Terrorist Financing Red Flags: What Compliance Teams Should Actually Look For

Terrorist financing doesn't often look like what compliance teams think it should. It isn't always big, hidden, or hard to understand. In a lot of cases, it looks like small, normal transactions that make sense at first but seem shady once you know more about the bigger picture. That's what sets terrorism financing (TF) red flags apart from other signs of money laundering. Companies need to look at more than just the size of a transaction to find them. They need to look at things like the customer's profile, where they are located, who they are dealing with, and how they behave on different channels. This article breaks down those warning signs in a useful way, using examples from banking, sending money, nonprofits, crypto, trade finance, and the most recent FinCEN guidance.

• Why TF Red Flags Are Not the Same as ML Red Flags
• Red Flags in the Banking Channel
• Red Flags for MSB and Remittance Channels
• Red Flags for Nonprofit and Charity Channels
• Red Flags for Cryptocurrencies and Virtual Assets
• Red Flags in Trade Finance
• The Operational Response: From Red Flag to SAR
• FinCEN Alerts and Advisories: The Most Recent TF Guidance

Why TF Red Flags Are Not the Same as ML Red Flags

Most Anti Money Laundering (AML) teams learn about warning signs that they are already familiar with. Big deposits of cash. Setting up. Quick movement of money. Layering that is hard to understand. Transactions that don't seem to have a business purpose. Of course, those are still big red flags. But they were mostly made to solve the problem of money laundering: getting dirty money clean before it goes back into the economy. The opposite is often true when it comes to financing terrorism. Money may start out clean and move in ways that don't look suspicious before being used for something illegal. FATF's standards and guidance on terrorist financing are very clear about this. 

That's why it's so hard to detect a $300 wire from a salaried worker to a family member living abroad. It might look like a normal remittance on the outside. It could also be part of a network of people who help each other. Just the number doesn't tell you much. The real signal is usually in the facts around it: does the destination match the customer's history? Is the beneficiary linked to a higher-risk corridor? Are there sanctions or negative media hits? Does the pattern fit known typologies? Appendix F of the Federal Financial Institutions Examination Council shows this broader view by putting customer profile, jurisdiction, and funds-transfer behavior together instead of just looking at transaction size. 

This is also why screening is the first step in terrorism financing (TF) defense. It's important to keep an eye on transactions, but screening is what finds the known names, aliases, phone numbers, email addresses, passport numbers, and wallet addresses that belong to certain people or groups. Financial Crimes Enforcement Network's (FinCEN) October 2023 Hamas alert and May 2024 advisory both made this point very clear: If a transaction has anything to do with Office of Foreign Assets Control (OFAC) designated identifiers, that fact matters even if the payment itself seems completely normal. In TF work, red flags that are based on context are often more important than red flags that are based on transactions.

Red Flags in the Banking Channel

People sometimes don't realize how important the banking channel still is. The US Treasury's 2024 National Terrorist Financing Risk Assessment says that terrorists still use banks and money transmitters to get what they want. A recent study of 121 cases found that traditional payment systems were used in 93% of them, while new fintech channels were only used in 7% of them. In other words, the old rails still do a lot of the work.

Some signs of trouble in banking may seem generic at first, but they make a lot more sense in a TF context. One example is when a customer sends or receives money to or from a higher-risk area that doesn't match their business or personal history. FFIEC directly points out that pattern. In money laundering, that could mean hiding something or mispricing a trade. In TF, it can mean that support is going into a conflict zone, a hub for helping people, or a corridor that is sensitive to sanctions. Sanctions screening and geography-aware transaction monitoring work well together as a control here. There are gaps when one is missing.

Another common pattern is a lot of small incoming transfers followed by a wire transfer to another country right away. It is also on the Federal Financial Institutions Examination Council’s (FFIEC) BSA/AML Examination Manual list. Why is it important for terrorism financing (TF)? Because it can mean collecting and moving on instead of building up. The goal may not be to get rich. The goal may be to quickly collect small donations and move them on before they sit long enough to get noticed. This is the kind of case where scenario tuning is important. Low-value aggregation rules, rapid-outbound movement rules, and jurisdictional overlays usually catch more than one high-value threshold.

