top of page
  • Writer's pictureDavid Walker

New Front Lines Observed in AML Investigations

Chapter Content

  1. A Sea of Change

  2. The New Front Lines

  3. Conclusion

1. Sea of Change


The year 2022 is proving to be a watershed moment in the history of financial crime enforcement. The war in Ukraine has triggered a Western response in the form of unprecedented economic sanctions, starting with a focus on assets controlled worldwide by the so-called “kleptogarchs”, high-net-worth Russians with ties to the current government. To enforce these sanctions, governments are taking unprecedented steps to present a unified, coordinated front. In March, the US Department of Justice and enforcement agencies of US allies jointly launched an international, interagency group to systematically track the network of individuals and entities controlled by these oligarchs – the Russian Elites, Proxies, and Oligarchs (REPO) task force. In parallel, erstwhile bank secrecy havens such as Switzerland adopted mirror versions of the EU’s sanctions regime, further restricting the number of outlets that could be used to evade international financial crime enforcement.

In short, global financial crime enforcement is clearly entering a high intensity phase. And while the catalyst for this has been the world’s focus on constraining Russia, the enforcement surge promises to shine a spotlight on many pre-existing areas of anti-money laundering (“AML”) compliance risk, including the Iran economic embargo, China economic sanctions related to Hong Kong and Xinjiang policy, narco-trafficking, counter-terrorist financing, and international organised crime. The old risks have not waned. The result is dramatically raised stakes across the board for AML compliance.

At the same time, no one is more aware of this international enforcement surge than the financial criminals themselves. Efforts to evade detection are ramping up to stay ahead of enforcement, as bad actors gravitate towards paths of least resistance. They are seeking new destinations (both geographic and sectoral) and are employing new technologies to transfer value across borders in anonymised, less traceable ways. This chapter offers a high-level overview of some of these rapidly emerging areas of financial crime vulnerability. All companies, not just financial services firms, will need to stay alert to these emerging trends with more robust monitoring, risk identification, and investigation.

2. The New Front Lines


A. Real estate

As regulated financial institutions deploy ever more sophisticated AML detection tools and processes, launderers are increasingly turning to less scrutinised assets with which large amounts of value can be exchanged in a single transaction. For global regulators and law enforcement, top of mind in this category are Real Estate Money Laundering (“REML”) schemes. The United States is the primary REML target. According to a Washington, D.C. think tank, cases reported between 2015–2020 suggest that more than US$2.3 billion was laundered through US real estate during that period, which is likely only a fraction of the total sums laundered through real estate. REML is also prevalent in high-value real estate locations around the world, such as the UK, EU, Canada, Australia, and New Zealand. Real estate is an attractive target in part because of the typically one-off nature of property purchases: sellers tend not to maintain relationships with their clients, making it more difficult to examine for high-risk patterns and identify suspicious activity. Moreover, the agents facilitating real estate transactions – such as lawyers, brokers, and escrow agents – are subject to mild to nonexistent AML scrutiny in G7 countries. Finally, the customary use of special purpose companies in real estate transactions adds a layer of complexity to conducting effective Know Your Customer (“KYC”) diligence.

Global financial crime enforcement bodies are gradually responding to this growing risk. The EU’s 5th Anti-Money Laundering Directive, enacted on 10 January 2020, extends AML regulatory controls to include real estate firms, real estate brokers, estate agents, and rental intermediaries. In the US, the Financial Crime Enforcement Network (“FinCEN”) has turned to Geographic Targeting Orders (“GTOs”) as a monitoring tool. GTOs, launched in 2016 and expanded in October 2021, impose identification and record-keeping requirements on high-value, cash-executed real estate transactions occurring in high-risk locales. FinCEN expects covered real estate businesses to conduct and document “reasonable” due diligence and report unusual activity as needed.

Current GTOs cover counties within the following major US metropolitan areas: Boston; Chicago; Dallas-Fort Worth; Honolulu; Las Vegas; Los Angeles; Miami; New York; San Antonio; San Diego; San Francisco; and Seattle. Studies suggest that GTOs have had a dampening effect on the role of shell companies in purchasing residential real estate, finding that the introduction of GTOs on US title insurance companies led to a 70% drop in corporate entities purchasing loan-free, luxury residential real estate in 2016.

