's stated business activity, and registered addresses shared across multiple high-risk or inactive entities. Beneficial ownership transparency has become one of the highest regulatory priorities globally, with FATF Recommendation 24 driving legislative reform across member jurisdictions.
Trade-based money laundering uses international trade transactions to move value across borders while disguising the true nature of the financial flows. Criminals manipulate invoices, shipment quantities, goods descriptions, or valuations to create financial movements that appear commercially legitimate. Common TBML techniques include over-invoicing (inflating the value of exported goods to justify large outflows), under-invoicing (understating import values to move value abroad), duplicate invoicing, and phantom shipments — payments for goods that were never shipped.
TBML is particularly difficult to detect because transactions may look entirely legitimate to individual institutions that lack visibility into the underlying trade relationship. Detection typically requires data sharing between financial institutions and customs authorities, or sophisticated pattern matching across trade documentation and payment flows. Compliance programs for MTOs operating in high-volume trade corridors should include TBML-specific monitoring scenarios.
Digital assets introduce layering mechanisms that operate outside traditional banking visibility. Criminals use mixers or tumblers to break the on-chain transaction trail, peer-to-peer exchanges that lack AML controls, privacy-focused tokens designed to obscure wallet activity, and layered wallet chains that simulate legitimate DeFi activity. The speed of cross-border crypto transfers and the pseudonymous nature of blockchain addresses make this category particularly challenging for conventional monitoring systems.
Key red flags include rapid wallet-to-wallet movement of funds within short timeframes, interaction with addresses flagged by blockchain analytics tools as associated with sanctions targets or high-risk exchanges, structuring activity across multiple blockchain wallets, and conversion between chains in ways consistent with obfuscation rather than legitimate investment activity. Global regulators including FATF have identified virtual asset service providers (VASPs) as a priority enforcement area throughout 2025 and 2026.
Offshore financial centers can offer financial secrecy, limited disclosure requirements, and reduced regulatory scrutiny that make them attractive to criminal networks seeking to layer illicit funds. While offshore accounts are not inherently unlawful, their use in combination with shell company structures, opaque ownership chains, and cross-border transfers to secrecy jurisdictions creates a risk pattern that warrants enhanced due diligence.
Compliance teams should apply additional scrutiny to transactions routed through jurisdictions on FATF's list of high-risk and monitored countries, or through financial centers known for low corporate transparency. Cross-border regulatory cooperation — including information exchange under tax treaties and AML mutual legal assistance frameworks — has increased significantly in recent years, improving the traceability of these structures when they come under investigation.
Businesses that legitimately handle large volumes of cash — restaurants, convenience stores, car washes, entertainment venues, and retail outlets — can be used to commingle illicit funds with legitimate revenue. The business declares inflated cash income, effectively laundering criminal proceeds as operating revenue. Because cash businesses naturally generate variable income, revenue anomalies can be difficult to identify without benchmarking against comparable businesses in the same sector and geography.
The monitoring red flags include reported revenues inconsistent with the apparent size or customer volume of the business, unusual frequency or regularity of large cash deposits, and cash-heavy transaction profiles with no evidence of corresponding operational expenditure such as payroll, supplier payments, or rent.
Real estate is a globally significant laundering channel because property transactions can absorb large sums, hold value over time, and generate legitimate-looking returns through rental income or resale. Criminals use shell company structures, nominee buyers, all-cash purchases, and complex financing arrangements to obscure the connection between property ownership and illicit wealth. Several jurisdictions — including the United Kingdom, United States, and European Union member states — now require enhanced due diligence and in some cases mandatory reporting for high-value real estate transactions.
Key red flags include high-value cash property purchases with no clear legitimate source of funds, rapid property resales at prices inconsistent with market conditions, ownership through opaque corporate structures with multiple intermediary layers, and transactions where the beneficial owner cannot be identified despite formal requests.
Round-tripping involves moving funds through multiple entities, accounts, or jurisdictions before returning them to the original owner disguised as foreign investment, commercial revenue, or loan repayments. The technique is used to clean illicit proceeds, manipulate financial reporting, and create the appearance of external capital flows that justify unexplained wealth. Round-tripping is particularly relevant in markets where foreign investment receives preferential regulatory or tax treatment, creating an incentive to disguise domestic funds as returning foreign capital.