Customer profile red flags are just as important. If the stated job doesn't match the level of the transaction or the way the payment is made, that's not just an AML issue. It could mean raising money for a third party, helping out, or acting on behalf of a network. The FFIEC also talks about customers who have more than one account and move money between them before sending money to places that are more likely to be risky. That could be money laundering again. But in TF cases, it can also be an attempt to break up visibility inside the institution, create distance from the originator, or stage funds before a final transfer. So, monitoring should connect related accounts instead of looking at them one at a time.

The most basic banking red flag is still the strongest: Transactions with parties that OFAC has designated or with identifiers linked to them. FinCEN's Hamas alert and May 2024 advisory both clearly list not only named parties but also email addresses, physical addresses, phone numbers, passport numbers, and virtual-asset addresses linked to those parties. That's why it's so important to design the screening process well. Screening by exact name isn't enough. Institutions need to be able to screen both counterparties and direct customers, as well as use identifiers, transliteration, fuzzy matching, and other tools.

Red Flags for MSB and Remittance Channels

Money Service Businesses (MSBs) are at the heart of the TF problem. According to the US Treasury's 2024 National Terrorist Financing Risk Assessment (NTFRA), MSBs filed almost 72% of all SARs related to terrorist financing between 2020 and 2022. It also says that MSBs have a lower SAR filing limit than many other organizations: $2,000 instead of $5,000. That doesn't mean that MSBs are always suspicious. It does show why this channel gives us so many useful TF reports.

The first warning sign here is that there are a lot of small-value transfers going to different people in areas that are affected by conflict or are sensitive to terrorist financing. That could still be normal remittance activity on its own. But when one sender keeps sending money to different people in places that are known for helping terrorists or being in the middle of a war, things change. The 2025 FinCEN ISIS advisory says that low-dollar MSB transfers and remittances to many people in places where ISIS is known to operate are a significant sign. Monitoring needs to go beyond looking at one beneficiary at a time and find corridor-based spreading behavior.

Structuring is also a little different in MSBs. Transfers that are below the threshold are an old compliance issue, but in TF they matter because the amounts are often very small. That means that a series of transfers that are just below the MSB limit can be both useful and suspicious. The harder cases aren't the ones that are clearly made up. They are the ones that still make sense for a real customer in terms of money. This is why scenario design needs to take into account threshold behavior, destination, beneficiary pattern, and customer profile.

A third warning sign is using more than one MSB in the same area to keep any one institution from getting a complete picture. The Treasury says that smaller MSBs may be more at risk for TF because their AML/CFT programs may not be as strong and they may not be watched as closely as larger global operators. That doesn't mean you should be concerned about every remittance business in your area. It is a reason to treat repeated use of different transmitters, changing beneficiary information, and high-risk corridors as signals that need to be escalated. Screening both the sender and the receiver is still important here because known or sanctioned actors do use remittance channels.

Transfers to areas where hawala is known to happen should also be looked at more closely. This is not because hawala is always illegal, but because formal and informal systems often work together. The Treasury's 2024 NTFRA says that ISIS still uses a lot of hawala and cash. It also talks about how hawala networks in Türkiye and Iraq move money from donors to people linked to ISIS. In practice, this means that remittance monitoring should look at some corridors as more than just places on a map. This is where a separate hawala article should go in the cluster for a more in-depth look.

Red Flags for Nonprofit and Charity Channels

You need to be careful with this part. Most non-profit organizations (NPOs) don't pose a risk of funding terrorism. Financial Action Task Force (FATF) Recommendation 8 does not give you permission to be suspicious of the whole sector. It says the opposite: Find the small group of organizations that are really at risk of being abused by terrorists and take targeted, appropriate, and risk-based steps. That little detail is important because reporting too much can keep real nonprofits from getting bank access, which doesn't help anyone.

Still, some patterns are worth paying attention to. FATF, Egmont, and Australian Transaction Reports and Analysis Centre (AUSTRAC) all point to a familiar set of signs: Donations that don't seem to be going to real charities, operations in conflict zones without clear program reporting, large public fundraising by groups or people who aren't registered or incorporated, cash deposits from people who aren't known, and ties to groups or people with extremist views. Egmont's 2024 report breaks down the ways that people abuse into six common types: stealing money, joining a terrorist group, abusing NPO programs, helping with recruitment, lying about who they are, and raising money through social media.