However, there is no shortage of alternative markets where such requirements are not in place. GTOs cover only a handful of the 3,000 counties in the US, and REML attention is turning to secondary markets such as the industrial Midwest – where GTOs are not in effect and customer due diligence is not as robust – to execute high-value cash purchases. As a result, over 60% of REML cases in the US have occurred in non-GTO counties. Moreover, in 2020, Suspicious Activity Reports (SARs) originating from the real estate sector constituted only 0.21% of all SARs issued in the US. GTOs facilitate a national game of AML whack-a-mole. For this reason, with bipartisan congressional support, FinCEN has issued a notice of intent to craft supplemental AML requirements for real estate sales.

With greater government scrutiny on the way, sellers or agents looking to take reasonable measures to detect REML risk can consider these classic indicators:

  • use of unusual, multi-layer special purpose companies and other complex corporate structures that conceal the beneficial owner of the asset;

  • purchase of commercial property without a clear or logical business purpose;

  • prices unusually higher than appraised value; and

  • unexplained use of cryptocurrency and other virtual assets (covered in more detail below).

These indicators, alone or in combination, should spur a more detailed investigation into the ultimate beneficial ownership of the funds to determine whether they originate from, inter alia, politically exposed or otherwise sanctioned or restricted parties.

B. Chinese Underground Banking and tech-enhanced Informal Value Transfer Systems

Whether they are known as Hawala, Fei Chien, or the Black Market Peso Exchange, Informal Value Transfer Systems (“IVTS”) predate the modern banking system. These unofficial systems of exchange, reliant on person-to-person communications to transfer ownership of funds between informal “nodes” in different regions, have been a service to the underbanked around the world. They also serve as an effective vehicle for laundering the illicit funds of narcotics traffickers, terrorists, and international organized crime figures.

These systems are highly dependent on the security of their communications platforms and, as a result, have traditionally been organized along ethnic and regional lines. Today, these lines are blurring with the introduction of sophisticated messaging platforms, encrypted or otherwise, which allow for instant, closed communication between parties anywhere in the world. As a result, IVTS is becoming a tech-enabled, globalized enterprise.

Nowhere is this more apparent than in the emergence of the so-called “Chinese Underground Banking” system. Chinese Underground Banking has rapidly expanded in recent years in response to increasing restrictions and oversight of Money Service Businesses (“MSBs”) in US and European markets, as well as Chinese government efforts to crack down on capital flight from China. It also facilitates the widespread practice of “daigou”, in which Western high-end goods are sold at a profit on Chinese black markets.

This underground system, designed to discreetly handle large amounts of cash, originated as a money transmittal service for the Chinese diaspora. It has been brought to another level of efficiency and security with the introduction of the hugely popular WeChat platform. To call WeChat an instant messaging service is an understatement; rather, it is a multifunctional virtual environment that offers communications and electronic payments to 1.2 billion users, approximately 200 million of them outside of China. And while it does not offer peer-to-peer encryption like WhatsApp, Signal, and Telegram, user information is discoverable only by the Chinese government, not Western law enforcement.

In the Chinese Underground Banking scenario, WeChat acts as a virtual marketplace in which Chinese “controllers” coordinate a network of (i) fronts to collect illicit cash, (ii) processors in the PRC, which can layer the value of the funds with export invoices (a.k.a trade-based money laundering), and (iii) recipient accounts held by front companies in the home countries of money launderers.

The growth of this practice has been a cause of concern for law enforcement in both the US and Europe. US authorities recently dismantled an underground banking ring in New York that was suspected of laundering tens of millions of dollars for Mexican cartels, handling drug cash from as far away as Atlanta. As Chinese shadow banking has reportedly become the service of choice for Mexican cartels, the 2021 US National Defense Authorization Act has tasked the Treasury Department with developing an enforcement strategy tailored to Chinese underground banks. An intelligence assessment from the UK’s National Crime Agency suggests the threat is also significant in the UK, where a single bank identified more than 14,000 compromised bank accounts through which over £100 million was laundered in a single year.

