- Jul 02, 2026
Inside AML Investigations: Spotting and Reporting Financial Crime
Learn how AML investigations work: spot suspicious activity, read AML red flags, file SARs and meet AML regulations.

Financial crime is becoming more sophisticated, more international, and more technology-driven, as shown in our latest Identity Fraud Report. Fraudsters now exploit a potent mix of techniques and technologies, including the latest AI-powered tools. In response, regulators are tightening reporting obligations: the EU's new Anti-Money Laundering Regulation (AMLR) widens the scope of entities required to file Suspicious Activity Reports and standardizes reporting formats across member states, while the Payment Services Regulation (PSR) imposes stricter, faster timelines for reporting fraud and unauthorized transactions. The result: compliance teams are expected to detect, document, and submit reports with far greater speed and precision than before.
Against this backdrop, AML investigations remain a critical component of financial crime prevention. Modern compliance teams are expected not only to identify potentially suspicious activity but also to thoroughly investigate, document findings, and determine whether reporting obligations have been triggered. Knowing how to conduct effective AML investigations is, therefore, mandatory for regulated businesses.
Let’s explore how AML investigations work, the scale of the problem we are facing, and what a compliant AML investigation looks like.
What AML investigations involve
Defining an AML investigation
Anti-money laundering investigations are structured reviews of customer activity, transactional behavior, and associated risk indicators used to determine whether financial crime may be occurring.
A typical AML investigation begins when an alert is triggered by transaction monitoring systems, sanctions screening matches, adverse media findings, Customer Due Diligence (CDD) concerns, or internal referrals.
Investigators gather relevant information, including customer profiles, transaction histories, source of funds documentation, beneficial ownership data, and external intelligence. They then analyze this information to determine whether money laundering is taking place and whether escalation is required.
Why AML investigations matter
AML investigations are critical for financial crime prevention. They help to prevent criminals from moving illicit funds through the financial system and ensure law enforcement agencies receive actionable intelligence.
Investigations also play an important role in regulatory compliance. Supervisory authorities increasingly assess not only whether organizations file reports but also whether investigations are conducted effectively and documented appropriately. Weak AML investigative processes can result in enforcement actions, fines, and remediation requirements.
For example, the UK’s Financial Conduct Authority (FCA) fined Barclays Bank PLC over £39.3 million (approximately $52.2 million) in 2025 for failing to adequately manage money-laundering risks. This included failing to act on law enforcement information regarding suspected money laundering involving one of the bank’s clients. This type of tip-off should have triggered an AML investigation, which could have helped Barclays avoid such a substantial fine.
In the US, financial services firm Canaccord Genuity LLC was fined $80 million by FinCEN for failing to implement and maintain an effective AML program as required under the Bank Secrecy Act (BSA). Among the issues uncovered was a failure to review its own trade surveillance reports for months or even years, resulting in missed opportunities to identify suspicious activity.
The global scale of money laundering
Around 2-5% of global GDP is laundered each year, according to one UN estimate. This would be a staggering $2-5.5 trillion based on recent global GDP figures—a huge threat to the global financial system.
Money laundering increasingly involves cross-border networks, with the proceeds of financial crime often moving through multiple countries before being integrated into the legitimate economy. The rise of digital financial services such as instant payments, online banking, and cryptocurrency transactions enables funds to move rapidly across jurisdictions, creating new challenges for investigators and regulators.
How money laundering hurts economies
Money laundering can undermine economic stability, distort markets, weaken institutions, and reduce public confidence in the financial system. For example, banks caught up in money-laundering cases tend to see large drops in equity prices and higher insurance costs, according to research by the International Monetary Fund (IMF).
Money laundering also hits ordinary people in their pockets. Government estimates cited in a Law Commission review suggest it costs every UK household £255 (approx. $335) a year, making this a problem for everyone, not just governments and regulated institutions.
The real cost of non-compliance
The consequences of AML non-compliance extend well beyond regulatory fines. Organizations that fail to maintain effective AML controls increase their exposure to financial crime and face significant legal, operational, financial, and reputational risks.
Regulatory investigations can require firms to implement extensive remediation programs, including overhauling AML policies, upgrading technology, strengthening transaction monitoring, and expanding compliance teams. In some cases, regulators may also impose independent compliance monitors, restrict business activities, or suspend or revoke licenses until deficiencies are addressed.
Non-compliance can also damage customer confidence and business relationships. Financial institutions, payment providers, and other counterparties may be reluctant to work with organizations with a history of AML failures, resulting in lost business opportunities, higher compliance costs, and reduced revenue.
Senior management may also face increased regulatory scrutiny, and in cases involving willful misconduct or facilitation of financial crime, individuals may be subject to civil or criminal enforcement.
Reading AML red flags
AML red flags are indicators that suggest a customer, transaction, or business relationship may be associated with money laundering. While a single red flag does not automatically indicate criminal activity, multiple indicators appearing together often warrant closer scrutiny.
Investigators must understand that red flags are contextual. A transaction that appears unusual for one customer may be entirely consistent with another customer's expected activities. Effective investigations, therefore, require an understanding of customer profiles, risk ratings, expected account behavior, and historical activity.
Red flag indicators explained: FATF and FIU practice
There is no single, universal list of AML red flags. Instead, financial institutions identify suspicious activity using a combination of FATF guidance, FIU publications, supervisory guidance, and jurisdiction-specific regulations. While the Financial Action Task Force (FATF) publishes risk indicators for specific sectors and money laundering and terrorist financing typologies, financial intelligence units (FIUs) regularly issue practical guidance based on suspicious activity reports (SARs), investigations, and emerging financial crime trends.
Although red flag indicators vary depending on the industry, customer profile, and nature of the business, common examples reflected across FATF publications and FIU guidance include:
- Customer-related indicators, such as clients who are highly secretive or evasive about their identity or business activities.
- Source of funds indicators, including the use of multiple bank accounts without a legitimate business justification.
- Corporate structuring indicators, such as complex ownership structures involving multiple offshore companies or trusts, sometimes established through legal professionals.
- Transaction-related indicators, including unusually large transfers, frequent movement of funds through unrelated accounts, or transactions that are inconsistent with the customer's known profile or expected activity.
- Geographic indicators, such as transactions involving jurisdictions subject to sanctions, countries with strategic AML/CFT deficiencies, or regions associated with elevated financial crime risks.
Crypto AML red flags: What investigators should look for
Virtual assets have transformed digital finance, but they have also introduced new challenges for AML compliance. Although most cryptocurrency activity is legitimate, criminals continue to exploit digital assets to launder illicit proceeds, evade sanctions, conduct ransomware attacks, and facilitate other forms of financial crime.
Illicit activity accounts for only a small share of overall cryptocurrency transactions, but its scale remains significant. According to the 2025 Chainalysis Crypto Crime Report, known illicit addresses received at least $40.9 billion in cryptocurrency in 2024—a conservative estimate that is expected to grow as additional illicit wallets are identified. As a result, robust AML controls remain essential for virtual asset service providers (VASPs) and other businesses operating in the crypto ecosystem.
Many traditional AML principles still apply to virtual asset investigations. However, investigators must also recognize blockchain-specific indicators that may warrant further review, including:
- Rapid movement of funds across multiple wallets with no clear economic purpose.
- Transactions involving mixers, tumblers, or other services designed to obscure transaction trails.
- Transfers to or from wallets associated with sanctioned entities or other known illicit activity.
- Frequent transactions with high-risk or non-compliant VASPs.
- Customer activity involving decentralized finance (DeFi) protocols or cross-chain bridges that is inconsistent with the customer's expected behavior or risk profile.
Sanctions and watchlist screening
Although sanctions compliance is a separate legal and regulatory obligation from AML, sanctions and watchlist screening are integral to many AML investigations. They help regulated businesses identify sanctioned and high-risk individuals, entities, jurisdictions, and beneficial owners, reducing the risk of facilitating prohibited transactions or other financial crime.
Screening programs typically compare customer information and transaction data against sanctions lists, Politically Exposed Person (PEP) databases, law enforcement watchlists, and adverse media sources. Potential matches are reviewed by investigators to determine whether they represent true matches or false positives.
Ongoing monitoring is necessary because sanctions lists change frequently, and customers who initially present a low risk may later become subject to sanctions or other restrictions.
Steps in the AML investigation workflow
A typical AML investigation process workflow involves the following steps:
- Alert generated: When customer activity meets the rules set for automated monitoring systems, an alert is triggered, indicating that an investigation is required.
- Initial alert review: Investigators manually review the alert to decide if it represents a genuine concern and whether further investigation is required. Some alerts can be ‘false positives’, meaning no further action is needed.
- Transaction analysis: The specific transactions associated with an alert must be analyzed for patterns, anomalies, inconsistencies with the customer’s background, and unusual behavior that may indicate illicit activity.
- Customer profile review: When an alert requires deeper investigation, Customer Due Diligence (CDD) should be carried out. As part of the review, the compliance officer requests additional information or documentation from the customer.
- Additional information / EDD if required: Enhanced Due Diligence (EDD) may be needed in some cases, e.g., for high-risk customers such as Politically Exposed Persons.
- Case escalation: Where appropriate, a case can be escalated within a company, for example, to the Money Laundering Reporting Officer (MLRO).
- SAR decision: When investigators decide that a case meets their FIU’s reporting criteria, they must file a Suspicious Activity Report (SAR), or another FIU report depending on the jurisdiction, with the appropriate authorities.
- Additional actions: If money laundering or other suspicious activity is confirmed, other actions may be required, such as freezing customer accounts, cooperating with law enforcement, and taking any additional legally required compliance measures.
- Recordkeeping: The investigation process, its findings, and all actions taken must be properly documented for compliance and regulatory reporting purposes.
- Ongoing monitoring: Following an investigation, customers and transactions should be monitored to minimize the risk of future financial crime.
Analyzing suspicious activity
Effective analysis requires more than reviewing individual transactions. Investigators often examine transaction patterns over time, relationships between counterparties, geographic exposure, account usage, source of funds information, and customer risk profiles. Social network analysis may reveal connections between accounts that would otherwise remain undetected.
Context is critical. A large transfer may appear suspicious in isolation but be entirely reasonable for a corporate customer conducting international trade. Conversely, a series of smaller transactions may reveal structuring behavior designed to avoid reporting thresholds.
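The two cases in the paragraph above can be expressed as monitoring logic. The following Python sketch is an added example, not code from the article or from any vendor's product; the threshold, window, account names, profile fields, and transactions are all constructed assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed values for illustration only. Real thresholds and look-back windows
# come from the firm's jurisdiction and monitoring policy, not from the article.
REPORTING_THRESHOLD = 10_000       # single-transaction reporting threshold
WINDOW = timedelta(days=3)         # rolling look-back window
NEAR_FRACTION = 0.5                # ignore amounts below 50% of the threshold
MIN_COUNT = 3                      # minimum transactions to call it a pattern


@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    amount: int


@dataclass(frozen=True)
class Profile:
    segment: str        # e.g. "retail" or "corporate"
    expected_max: int   # largest single transfer consistent with expected activity


def large_transfer_alerts(txns, profiles):
    """Context check: a transfer is flagged only when it exceeds what the
    customer's own profile says is expected, not because it is large."""
    return [t for t in txns if t.amount > profiles[t.account].expected_max]


def structuring_alerts(txns):
    """Aggregation check: flag accounts whose sub-threshold transactions sum
    past the threshold inside one rolling window.
    Returns {account: (count, total)} for the first window that trips."""
    alerts = {}
    windows = defaultdict(deque)
    totals = defaultdict(int)
    for t in sorted(txns, key=lambda t: t.when):
        if t.amount >= REPORTING_THRESHOLD:
            continue  # reportable on its own, not part of a structuring pattern
        if t.amount < NEAR_FRACTION * REPORTING_THRESHOLD:
            continue  # small everyday activity would only add false positives
        win = windows[t.account]
        win.append(t)
        totals[t.account] += t.amount
        # Drop transactions that have aged out of the look-back window.
        while t.when - win[0].when > WINDOW:
            totals[t.account] -= win.popleft().amount
        if (t.account not in alerts and len(win) >= MIN_COUNT
                and totals[t.account] >= REPORTING_THRESHOLD):
            alerts[t.account] = (len(win), totals[t.account])
    return alerts


# Constructed sample data (not real accounts or transactions).
PROFILES = {
    "ACC-CORP-1": Profile("corporate", 500_000),
    "ACC-RETAIL-1": Profile("retail", 15_000),
    "ACC-RETAIL-2": Profile("retail", 15_000),
}
SAMPLE_TXNS = [
    # Large but in line with an international-trade corporate profile.
    Txn("ACC-CORP-1", datetime(2025, 1, 6, 10, 0), 250_000),
    # Same amount on a retail profile: inconsistent with expected activity.
    Txn("ACC-RETAIL-2", datetime(2025, 1, 6, 11, 0), 250_000),
    # Two sub-threshold deposits two weeks apart: no pattern in the window.
    Txn("ACC-RETAIL-2", datetime(2025, 1, 6, 12, 0), 6_000),
    Txn("ACC-RETAIL-2", datetime(2025, 1, 20, 12, 0), 7_000),
    # Each deposit looks unremarkable alone; together they exceed the threshold.
    Txn("ACC-RETAIL-1", datetime(2025, 1, 6, 9, 0), 9_500),
    Txn("ACC-RETAIL-1", datetime(2025, 1, 6, 15, 0), 9_200),
    Txn("ACC-RETAIL-1", datetime(2025, 1, 7, 10, 0), 9_800),
    Txn("ACC-RETAIL-1", datetime(2025, 1, 8, 11, 0), 9_400),
]

if __name__ == "__main__":
    for t in large_transfer_alerts(SAMPLE_TXNS, PROFILES):
        print("profile mismatch:", t.account, t.amount)
    for account, (count, total) in structuring_alerts(SAMPLE_TXNS).items():
        print("possible structuring:", account, count, "txns totalling", total)
```

Both outputs are alerts for an investigator to review against the customer's profile and history, not conclusions.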
Filing Suspicious Activity Reports
When an investigation identifies activity that cannot reasonably be explained through legitimate business or personal circumstances, organizations may be required to submit an FIU report: a Suspicious Activity Report (SAR), a Suspicious Transaction Report (STR), or an equivalent filing. Regulators and financial intelligence units rely on these reports to identify criminal activity, support investigations, and develop broader intelligence assessments.
The effectiveness of a SAR depends heavily on the quality of information provided. A well-written report should explain what occurred, why the activity is suspicious, who was involved, when relevant events took place, and how investigators reached their conclusions.
Organizations should establish clear escalation and approval procedures to ensure reporting obligations are met consistently. Timeliness is also important, as delayed reporting may reduce the value of intelligence provided to authorities, and regulators typically set reporting deadlines that must be met.
In addition to filing requirements, organizations must maintain records supporting investigative decisions and reporting outcomes. Comprehensive documentation helps demonstrate compliance and facilitates future reviews.
Reporting to FinCEN with a SAR
In the United States, regulated entities submit Suspicious Activity Reports to FinCEN, the country's FIU. FinCEN has set out clear guidelines for submitting SARs, including which institutions are obliged to file them, and has set a 30-day reporting deadline after initial detection.
Reporting to NCA
In the United Kingdom, Suspicious Activity Reports are submitted to the UK Financial Intelligence Unit (UKFIU), which operates within the National Crime Agency (NCA). The UKFIU updated its guidance on SARs in 2025 to include best practices for using its SAR Portal, submitting SARs, and understanding Defence Against Money Laundering (DAML) and Defence Against Terrorist Financing (DATF) requests.
Reporting to FIUs globally
Financial intelligence units, or FIUs, operate in most jurisdictions and serve as central hubs for receiving, analyzing, and disseminating SARs and equivalent reports such as Suspicious Transaction Reports. Although reporting requirements vary between countries, the fundamental objective remains consistent: providing actionable financial intelligence to combat financial crime.
For multinational organizations, managing reporting obligations across different regulatory environments can be challenging. Compliance teams must understand local reporting thresholds, timelines, documentation requirements, and confidentiality obligations.
Strong governance frameworks help ensure consistency and accommodate jurisdiction-specific requirements. Case management software with automated report-generation capabilities can also help if it allows reporting rules to be easily adapted to different jurisdictions.
Case management in AML investigations
Effective case management is the foundation of a well-governed AML investigation program. Organizations must be able to conduct investigations consistently, properly document decisions, and easily retrieve supporting evidence during audits and regulatory investigations.
Case management systems provide a centralized environment for managing alerts, investigations, escalations, and reporting obligations. They enable clear ownership of cases and specific tasks, defined escalation paths, evidence collection procedures, and audit trails.
Comprehensive documentation remains particularly important. Regulatory authorities frequently review case files to assess whether organizations appropriately identified, investigated, and escalated suspicious activity. Well-maintained records help demonstrate that decisions were risk-based, evidence-driven, and aligned with internal policies.
AML compliance programs
AML investigations do not operate in isolation. They form part of a broader AML compliance framework designed to identify, assess, monitor, and mitigate financial crime risks across an organization.
An AML compliance program encompasses the policies, procedures, and controls an organization implements to prevent money laundering and terrorist financing. It typically includes employee training, CDD, ongoing monitoring, recordkeeping, the detection and investigation of suspicious activity, and suspicious activity reporting.
Challenges in AML investigations
AML investigations are getting harder, not easier. Transaction volumes keep climbing, regulators keep raising the bar, criminals keep refining their methods, and most teams are doing the work without the headcount they'd want. Here are some ongoing challenges compliance teams face:
Effectiveness versus efficiency. Every investigation has to be thorough, but monitoring systems throw off far more alerts than any team can chase by hand, and most of them lead nowhere. High false-positive rates burn analyst hours and slow down the cases that actually matter. This is where automation earns its place: it clears the routine noise so investigators can spend their time on the alerts that warrant it.
Data fragmentation. The information needed to close a case is rarely in one place. Investigators often have to pull together transaction records, customer files, sanctions hits, adverse media, and external intelligence from separate systems, departments, and jurisdictions before they can reach a conclusion.
Regulatory complexity. A business operating across borders has to satisfy different rules in each market while keeping its investigative standards consistent. Sanctions lists shift, reporting obligations change, and AML rules get revised—so the process has to keep adapting. AML software that can be configured per jurisdiction takes some of that weight off.
Evolving criminal methodologies. New payment rails, digital assets, and laundering techniques mean investigators can't lean on last year's playbook. AI-assisted tools help teams keep pace with both the methods and the volume.
Complex financial transactions
Complex financial transactions often represent some of the most challenging cases investigators encounter. Criminals frequently use layered transaction structures, multiple intermediaries, shell companies, and cross-border transfers to obscure the origin and destination of funds.
Investigating complex transactions relies on methods including advanced analytics, network analysis, and integrated data sources to uncover hidden relationships and transaction patterns. Data must be collected and forensically analyzed, and the movement of funds traced to determine the original source. AML teams can then determine whether the funds have a legitimate source or are likely to be proceeds of crime.
Meeting international AML standards
International organizations, such as global financial institutions, must navigate a complex landscape of national regulations while maintaining compliance with international AML standards. Jurisdictions do implement AML requirements differently, but the FATF Recommendations continue to serve as the primary global benchmark.
Meeting international standards requires more than implementing minimum regulatory requirements. Organizations should adopt a risk-based approach that aligns policies, controls, and investigative procedures across jurisdictions while accounting for local differences.
Organizations that align their compliance programs with international best practices are often better positioned to adapt to regulatory changes and maintain consistent standards across global operations.
Making AML investigations more efficient
The growing volume of alerts and increasing complexity of financial crime have made efficiency a strategic priority for compliance teams. Organizations must investigate potential risks thoroughly while managing resources effectively and maintaining regulatory standards.
Efficiency begins with a risk-based approach. High-risk alerts should receive immediate attention, while lower-risk cases may require simplified review procedures. This approach helps organizations focus resources where they can have the greatest impact.
Automation can also improve efficiency by reducing manual tasks. Automated data collection, screening updates, workflow routing, and alert prioritization help investigators spend more time analyzing risk and less time performing administrative activities.
Data quality is another important factor. Incomplete or inconsistent customer information often increases investigative workloads and slows decision-making. Strong onboarding controls and ongoing data maintenance can significantly improve investigation outcomes.
Ultimately, efficient investigations are not simply faster investigations. The objective is to improve effectiveness, consistency, and decision quality while reducing unnecessary manual workloads.
Using AML compliance platforms
Integrated AML compliance platforms bring customer data, monitoring results, screening outcomes, and investigative workflows into a single environment.
That consolidation cuts across operational silos: investigators can pull customer profiles, transaction histories, sanctions screening results, and case records without switching between systems, and information moves more freely across teams as a result.
Advanced AML platforms increasingly build in analytics, machine learning, and automation to help identify unusual behavior, prioritize alerts, and surface hidden relationships. Human judgment still matters, but technology now does much of the heavy lifting in terms of scalability and consistency.
Ongoing monitoring and updates
AML compliance is not a one-time activity. Customer risk profiles, transaction behavior, sanctions lists, and financial crime threats continue to evolve, requiring organizations to maintain ongoing monitoring programs.
Continuous monitoring enables organizations to identify changes that may warrant additional investigation. Examples include sudden increases in transaction volume, changes in ownership structures, new adverse media findings, sanctions list updates, or unexpected geographic exposure.
Regular reviews of transaction monitoring rules, alert thresholds, and investigative procedures are equally important. As criminal methodologies evolve, organizations must ensure that their controls remain effective and aligned with current threats.
AML training and team readiness
Technology can't replace skilled investigators. Effective AML training programs depend on staff who understand regulatory requirements, investigative methodology, emerging threats, and internal procedures.
Training should run continuously, not just at annual refreshers. Investigators need regular updates on regulatory developments, new typologies, sanctions changes, crypto-related risks, and lessons from recent enforcement actions.
Scenario-based training is particularly effective: it forces investigators to apply theory under conditions that resemble real casework. Cross-functional exercises that pull in compliance, legal, operations, and risk teams test whether that knowledge holds up when a case crosses departmental lines.
AML investigations FAQ
- What is an AML investigation?
An AML investigation is a structured process used to review suspicious activity and determine whether financial crime risks may be present. Investigators assess available information to determine whether activity appears consistent with a customer's expected profile and whether regulatory reporting obligations may have been triggered.
- What is a Suspicious Activity Report?
A Suspicious Activity Report (SAR) is a formal disclosure submitted to a financial intelligence unit or competent authority (such as FinCEN in the US) when an organization identifies activity that may be linked to money laundering, terrorist financing, fraud, sanctions evasion, or other criminal conduct. Although terminology varies between jurisdictions, the term SAR is widely used.
- What is a SAR?
SAR stands for Suspicious Activity Report—a formal report submitted to a financial intelligence unit (FIU) or other competent authority when an organization detects activity that may be linked to money laundering, terrorist financing, fraud, sanctions evasion, or other criminal activity.
- What is AML compliance?
AML compliance refers to the policies, procedures, controls, technologies, and governance frameworks organizations use to prevent, detect, and report money laundering and related financial crimes. AML compliance processes typically include customer due diligence, beneficial ownership verification, transaction monitoring, sanctions screening, risk assessments, suspicious activity reporting, independent testing, and employee training.
- What is money laundering?
Money laundering is the process of disguising the criminal origin of funds so that they appear to come from legitimate sources. The objective is to enable criminals to use illicit proceeds without attracting attention from law enforcement agencies, regulators, or financial institutions.