The AUSTRAC case studies help make these patterns less vague. One time, an unregistered local NPO put on a big public event, put the money into another NPO's account, and then slowly took some of the money out and sent it to a conflict zone in the Middle East. Another NPO got money through electronic transfers and frequent large cash deposits. It was linked to a religious group that was known for reporting on violent extremist views, and it couldn't fully explain how it used all of its money. Those aren't stories about how risky charities are. They are stories that say "context matters."

For compliance teams, the best course of action is to do more thorough research instead of just being suspicious. You need to know about governance, signatories, expected donors, the program's footprint, exposure to conflict zones, and how the money is really given out. Screening connected parties is also important here. This includes not only the NPO's name, but also its signatories, branches, foreign partners, and counterparties. If you have a cluster article about NPO abuse and funding for terrorism, this is the best place to send readers to it. 

Red Flags for Cryptocurrencies and Virtual Assets

A lot of people talk about how crypto is used to fund terrorism. Some of that attention is deserved. Part of it is hype. Treasury's 2024 NTFRA says that terrorists are still more likely to use traditional financial products and services, even though groups like ISIS and Hamas have learned more about virtual assets and used them more often. The same report says that most terrorists who use virtual assets still do so by raising money online, often through social media or encrypted apps like Telegram.

Being linked to known or suspected addresses linked to terrorists or donation campaigns is the clearest sign of crypto fraud. FinCEN's October 2023 Hamas alert makes it clear that institutions should look for virtual-currency addresses when they are looking into suspicious activity related to Hamas. This means that checking for sanctions on virtual assets shouldn't be seen as a side project. It is the main part of TF control. Blockchain analytics alerts can help with this, but institutions still need a clear way to move up the chain when an address shows up on a terrorist-linked list or touches a known campaign wallet.

The FATF's 2020 virtual-asset red flags are still helpful. They look at things like transaction patterns, anonymity features, sender and recipient behavior, source-of-funds issues, and geography. In real life, that means that mixing or tumbling services, quickly turning virtual assets into cash and then withdrawing them right away, peer-to-peer transfers that don't go through regulated VASPs, and using weakly supervised VASPs over and over again should all make things hotter. The 2024 NTFRA from the Treasury says that peer-to-peer transfers, unhosted wallets, OTC brokers, and supposedly decentralized exchanges can be used together in layers to hide things, especially when AML/CFT supervision is weak.

There is one point that is worth keeping in mind. The Treasury says that terrorist groups have not used technologies that make them harder to find very much so far. The risk of crypto is real, but it's not the only thing going on. The lesson for compliance teams is not to "treat all crypto as terrorism risk." "Screen wallets, know what VASP exposure is, and don't let low-dollar online fundraising go unnoticed just because it doesn't fall under the usual bank monitoring." A full technical treatment should be done in a separate crypto TF article.  

Red Flags in Trade Finance

Red flags for trade finance often look like red flags for sanctions, but in a different way. Things that don't fit with the customer's business. Shipments going through areas with a higher risk for no clear reason. Prices that make it look like you're charging too much or too little. Documentary credits with terms that are very lenient. Items that can be used for both military and civilian purposes. None of that is enough to prove TF on its own. But when you look at all of these patterns together, they can suggest that trade is being used to move value, hide who is buying and selling, or support procurement activity instead of real commerce. Both FATF and FinCEN see trade abuse as a big problem for AML/CFT, even though the line between trade-based money laundering and trade-based terrorist financing can be hard to see in real life.

It's easy to see why this is important for TF. Trade can pay for, equip, or hide things. It's a strange KYC point that a steel company is suddenly selling pharmaceuticals. It could mean that a trading company is being used as a front or that someone is trying to move goods and money outside of the customer's normal profile. The May 2024 FinCEN advisory on terrorist groups supported by Iran specifically calls out general trading companies with unclear business purposes, unclear ownership, and beneficial ownership linked to Iran as risk factors. That has clear effects on how trade finance is controlled.

Sanctions screening and export controls also need to be closer to AML/CFT than they usually are in real life. It shouldn't be looked at as a trade operations issue if a shipment has dual-use goods, goes through a conflict zone, or has counterparties in high-risk areas. It is also a crime against money. If you have a separate article about how terrorists get money through trade, this is the right place to stop.

The Operational Response: From Red Flag to SAR

A red flag doesn't mean the process is over. It is the beginning of one. That seems clear, but a lot of compliance writing still ends with the list. In real life, the workflow is just as important as the indicator.

