AML Red Flags that VASPs and FIs should know

Structuring of Funds. Use of Mixers / Tumblers. Doctored identities. What are the AML red flags that you should be aware of? A summary of money laundering and terrorist financing indiciators highlighted by the FATF.


October 15, 2020 · 3 min read

As the use of cryptocurrency / virtual assets continues to rise, the Financial Actions Task Force (FATF) recently published a series of red flag indicators that virtual asset service providers (VASP) and financial institutions (FI) should be aware of. The report is intended to help exchanges, financial institutions and other businesses detect and report suspicious transactions and is based on more than 100 case studies collected through the FATF network.

We view it as a useful document for VASP to check their procedure against and a step towards clearer regulatory policies for cryptocurrency companies to operate in. The report highlights 6 indicators of concern:

  • Anonymity
  • Geographical Risks
  • Transaction Patterns
  • Transaction Size
  • Senders and Recipients Profile
  • Source of Funds or Wealth

As a quick check on whether your compliance regime satisfies the FATF requirements, check out our handy one-page infographic guide.

To cover actionable items that in-house compliance teams could work on, we break down the report into 3 areas: transactions, wallets and profiles.


The FATF found that the following types of transaction behaviour are suggestive of criminal activity:

  • Converting virtual assets into fiat at a significant loss
  • Use funds suspected to be associated with illicit activity
  • Engage virtual asset service providers based in countries with weak AML/CFT regulations
  • Make multiple high volume transactions in a short period of time

Case Study: A South Korea exchange reported that a KRW 400 million transaction was structured as multiple high value transactions into a single wallet. The funds obtained from phishing scams was transferred 55 times through 48 separate accounts held in different service providers before being transferred to a virtual asset wallet held abroad.

Mitigation Strategy: Enhance detection of suspicious transaction activities by using a smart transaction monitoring system that is not only able to detect suspicious amounts but also suspicious transfer patterns.

Enjoying the content?

Subscribe to get updates when a new post is published


The FATF found that the following types of wallet behaviour is suggestive of criminal activity:

  • Unhosted wallets linked to decentralized or P2P platforms
  • Use of anonymity enhancing services
  • Many unrelated wallets associated with a single IP

Case Study: Helix, a darknet based service provider based in the United States provides a mixing or tumbling service transferred over USD 300 million worth of Bitcoin to conceal transactions on the darknet from law enforcement. It partnered with the darknet marketplace AlphaBay until it was shut down by law enforcement in 2017.

Mitigation Strategy: Know your counterparty, thoroughly. This could be done by analyzing the source of funds that flows into a particular wallet to check for the use of mixers / tumblers and enhancing cyber-security services to detect suspicious IP behaviours.


The FATF found that the following types of profiles is suggestive of criminal activity:

  • Profiles with incomplete KYC/CDD
  • False identity information
  • Use of shell companies
  • Users going to extremes to hide their identities

Case Study: Cybercriminals based in the United States hacked an exchange and stole USD 250 million worth of virtual assets. The criminals laundered their stolen funds through various exchanges by using doctored photographs and falsified identity documents to circumvent KYC procedures.

Mitigation Strategy: Engage robust know your customer services that are able to flag out suspicious identity documents. Do not rely only on identity checks as a line of defence against money laundering activities. A well thought out compliance regime should cover KYC, KYT and cyber security practices.

Check out our full infographic which highlights other areas which VASPs and FIs should be aware of.

Interepreting the FATF Recommendations

At first glance, one might think that the recommendations are too onerous and many seemingly innocent transactions would be flagged. The FATF document acknowledges it and states that the indicators should not be the sole determinant as to whether a suspicious transaction report should be filed:

The mere presence of a red flag indicator is not necessarily a basis for a suspicion of ML or TF, but could prompt further monitoring and examination. Ultimately, a client may be able to provide an explanation to justify the red flag indicator, business or economic purposes of a transaction.

How can we come up with a way to flag the "meaningful" red flags? This requires a shift from a rules-based approach to a machine learning / AI-based one.

By training on past historical fraud and scam data, we are able to meaningfully tease out which combination of red flags deserve higher attention and which are typical profiles of users on the platform. Combining this approach with anomaly detection would decrease the number of false positives and increase the number of actual suspicious activities detected.

Talk to us to learn how AI-based fraud analytics could help compliance teams or sign up for a trial and learn how monitoring blockchain transactions could be done more effectively.

Enjoying the content?

Subscribe to get updates when a new post is published