Monitoring indicators include circular transaction flows where funds leave and return through different entity names but consistent routing patterns, repeated transfers between related entities without clear commercial purpose, and cross-border payments structured in ways that lack economic logic unless viewed as concealment.
The Black Market Peso Exchange is a historically significant laundering mechanism linked to narcotics trafficking, particularly in Latin American corridors. Illicit proceeds — often in US dollars — are exchanged through informal currency brokers, or peso brokers, who purchase the dollars using legitimate Colombian pesos and then sell them to importers who use them to buy US goods. The system moves value internationally entirely outside traditional banking infrastructure, making it extremely difficult to trace through conventional monitoring.
While the BMPE originated in specific trade corridors, variants of informal value transfer schemes appear globally. Compliance teams operating remittance or trade finance businesses in Latin American, South Asian, and Middle Eastern corridors should maintain awareness of informal transfer mechanisms and apply suspicious activity reporting protocols to transactions that display indicators of informal value exchange.
Prepaid cards and digital wallets allow rapid movement of funds across borders with limited identity verification requirements in some jurisdictions. Criminals may exploit anonymous funding mechanisms, create multiple wallet accounts to distribute funds, or use rapid peer-to-peer transfers to obscure transaction trails within digital payment ecosystems. As embedded finance has expanded, the range of platforms that can be misused for this purpose has grown significantly.
Monitoring red flags include frequent prepaid reloads to maximum thresholds, rapid withdrawals after funding, multiple linked wallet accounts funding a single destination, and transaction patterns that mirror structuring behavior within digital payment channels rather than traditional banking.
| Typology | Primary Stage | Key Red Flags | Detection Priority |
|---|---|---|---|
| Structuring / Smurfing | Placement | Repeated sub-threshold transactions across linked accounts | High |
| Shell Companies | Layering | Opaque ownership, no commercial rationale, high velocity | High |
| Trade-Based ML (TBML) | Layering | Invoice manipulation, phantom shipments, over/under-invoicing | High |
| Crypto / Digital Asset | Layering | Mixer usage, flagged wallet addresses, rapid chain hopping | High |
| Offshore / Tax Haven | Layering | Secrecy jurisdiction routing, unexplained outflows | Medium-High |
| Cash-Intensive Business | Placement / Integration | Revenue inconsistent with business size, excess cash deposits | Medium-High |
| Real Estate | Integration | All-cash purchases, rapid resale, opaque corporate buyer | Medium-High |
| Round-Tripping | Layering / Integration | Circular flows, no economic rationale, related entity transfers | Medium |
| BMPE / Informal Transfer | Placement / Layering | Informal broker activity, corridor-specific patterns | Medium |
| Prepaid / Digital Wallet | Placement | Max-load reloads, rapid outflows, multiple linked accounts | Monitored |
Figure 3: AML typologies by laundering stage, detection signals, and priority classification for compliance monitoring programs.
Financial crime is increasingly technology-driven. FATF's mid-2025 review singled out stablecoins and decentralized finance platforms as priority risk areas, reflecting the speed at which criminal methods migrate to newer financial infrastructure. Compliance teams cannot rely solely on typologies documented in older regulatory guidance — they must track emerging patterns through updated typology repositories and regulatory intelligence channels.
Figure 4: Emerging AML typologies requiring updated monitoring scenarios and compliance program review in 2026. Sources: FATF mid-2025 review, FATF Publications on Methods and Trends.
Modern AML programs depend on transaction monitoring systems that analyze customer activity continuously to identify anomalies, unusual patterns, sanctions exposure, and behaviors linked to known typologies. Without effective monitoring, typology knowledge is purely academic — it cannot prevent or detect financial crime without systems that translate patterns into actionable alerts. The quality of a monitoring program is directly correlated with the specificity and currency of its underlying typology library.
Advanced monitoring systems combine rule-based detection — threshold triggers, velocity checks, geographic restrictions — with machine learning models that identify behavioral anomalies and network-level patterns invisible to static rules. The goal is to detect suspicious activity with high enough precision to allow investigators to prioritize genuine risks, rather than spending the majority of their time clearing false positives generated by overly broad rules. Effective transaction monitoring for MTOs requires scenario libraries calibrated specifically to remittance and cross-border payment typologies, not generic banking alert sets.