For AML officers at financial institutions, the Chinese Underground Banking system can manifest in customer account activity. As in any laundering scheme, illicit cash is layered in seemingly legitimate bank accounts on the front and back ends. For example, UK law enforcement found that underground banking controllers targeted Chinese students to act as “smurfs”. Recruited on apps like WeChat, students are encouraged to allow their bank accounts to be used for a fee, ostensibly to help other students with money transmittal services. Gradually, the controllers add multiple accounts at different banks and accept larger amounts of money to capture more fees. In one case, a network established 600 such accounts at a single bank. Many participants in the New York ring were college students who deposited hundreds of thousands of dollars in their bank accounts. Livery companies and restaurants were also regularly utilized.

With this in mind, longstanding risk identification methods can still be effective. There are classic telltale signs that may trigger alerts, such as unusual account opening surges concentrated either by location or business type, or balances or transfer that are incongruous with the type of account holder (i.e., the accumulation of hundreds of thousands of dollars in student accounts). As with other money laundering schemes, significant cash deposit or withdrawal activity not commensurate with the account holder or type may also reveal the illicit use of accounts. Commercial or academic recipients of funds should look out for unusual cash activity or third-party payments that are indicative of laundering activity. Understanding the mechanics of an IVTS network, if necessary, with the help of independent investigators hired for the higher risk cases, will help to pinpoint high-risk accounts.

Unfortunately, for the time being, corporate AML officers cannot rely on receiving useful financial intelligence from the Chinese side of the underground banking equation. The Chinese government has recognised the substantial money laundering problem posed by WeChat. Tencent Holdings Ltd. is reportedly facing fines of hundreds of millions of yuan from the People’s Bank of China for violating Chinese AML regulations – such as by ignoring merchant identification requirements – related to the WeChat pay service. However, the Chinese have focused this enforcement activity on domestic money laundering, which does little to help complete the picture of underground banking networks. A basic financial intelligence disconnect between the West and China remains; and, given the current geopolitical climate, it is not likely to improve in the near future. AML officers and corporate compliance officials will need to move forward on their own, using the typologies and trends outlined here to identify suspicious transactions and potentially compromised customer accounts.

C. Crypto: Blockchain-enabled financial crime

Similar to the underground banking systems discussed above, blockchain technology has created ways to circumvent the traditional financial system and, in so doing, create new avenues for both the legitimate and illegitimate transfer of funds on an instantaneous, global basis. This transformation is happening on two fronts: Decentralized Finance; and the rapid adoption of cryptoassets. So-called “Decentralized Finance”, or “DeFi”, allows for direct exchange of cryptoassets – including stablecoins, other cryptocurrency, and non-fungible tokens (“NFTs”) – outside the mainstream financial system and increasingly within the self-contained virtual ecosystem of the “metaverse”. The rapid adoption of cryptoasset products and services by regulated exchanges and financial institutions, and within sectors such as real estate, art, and gaming, shows that cryptoassets are entering the mainstream, with serious implications for AML risk and detection.

Criminals, who have always been early adopters of technology, will no doubt take advantage of the convergence of cryptoassets and regulated financial institutions. No longer relegated to dark web transactions, criminals and sanctioned individuals are finding new ways to transfer illicit funds between the cyber realm and the fiat currency system. At the moment, the two leading methods for doing so are (i) the use of illicit crypto exchanges with few, if any, KYC requirements, and (ii) the use of “money mules”, which hide the source of funds, on legitimate exchanges.

Blockchain analytics firm Chainalysis estimates that $8.6 billion was laundered in “crypto-currency native” transactions in 2021, and that $33 billion has been laundered since 2017. While this is only a small percentage of the $800 billion to $2 trillion laundered annually in fiat currency, it is expected to grow in tandem with the adoption of cryptoassets in the mainstream economy. Also, the international sanctions push related to the war in Ukraine is fuelling crypto-driven sanctions avoidance. Blockchain analysts have observed that crypto-driven laundering activity has been heavily concentrated in a comparatively small number of deposit addresses and exchanges: in 2021, only 583 addresses received 54% of illicit crypto payments by value. However, this is changing rapidly as addresses and exchanges are targeted by organizations such as US Treasury Department’s Office of Foreign Assets Control (“OFAC”), which is prompting these high-value launderers to increasingly turn to DeFi protocols in order to avoid centralized services altogether.

