Detection is where anti money laundering (AML) programs either do their job well or fail without anyone knowing.
It's easy to make policies. Training decks are simple. In the big picture, it's not hard to write a risk assessment that meets all the rules. The hard part is detection. That's when the program has to work in real time, on real customers, with incomplete information and a team that is already stretched thin. Knowing what to look for is the most important part of detection, the thing that everything else is built on.
Things to watch out for. Signs. The signs that something is wrong, even before you can prove it.
This guide covers the key red flags compliance teams need to recognize, the tools built to surface them, and what to do when something doesn't look right.
- Why Red Flags Are More Important Than Rules
- Customer Red Flags
- Transaction Red Flags
- Behavioral Red Flags
- Geographic Red Flags
- AML Tools for Detection
- From Detection to Action: What to Do When You Spot a Red Flag
Why Red Flags Are More Important Than Rules
Before we get into the categories, it's important to explain how red flags really work, since a lot of people don't understand this.
A red flag does not mean that money laundering is going on. It's not even close to being proof. It's a sign that something needs more attention. If you look into most red flags, you'll find that they have a good reason for being there. The customer was nervous because they are always nervous. The transaction with the round number was an invoice from a vendor. The cross border transfer went to a place with a lot of crime because that's where the customer's family lives. That's okay. That makes sense. The red flag did its job by getting the review started. The review didn't find anything. The case is closed.
The problem is that red flags are either ignored because the team is too busy or the system isn't set up to show them, or they're seen as automatic guilt. Neither method works. Red flags are things that go into a judgment process, not things that come out of it.
FinCEN has always been clear about this in its advice over the years. The idea of suspicion, not certainty, is what the suspicious activity reporting framework is based on. Institutions are not required to conduct criminal investigations. They should find and report any suspicious activity, and then let the right people handle it. The red flag is just the beginning, not the end.
That said, here's what you should look for.
Customer Red Flags
Some of the most important signs that money laundering is happening don't have anything to do with transactions. They come from the customers themselves: How they act during onboarding, what their paperwork looks like, and what their background checks show when they are done right.
Not wanting to give information is one of the oldest warning signs, and it still applies today. If a customer is unusually reluctant to provide standard KYC documents, only gives information in bits and pieces, or can't explain where their money comes from in a clear way, that's a sign that they need to be looked into. Most legitimate customers know why they're being asked for paperwork. They might not like the process, but they don't see routine requests for information as a threat.
Another issue is inconsistent documentation. Documents that don't match up with each other, like an address on one form that doesn't match another, a business registration that doesn't match what the customer says they do, or financial statements that don't show the business activity being described, could be mistakes made by the office, or they could be something more intentional. The point is to see them and not let them go.
Ownership structures that are complicated and don't seem to serve a business purpose should be looked into. Sometimes, real businesses have complicated corporate structures for real operational or tax reasons. A network of holding companies, nominee directors, and layered entities that makes it hard to figure out who really owns and controls the account is a big red flag, especially if the customer doesn't want to explain the structure or can't clearly name the beneficial owner.
Politically exposed persons (PEP) status is a risk by definition. PEPs work in jobs that may give them access to public money or the power to decide how public money is spent. This makes them more likely to be involved in corruption, which is directly linked to money laundering. Being a PEP is not a crime, and most PEPs are not doing anything wrong. But the risk profile is different, so more research is needed.
Links to people or groups that have been sanctioned are some of the most serious risks at the customer level. A customer who has direct or indirect ties to a designated person or entity, such as through ownership, business ties, family ties, or shared addresses, needs to be dealt with right away. This is exactly the kind of risk that sanctions screening is meant to find.
Adverse media ties it all together. A customer who shows up in credible reports about financial crime, corruption, fraud, or criminal networks is a risk that a standard review of documents won't find. Adverse media screening adds that extra level of knowledge to the picture of customer risk.
Transaction Red Flags
Customer red flags are about who a person is, while transaction red flags are about what they are doing. This is where transaction monitoring systems fit into the control environment.
Structuring below reporting thresholds is one of the most well known ways to launder money, and compliance systems are made to catch it. In the U.S., if you receive more than $10,000 in cash, you have to fill out a Currency Transaction Report. It is against the law to break up transactions on purpose to stay below that limit, like depositing $9,500 one day and $9,800 two days later. This is true no matter what other crime may be involved. The pattern doesn't have to be obvious to be suspicious. Regular deposits that are just below important thresholds, spread out over several branches or long periods of time, should be looked at closely.
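A minimal monitoring scenario for the structuring pattern described above, as an added example that is not part of the original guide or any vendor's product. The 80% "just below" band, the 7-day window, and the customer and branch identifiers are assumptions chosen for illustration; the sample deposits are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000   # U.S. cash reporting threshold cited in the text
NEAR_FRACTION = 0.80     # assumption: "just below" means at least 80% of the threshold
WINDOW_DAYS = 7          # assumption: look-back window for aggregating deposits

def structuring_alerts(deposits, threshold=CTR_THRESHOLD,
                       near=NEAR_FRACTION, window_days=WINDOW_DAYS):
    """deposits: iterable of (customer_id, date, branch, cash_amount).
    Returns one alert per customer whose near-threshold cash deposits,
    each reportable on its own only if larger, sum past the threshold
    inside the window. An alert is a trigger for review, not a finding."""
    candidates = defaultdict(list)
    for cust, day, branch, amount in deposits:
        # Deposits above the threshold already generate a report; tiny
        # deposits are noise. Only the band just under the limit counts.
        if near * threshold <= amount <= threshold:
            candidates[cust].append((day, branch, amount))

    alerts = []
    for cust, rows in candidates.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it spans at most window_days.
            while rows[end][0] - rows[start][0] > timedelta(days=window_days):
                start += 1
            window = rows[start:end + 1]
            total = sum(amount for _, _, amount in window)
            if len(window) >= 2 and total > threshold:
                alerts.append({
                    "customer": cust,
                    "first": window[0][0],
                    "last": window[-1][0],
                    "total": total,
                    "branches": sorted({b for _, b, _ in window}),
                })
                break  # one alert per customer is enough to open a review
    return alerts

# Constructed sample data (not real customers or transactions).
SAMPLE_DEPOSITS = [
    ("C-1001", date(2024, 3, 4), "B1", 9_500),   # the pattern from the text
    ("C-1001", date(2024, 3, 6), "B2", 9_800),
    ("C-1002", date(2024, 3, 5), "B1", 9_900),   # single deposit: no pattern
    ("C-1003", date(2024, 3, 5), "B1", 12_000),  # over the limit: reported anyway
    ("C-1003", date(2024, 3, 7), "B1", 3_000),
    ("C-1004", date(2024, 2, 1), "B3", 9_200),   # 30 days apart: outside window
    ("C-1004", date(2024, 3, 2), "B3", 9_400),
]

if __name__ == "__main__":
    for alert in structuring_alerts(SAMPLE_DEPOSITS):
        print(alert)
```

Widening `window_days` or lowering `near` catches slower or smaller patterns at the cost of more alerts, which is the calibration trade-off a monitoring team has to manage.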
Another classic sign is the quick movement of money, which is sometimes called "round tripping" or layering. Money that moves quickly between different accounts or entities, with no apparent economic reason for each move, is a sign that someone is trying to hide where it came from. The word "apparent" is important. The institution's job is to figure out if the move makes sense for business based on what they know about the customer. That's a problem when it doesn't.
Transactions that are round numbers are a less obvious but still real sign. Real business activity usually leads to strange amounts, like bills for $7,342 and payments for $15,875. When a customer regularly makes round number transactions like $10,000, $50,000, or $100,000, especially in cash, it could mean that money is being moved in pre-counted blocks instead of as a result of real business activity.
Transactions that don't match a customer's profile may be the most common sign of a bad transaction. Based on what they do, where they do it, who their counterparties are, and what volumes make sense for their business, every customer has a profile of expected activity. When activity changes a lot from that profile, like suddenly having more transactions, a new type of counterparty, activity in a different part of the world, or transaction types that the customer hasn't used before, that change is a sign that something is wrong.
When you send money across borders to high risk areas, you are taking on both transaction level and geographic risk. Just because a transfer goes to another country doesn't mean it's suspicious. But moving money to a place with weak AML laws, active Financial Action Task Force (FATF) monitoring, or a history of being used to move illegal money makes any transaction that might already be raising other red flags even riskier.
Behavioral Red Flags
Behavior sits between the customer and the transaction. It's about how a customer acts when they interact with the institution. This is the category that relies the most on frontline staff being trained to notice what they see.
A sudden change in how transactions are done is a key behavioral signal. A customer whose behavior has been steady for years and then suddenly changes—like the amount of business they do, the types of transactions they make, the areas they do business in, or the types of people they do business with—without a change in their business circumstances should be looked into. There could be good reasons for change. But we should ask and answer the question of why something changed without explanation.
It's easy to miss when people don't want to answer questions about transactions in a busy branch or call center, but it's important to notice. If a customer becomes evasive, defensive, or unexpectedly angry when asked simple questions about the purpose of a transaction, the identity of a counterparty, or the source of funds, they may not be ready to answer honestly. That response is information.
If someone uses multiple accounts for no clear reason, it could mean that they are trying to spread activity across accounts to stay below detection thresholds or to make it harder to see the full picture of a customer's activity. Sometimes, real customers have more than one account for real business reasons. But using multiple accounts in ways that seem to split up activity, especially when combined with other signs, is a pattern that should be looked into.
Businesses that rely heavily on cash and have unpredictable income are structurally weak, and money launderers have taken advantage of this for years. Restaurants, car washes, laundromats, and other businesses that naturally deal with a lot of cash are good places to mix illegal cash with legal cash because the cash itself is expected and not unusual. When the reported cash revenue doesn't match what the business should be able to make based on its size, location, hours, and how many customers it seems to have, that's a red flag.
Geographic Red Flags
Geography gives almost every other red flag category more meaning. When a transaction involves a jurisdiction that international standard setters have called "high risk," it looks a lot more unusual than it does on its own.
The FATF gray and blacklists are the best way to tell if a place is a geographic risk. FATF has two public lists: The "gray list" of places that are being watched more closely and the "black list" (formally, "High Risk Jurisdictions subject to a Call for Action") of places that have big problems with their anti money laundering and combating financing of terrorism (AML/CFT) frameworks. Transactions with counterparties or accounts in these places are automatically more risky, and that risk needs to be taken into account when the institution looks at any activity related to them.
Tax havens are a different but related problem. People who launder money often use places where financial secrecy is high, disclosure requirements for beneficial ownership are low, and tax treatment is good to hide the trail of money or keep assets out of sight. Activity that goes through tax havens without a clear business reason is a good geographic indicator.
Conflict zones add another level of risk that is linked to both money laundering and funding terrorism. In places where there is active conflict, financial supervision may not be as good, people may have to move, informal economies may be working, and armed groups may be interacting with the financial system in ways that create unique risks. When dealing with areas affected by conflict, it's important to carefully think about the purpose of the transaction and the people involved.
Countries that don't have good AML/CFT rules, supervision, or enforcement, even if they don't appear on an official list, are riskier because they make it easier for money to move around without being checked. We need to pay more attention to correspondent banking relationships, payment chains that go through these jurisdictions, and customers who do a lot of business there.
AML Tools for Detection
You need to know the different types of red flags. You need the right tools to act on them, and not all tools work for all categories in the same way. A detection program is only useful if it matches the tool to the risk.
Sanctions screening is the best way to find customer level risk that is linked to specific people and groups. Screening against OFAC, UN, EU, and other relevant sanctions lists in real time catches the most serious type of known risk before a relationship is formed or a transaction is processed. Designation screening has to run at the front of the process, not as an afterthought. This is because FATF Recommendation 6 requires the ability to freeze assets without delay.
PEP screening covers the risk of politically exposed people that regular identity checks don't. Because the risk often travels through the network around a PEP rather than directly through the PEP themselves, PEP databases need to be complete, kept up to date, and able to cover not just the PEP but also their close friends and family.
Transaction monitoring is the main way to find red flags in transactions and behavior. A good transaction monitoring system doesn't just use a generic ruleset; it runs scenarios based on the institution's real risk profile. It also sends alerts that give investigators enough information to make useful judgments. The question of calibration is very important here. When scenarios are set too broadly, they send out too many alerts, which makes it hard for the investigations team to keep up and causes real signals to get lost. Scenarios that are too narrow miss real events. Setting the threshold correctly is an ongoing task, not something that can be done once.
Adverse media screening adds outside information to the picture of customer risk. Searching for bad news stories by hand is helpful, but it doesn't work on a large scale. Automated adverse media screening against structured databases of credible reporting related to financial crime, corruption, sanctions evasion, and fraud gives compliance teams a view of customer risk that internal data alone can't give them.
Customer risk assessment takes all of these signals and puts them together in a way that shows how risky each customer is. A good risk assessment framework takes the results of screening, transaction monitoring, and behavioral review and uses them to create a risk rating. This rating determines how much due diligence is done on the relationship: Standard due diligence for lower risk customers and enhanced due diligence for higher risk ones.
FUSION, Sanction Scanner's AI powered risk intelligence platform, combines all of these tasks into one working environment. AI driven risk scoring runs under a shared data layer that handles transaction monitoring, sanctions screening, PEP screening, adverse media screening, customer risk assessment, fraud monitoring, case management, and regulatory reporting. That integration is important in practice: A screening hit adds to the picture of transaction monitoring, a behavioral anomaly starts a targeted screening review, and the case management workflow connects the detection output directly to the investigation and reporting process. The red flag and the response are both in the same place.
From Detection to Action: What to Do When You Spot a Red Flag
Finding a red flag is the start of a process, not the end of one. And the process is just as important as the detection. If a red flag is found but then sits in a queue, gets escalated in an inconsistent way, or never makes it to a SAR filing decision, the institution hasn't really been protected.
The alert or indicator is what starts the escalation workflow. An alert for transaction monitoring goes off. A screening hit comes back as positive. A front line worker notices strange behavior from a customer. A periodic review brings to light activity that doesn't match the customer's profile. People have noticed something. That's the first step.
The next step is to investigate. The investigator, or the analyst in charge of the alert, looks over the information that is available: transaction history, the customer profile, account paperwork, screening results, and any useful outside information. At this point, the question is: Is there a reasonable explanation for this red flag, or does the investigation make the concern worse? If the investigation makes the concern worse, the case goes to enhanced due diligence (EDD). EDD is not a way to gather general information. It's a focused effort to figure out the exact risk that has been found, such as the source of the money, the reason for the relationship, the identity and background of important counterparties, and the business reason for the activity that raised the concern. EDD results either put the worry to rest or make it worse.
If the concern persists after EDD, meaning there isn't a good reason for the activity and the overall picture points to possible money laundering or other financial crime, the SAR filing decision is made. In the U.S., a SAR is filed when the institution knows, suspects, or has reason to suspect that a transaction involves money from illegal activity, is meant to avoid reporting requirements, or has no legal purpose. The SAR narrative needs to make it clear what was seen, what investigation was done, what explanation was or wasn't given, and why the activity still seems suspicious.
At each step of the workflow (red flag, investigation, EDD, SAR decision) there should be a record. Not just because regulators want to see paperwork, though they do. The documentation is what makes the program safe, easy to check, and able to get better over time.