Traditional rule-based AML systems were designed for a financial environment that no longer exists. Static thresholds, fixed geographic restrictions, and manual scenario design cannot keep pace with criminal methods that update faster than compliance programs can respond. AI-powered monitoring addresses this gap by learning from transaction history, adapting to new patterns, and identifying hidden behavioral signals that rule engines cannot capture.
Machine learning models identify customer behaviour anomalies that deviate from individually established baselines — not just static population thresholds. This makes structuring, smurfing, and round-tripping patterns detectable even when individual transaction amounts fall below conventional reporting triggers.
Financial crime rarely operates through a single account in isolation. Shell company schemes, smurfing operations, and BMPE structures rely on coordinated activity across related entities. Network analysis maps relationships between accounts, beneficiaries, devices, IP addresses, and transaction flows to surface criminal networks that individual account monitoring cannot detect.
As new typologies emerge — NFT laundering, synthetic identity fraud, DeFi layering — monitoring systems must update their detection logic without requiring months of manual rule engineering. AI systems that learn from confirmed SAR cases and regulatory intelligence can adapt detection models to emerging criminal methods significantly faster than static rule libraries.
Money Transfer Operators occupy an elevated risk position in the global AML landscape. Their core business model — processing high volumes of international transfers, often for unbanked or underbanked customer segments, across multiple jurisdictions — creates overlapping exposure to nearly every major typology category. Structuring and smurfing risk is elevated because of transaction velocity. Shell company risk appears in business customer segments. TBML risk emerges in trade-linked remittance corridors. Crypto layering risk grows as digital assets become more integrated with traditional payment flows.
Regulators including FATF, FinCEN, the FCA, AUSTRAC, and national financial intelligence units globally consistently identify money service businesses as a high-risk sector requiring demonstrably robust AML controls. For MTOs, the question is not whether to implement typology-driven monitoring — it is whether the monitoring program is genuinely calibrated to the specific corridors, customer segments, and transaction profiles the business serves. Generic banking monitoring rules applied to a remittance operation will generate excessive false positives on legitimate migrant worker transfer patterns while potentially missing the specific structuring behaviors relevant to the institution's actual risk exposure.
The practical implication is that FATF-aligned compliance programs for MTOs must include corridor-specific typology scenarios, customer segment risk profiling that reflects the demographics of actual sender and recipient populations, and transaction monitoring rules calibrated to the velocity, seasonality, and value patterns of legitimate cross-border remittance activity.
Compliance infrastructure for regulated remittance operations needs to be built specifically around the risk profile of cross-border payment businesses — not adapted from generic banking tools that were never designed to handle the transaction velocity, corridor diversity, or customer complexity that defines modern MTO operations. RemitSo's compliance engine was built from the ground up for this environment.
The platform covers 55+ AML indicator scenarios calibrated to remittance and cross-border payment typologies, real-time sanctions screening against 40,000+ records across eight global sanctions lists including OFAC, UN, EU, and HMT with fuzzy matching and alias detection, tiered KYC from standard verification through full Enhanced Due Diligence, business entity screening and beneficial ownership verification, AML case management with timestamped audit trails, and automated regulatory reporting workflows. For operators scaling across multiple corridors, RemitSo's AML consulting services support compliance program design and regulatory readiness alongside the technical platform. Compliance teams can explore the full RemitSo platform capabilities to understand how each component maps to specific typology detection requirements.
From typology-calibrated monitoring to real-time sanctions screening — RemitSo gives compliance teams the tools to detect financial crime without drowning in false positives.
AML typologies are the documented methods, behaviors, and transaction patterns that criminals use to launder illicit funds through financial systems. They describe the observable signals — account structures, transfer patterns, customer behaviors, and entity relationships — that indicate money laundering activity at the placement, layering, or integration stages. Typologies are developed by regulators, law enforcement, and financial intelligence units through investigation data, suspicious activity reports, and enforcement case analysis. They form the detection logic underlying transaction monitoring rules, risk scoring models, and SAR filing decisions.