On a related front, another category of cryptoassets – NFTs – has emerged as a high-growth area for laundering of illicit funds. In 2021, sales of art and collectible NFTs – sold on NFT platforms on the Ethereum, Flow, and Ronin blockchains – comprised $11.1 billion of the global reported $65.1 billion in turnover on those platforms. As a point of reference, external sales in these two categories on blockchains were only $4.6 million in 2019. The overall market for NFTs in 2021, which includes other categories such as virtual real estate in the metaverse, is estimated to be $44 billion. One of the suspected drivers of this exponential growth is so-called “wash trading”, i.e., self-sales using related Ethereum wallets, making NFTs perhaps the area of most-pronounced, crypto-based AML risk at the current time.

The global regulatory response is incoming. Most Financial Action Task Force (“FATF”) Member States have regulated cryptocurrency businesses as they have traditional financial institutions and MSBs, requiring them to conduct KYC checks and follow suspicious activity reporting protocols. In the US, FinCEN and various regulatory bodies are considering enacting stricter requirements for transactions involving unhosted wallets not associated with exchanges or other centralized cryptocurrency services. In October 2021, OFAC published sanctions compliance guidance for the virtual currency industry, which emphasises that cryptocurrency companies conducting business in the US will not be treated any differently by OFAC than a US company transacting in traditional currencies and, therefore, they must comply with OFAC sanctions when operating within US jurisdiction. Every institution offering crypto products and services should expect these signals of priority regulatory attention to translate into real-world enforcement activity in the coming months.

So what are some emerging strategies for organizations to effectively monitor crypto-related AML risk? For the time being, any crypto payment should be considered a risk factor that triggers enhanced diligence and oversight on customers and exchanges. Such oversight is complex, but not impossible. Cryptocurrency is broadly misunderstood as an “anonymous” vehicle but, in some ways, crypto addresses – the balances and transaction histories of which are accessible on public blockchains – are more transparent in the public domain than in the fiat currency system and, as such, can be mined for risk-monitoring purposes.

With that in mind, some typical risk factors can be indicative of heightened risk, such as:

  • use of known “tumblers” or “mixing” services – essentially “layering” activity in traditional AML terms – or identified high risk exchanges

  • typical “Money Mule” activity such as routing unusually large transactions to multiple, seemingly unrelated accounts

  • traditional structuring behavior involving multiple transactions just below reporting thresholds, particularly in sectors such as gaming and art

  • linkage between accounts used to purchase cryptoassets and accounts used for illicit purposes, including suspected dark web transactions, ransomware, and other criminal activity.

The challenge is in connecting the dots, using: (i) blockchain analytics to track unusual activity and linkage between suspicious addresses, wallets and exchanges throughout the blockchain; (ii) cluster mapping to pinpoint flows and concentrations between high-risk actors; and (iii) open source intelligence – gathered in-house or with the help of external investigators for more complex matters – to provide context on the identity and reputation of potential illicit wallet holders and exchange operators in the brick-and-mortar world. One thing has become clear: all these tactics need to be utilised in tandem in order to effectively gauge overall AML risk. Launderers are quick to change tactics, so AML risk managers need to keep abreast of the typologies and tools relating to cryptoassets.

3. Conclusion

This chapter has outlined three rapidly developing avenues for money laundering and sanctions avoidance. They present substantially different operational profiles, but all offer money launderers the opportunity to transact with relative anonymity and lack of oversight, compared to more regulated mainstream financial institutions. This is also true for related risk areas not covered in this chapter, such as high-value art, luxury goods, and luxury vehicles. At the same time, new havens for shell and front companies are emerging to help facilitate these transactions, based in the “usual suspect” bank secrecy havens around the world, but also,increasingly, in less obvious jurisdictions such as South Dakota and Delaware. One thing is clear: AML risk is a fast-moving target, requiring a multipronged investigative approach to keep pace with creative and well-resourced financial criminals.


bottom of page