Banks / Depository AML Red Flags

Customer deposits or withdraws cash in amounts just below the $10,000 CTR threshold on multiple days within a short period, with no legitimate business explanation for the pattern.

Multiple customers use the same address or phone number to make cash deposits just below reporting thresholds, suggesting a coordinated network of individuals working for the same structuring scheme.

Wire transfer is sent to or received from a high-risk jurisdiction known for money laundering, with no apparent business, family, or personal connection to that country.

Business customer’s wire instructions are altered via compromised email, redirecting funds to a fraudulent account with a slightly different beneficiary name or account number.

Customer provides identification that appears altered, forged, or inconsistent with the person presenting it, including mismatched photos, expired credentials, or missing security features.

Synthetic identity created using a real Social Security number combined with fabricated personal information opens a bank account, passes ChexSystems, but fails deeper identity verification.

Corporate customer sends wires on behalf of undisclosed principals, or the stated beneficial owner is a nominee shareholder with no independent wealth, employment, or verifiable background.

Transaction patterns show sudden and significant changes in volume, frequency, or typology that are inconsistent with the customer’s established activity profile, suggesting account takeover or new criminal use.

Customer is a money mule: receives funds from multiple unrelated sources and immediately forwards them to other individuals or entities, acting as an intermediary with no apparent economic purpose.

Politically Exposed Person (PEP) or a close associate conducts large cash transactions that appear disproportionate to their known sources of income or legitimate wealth.

Multiple individuals use the same phone number or address to receive wire transfers, with none able to explain the source or purpose of the funds independently.

Funds are sent to or received from individuals, entities, or charities linked to designated terrorist organizations or individuals on OFAC SDN lists.

Customer uses virtual currency exchanges or mixers to obfuscate the origin or destination of funds, particularly involving sanctioned jurisdictions or SDN-listed individuals.

Customer reports that their online account was compromised and unauthorized wire transfers were initiated, with rapid fund movement to overseas accounts and no prior history of international wires.

Customer receives funds and is instructed to convert them to virtual currency and send to a specific wallet address as part of a job offer, romance scheme, or investment opportunity.

PEP or family member maintains accounts with large balances or frequent transactions that cannot be explained by documented salary, business income, or known sources of wealth.

High-risk customer account lacks enhanced due diligence documentation, including missing source of wealth verification, beneficial ownership breakdown, or purpose of the banking relationship.

Customer conducts cash transactions at multiple branches of the same bank on the same day, each branch below the threshold, but the aggregate exceeds the reporting requirement.

Business customer makes frequent large cash deposits that are inconsistent with the nature of the business, particularly when the business type typically does not handle significant cash volume.

Customer consistently exchanges large volumes of small-denomination bills for larger denominations or vice versa, with no stated business or personal reason for the repeated exchanges.

Business customer receives large incoming wires from shell companies with no visible commercial relationship and immediately forwards the funds to unrelated third parties in different jurisdictions.

Customer sends multiple wires to the same overseas beneficiary within a short period, with varying stated purposes that appear inconsistent with the customer’s established profile.

Customer receives a wire from a cryptocurrency exchange and immediately forwards the funds to a different account, with no stated purpose for the rapid movement and no history of crypto trading.

ACH transactions from a business customer show round-dollar amounts with no supporting documentation or invoices, and the receiving entities have no apparent commercial relationship.

Account shows sudden spike in ACH debit activity to previously unknown merchants, particularly in categories associated with sweepstakes, foreign lotteries, or unregistered investment products.

Customer deposits third-party checks made out to multiple different payees but endorses them all in the same handwriting or with identical signature styles, suggesting forged endorsements.

Customer deposits checks drawn on accounts in high-risk jurisdictions or from individuals with no apparent connection to the customer, followed by immediate cash withdrawal or wire transfer.

Customer refuses to provide required identification or provides incomplete or suspicious documentation, such as a foreign passport from a high-risk country with no U.S. visa or residency permit.

Business customer is unable or unwilling to identify its beneficial owners, or the listed owners have no discernible connection to the business operations or industry.

Customer conducts transactions that appear designed to create complex layering, such as rapid conversion of cash to checks to wire transfers within hours, with no legitimate business purpose.

Account shows velocity activity: funds are deposited and withdrawn or transferred within minutes or hours, with no legitimate holding period consistent with normal banking behavior.

Business account receives large deposits from payment processors, fintech platforms, or crowdfunding sites, then immediately wires the funds to unrelated third parties with no commercial explanation.

Account is used to receive unemployment insurance deposits from multiple state agencies using the same SSN, with immediate withdrawal or transfer to a common recipient account.

Customer frequently transacts with or sends funds to countries under OFAC sanctions, FATF high-risk jurisdiction designations, or known money laundering havens, with no legitimate business or family ties.

Customer appears nervous or evasive during routine transactions, avoids eye contact, rushes the process, or attempts to distract staff from normal identification and documentation procedures.

Incoming wire transfers or prepaid card loads from escort services, massage parlors, or short-term rental operations that exhibit patterns consistent with forced labor exploitation.

Charitable or nonprofit customer sends funds overseas without adequate due diligence on the end recipient, particularly to conflict zones or regions with terrorist presence.

Business customer receives payments from entities in jurisdictions subject to comprehensive sanctions, routed through intermediary countries to conceal the true origin of the funds.

Elderly customer is accompanied by a younger individual who dominates the conversation, provides all instructions, and prevents the customer from speaking directly to bank staff.

Business customer’s account shows unauthorized changes to wire instructions followed by large outgoing wires to new, unverified beneficiary accounts with no corresponding legitimate business activity.

Business customer conducts trade-related wire transfers with pricing that is significantly inconsistent with commodity market values, suggesting invoice manipulation or over/under invoicing.

PEP receives wire transfers from a foreign government-owned bank or ministry, with the memo referencing contracts, consulting fees, or services that cannot be independently verified.

PEP uses family members or close associates as account signatories or wire initiators to distance themselves from transactions, particularly for large or frequent international transfers.

Business customer opens an account with minimal documentation, provides no financial statements, and the stated business purpose is vague or inconsistent with the anticipated transaction profile.

Customer brings cash in worn, rubber-banded, or unusually packaged bundles that do not appear consistent with normal banking patterns, and the cash smells of drugs or chemicals.

Personal account receives recurring ACH credits from multiple unrelated employers in different states, with no corresponding tax withholdings or W-2 documentation.

Business customer deposits checks from unrelated companies with memo lines referencing goods or services that do not match the customer’s stated business type or industry.

Customer frequently changes contact information, address, or phone number within short timeframes without explanation, or uses multiple mailing addresses in different states.

Funds are wired to or from a country with weak AML controls, where the stated purpose of the transfer is inconsistent with typical remittance corridors or the customer’s known connections.

Customer makes repeated inquiries about the bank’s reporting thresholds, CTR filing procedures, or how to avoid triggering recordkeeping requirements for cash transactions.

Elderly customer suddenly begins wiring large sums to previously unknown individuals, particularly those claiming to be family members, government officials, or lottery representatives.

Import/export business shows payments for goods that are never shipped, with no corresponding bills of lading, customs documentation, or shipping records to support the transactions.