AML typologies are important because they translate abstract regulatory requirements into specific, operational detection logic. Without typology intelligence, monitoring rules are generic and disconnected from the actual methods criminals use — generating excessive false positives on legitimate activity while missing the specific patterns that indicate genuine risk. Typology-driven programs improve the quality of SAR filings, help compliance teams prioritize high-risk cases, and demonstrate to regulators that the institution's monitoring approach is grounded in current financial crime intelligence rather than theoretical rule sets.
Structuring — also called smurfing — involves deliberately breaking large amounts of illicit money into smaller transactions to avoid regulatory reporting thresholds. Instead of making a single large deposit that would trigger an automatic report, criminals distribute the activity across multiple transactions, accounts, or individuals, each individually below the threshold. Structuring is a criminal offence in most jurisdictions even when the underlying funds are not themselves illicit — the deliberate intent to avoid reporting is sufficient for prosecution. Monitoring systems detect structuring through velocity analysis, transaction clustering, and behavioral baselines that flag patterns inconsistent with the customer's legitimate financial profile.
Trade-based money laundering uses international trade transactions — imports, exports, invoices, and shipping documentation — to move illicit value across borders while creating a veneer of commercial legitimacy. The most common TBML techniques include over-invoicing (inflating export values to justify large outflows), under-invoicing (understating import values to transfer value abroad), duplicate invoicing, and phantom shipments (payment for goods never actually shipped). TBML is particularly difficult to detect because transactions appear commercially plausible to individual institutions that lack visibility into the full trade relationship. Detection typically requires cross-referencing payment flows with trade documentation or using industry benchmarking data to identify valuations inconsistent with market norms.
Cryptocurrencies create AML risks primarily through the speed and pseudonymity of cross-border value transfer. Mixers and tumblers break the on-chain transaction trail, making fund origins untraceable. Peer-to-peer exchanges operating without AML controls allow value exchange outside regulated infrastructure. Privacy-focused tokens and cross-chain bridges obscure transaction trails across different blockchain ecosystems. DeFi protocols automate financial activity without custodial oversight, creating laundering pathways that bypass institutional controls entirely. FATF's mid-2025 review identified stablecoins and DeFi as priority enforcement areas, with only around 40 jurisdictions rated largely compliant with FATF's virtual asset AML standards — leaving significant geographic gaps that criminal networks actively exploit.
Round-tripping involves moving illicit funds through multiple entities, accounts, or jurisdictions before returning them to the original owner disguised as foreign investment, commercial income, or loan repayments. The technique is used to clean proceeds, manipulate financial reporting, and create the appearance of legitimate capital inflows in markets that offer preferential treatment for foreign investment. Monitoring indicators include circular transaction flows, transfers between related entities with no clear commercial purpose, and cross-border payment structures that lack economic logic unless viewed as a concealment mechanism. Round-tripping often involves offshore jurisdictions and shell company layers that make beneficial ownership tracing difficult.
Traditional rule-based AML monitoring applies fixed thresholds uniformly across all customers, generating high false positive rates — typically 90% to 98% of alerts — because legitimate customer behavior varies enormously. AI-driven monitoring establishes individual customer behavioural baselines, identifies anomalies relative to those baselines, and surfaces network-level patterns — coordinated structuring across multiple accounts, shell company chains, entity relationship graphs — that static rules cannot detect. Machine learning models trained on confirmed financial crime cases continuously improve their detection accuracy and can adapt to new typologies without requiring months of manual rule engineering. The practical result is lower false positive rates, faster investigation triage, and better detection of genuinely suspicious activity.
MTOs require AML infrastructure that is specifically calibrated to the risk profile of cross-border payment operations — not generic banking monitoring tools. The core components are: typology-specific transaction monitoring scenarios mapped to remittance and payment corridor risks; real-time sanctions screening against global lists with fuzzy matching capability; tiered KYC supporting standard verification through Enhanced Due Diligence; beneficial ownership verification for business customers; AML case management with timestamped audit trails that satisfy regulatory evidence requirements; and automated regulatory reporting workflows for suspicious activity submission. Infrastructure fragmentation — using disconnected point solutions for each compliance function — creates visibility gaps between systems that sophisticated laundering operations actively exploit. Integrated compliance platforms purpose-built for remittance operations reduce these gaps and improve end-to-end typology detection coverage.