First, there is the hit or alert. The first step is to figure out if it's a true match or a false positive. This step can include name matching, identifier matching, wallet exposure, geography, and customer-profile checks for sanctions and TF work. FinCEN's terrorism warnings tell institutions over and over again not to rely on just one red flag, but to look at all the facts and circumstances. That isn't a legal boilerplate. It is the real way it works.

The next step is to look into the alert if it passes the first review. Get the customer's profile, transaction history, counterparties, connected accounts, sanctions results, beneficial ownership, and negative media. You should also know about program footprint and governance for NPOs. Wallet intelligence and VASP exposure are important for crypto. For MSBs, how corridors work and how often beneficiaries repeat themselves are important. Then there's escalation: Should this go to the Money Laundering Reporting Officer (MLRO) or the Bank Secrecy Act (BSA) officer, and is it worth filing a Suspicious Activity Report (SAR)?

The details of filing a SAR are important when one is needed. The most recent update to FinCEN's SAR key terms page was in February 2026. It lists the terms that institutions should use for the relevant advisories that deal with terrorism financing. FIN-2023-TFHAMAS is the most important word for Hamas. The advisory for Iran-backed terrorist groups in May 2024 is IRANTF-2024-A001. It is ISIS-2025-A001 for the April 2025 ISIS advisory. The underlying FinCEN publications also tell institutions to choose SAR field 33(a), which is "Terrorist Financing-Known or suspected terrorist/terrorist organization."

And then, maybe the least exciting part: Paperwork. Keep the trail of the audit. Write down why the alert was closed or moved up. Keep the extra information. In TF cases, the quality of that record is important because a small payment can seem harmless until a second or third data point changes the story.

FinCEN Alerts and Advisories: The Most Recent TF Guidance

FinCEN keeps changing its rules about how to stop terrorists from getting money, and these changes are important because they do more than just explain the risk. They also tell organizations what to look for, how to frame it, and which SAR key terms to use when something goes too far. As of March 2026, FinCEN's SAR key terms page has TF-related links to the October 2023 Hamas alert, the May 2024 advisory on terrorist groups backed by Iran, the October 2024 Hizballah alert, and the April 2025 ISIS advisory.

The Hamas alert from October 2023 is still one of the best places to start. It makes sense and It tells organizations to pay attention to more than just names on sanctions lists. They should also pay attention to identifiers linked to designated actors, such as phone numbers, email addresses, physical addresses, and virtual asset addresses. It also talks about donations made through social media, especially when there are extremist images or messages next to the fundraising. For SAR purposes, FinCEN tells people to use the keyword FIN-2023-TFHAMAS and choose field 33(a) for terrorist financing.

The May 2024 advisory makes the picture bigger. It's not just about one campaign; it's more about the whole financing system for terrorist groups that are supported by Iran. There are a lot of red flags here, including suspicious trading companies, MSBs or VASPs that aren't well-controlled in high-risk areas, NPOs that raise money, and payments that have references to terrorism or sanctioned identifiers. FinCEN wants the SAR key term IRANTF-2024-A001. What makes this advisory helpful is that it makes compliance teams think about all of their products at once instead of just one system at a time.

The ISIS advisory for April 2025 is the next one. This one is especially helpful because the examples seem so normal at first. People used to book travel for multiple unrelated people using credit cards or bank accounts. Small payments that come in and are then grouped together and sent out. Social media appeals that say they help women and children in camps in Iraq or Syria, but they might really be for ISIS-linked fundraising. Sending money to a number of people in places that help ISIS. The SAR key term you asked for is ISIS-2025-A001, and it is again field 33(a).

FinCEN guidance is not something you read for fun. It changes how to look at alerts, how to adjust scenarios, and how to write SAR narratives. The controls should also change if the alerts do. If not, the program will start to fall behind in risk.

The hardest part about terrorist financing red flags is that many of them don't seem very serious. They seem normal. A small payment. A small gift. A bank transfer that would never stop a money laundering analyst just because of the amount. That's the problem.

TF detection isn't so much about finding the biggest deal in the room as it is about figuring out the pattern around a deal that looks normal. Screening finds the actors that are already known. Monitoring catches the actions. Good investigations link the two. And good SARs make that internal picture useful for police.

A flat list of red flags and a working compliance program are very different things. One tells you what to look for. The other one tells you what to do next.