Anti-Money Laundering Trends and Challenges

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

In summary

Despite a global decrease in 2021 in AML enforcement actions and penalties, they more than tripled in the Europe, the Middle East and Africa (EMEA) region from the year before. A few EMEA countries maintained momentum in regulatory activity, and the extraterritorial reach of the United States continued. Financial institutions and companies must respond to the continued strengthening of AML enforcement in the region, considering the related challenge of the extensive global sanctions imposed on Russia following the commencement of the war in Ukraine and the resulting movement of capital from Russia into EMEA and beyond.

Discussion points

  • Changing legislative environment in key jurisdictions
  • Recent AML typology trends
  • Push towards AML effectiveness and what it means for regulators and financial institutions
  • Key elements that should be present in a robust AML programme

Referenced in this article

  • EU anti-money laundering directives
  • UK Economic Crime Plan
  • Recent US AML rules
  • FATF mutual evaluation report on the UAE
  • Virtual currencies, digital identity and AML typologies
  • Public–private and private–private information-sharing partnerships
  • FFIEC’s key elements to an AML programme


Enforcement actions and penalties for non-compliance with anti-money laundering (AML) regulations decreased sharply in 2021, reversing the upward trend of the past few years. This is most likely a temporary reprieve arising from regulators’ efforts being hampered by the pandemic.

Global penalties totalled US$5.35 billion in 2021, compared with US$10.6 billion in 2020.[1] Despite this global decrease, Europe, the Middle East and Africa (EMEA) moved in the opposite direction, with a large increase in financial penalties at US$3.4 billion across the region – up from US$1 billion in 2020.

The increase can be traced to a few EMEA countries maintaining momentum in their regulatory activity in 2021, notwithstanding the disruption of the pandemic, as well as the continuing extraterritorial reach of the United States. French regulators issued the highest value enforcement action in the region against UBS for US$2 billion, followed by the United Kingdom (US$688 million), the Netherlands (US$577 million) and Bahrain (US$50.5 million). In addition, US regulators levied a penalty against UAE-based Mashreq for US$100 million.

Financial institutions and companies across EMEA need to plan their responses to the continued strengthening of AML enforcement, considering the related challenge of the unprecedented and extensive global sanctions imposed on Russia following the outbreak of the war in Ukraine and the resulting movement of capital out of Russia into Europe, Dubai and the rest of the world.

This article describes the changing legislative environment and recent typological trends. In addition, we highlight the push towards AML effectiveness and what that means for regulators and financial institutions. Finally, we outline the key elements that should be present in a robust AML programme.

Regulatory changes

European Union

There have been significant advances in money laundering legislation within the European Union, albeit with varying levels of implementation. A series of Anti-Money Laundering Directives (AMLDs) were passed between 1991 and 2021, the most recent of which include the Fifth AMLD (5AMLD) and the proposed Sixth AMLD (6AMLD).

Some of the more prominent additions within 5AMLD included:

  • extending AML rules to additional providers, such as virtual currency exchange service providers and dealers in high-value goods;
  • reducing anonymous prepaid card limits to €150;
  • banning cards issued outside the European Union unless comparable AML regimes are in place in the jurisdiction of issue;
  • making ultimate beneficial owner (UBO) lists public within 18 months;
  • mandating functional public politically exposed persons (PEP) lists; and
  • mandating enhanced due diligence measures to monitor transactions with high-risk countries.

There have been two layers of inconsistency in AML efforts within the European Union. First, AMLDs must be transposed into national law; however, the timeliness of that transposition has been patchy. For example, in February 2020, the European Commission sent letters of formal notice to eight EU countries for not having notified any implementation measures for the 5AMLD, which was updated more than two years prior and had a January 2020 deadline.[2] Even more concerning, in 2021, the European Commission sent letters of notice to Germany, Portugal and Romania for incorrectly transposing the Fourth AMLD (4AMLD), which had a transposition deadline of June 2017.[3]

Second, there have been a series of AML rule breaches in European banks that have raised doubts about the effectiveness of some of the member state supervisors. In some recent AML scandals, country supervisors only took action after the US Financial Crimes Enforcement Network (FinCEN) took special measures[4] or investigative journalists uncovered wrongdoing.[5]

The European Banking Authority (EBA) published a report which evaluated the effectiveness of member state AML supervision where they identified several areas of supervisory weakness, including not assessing control effectiveness versus confirming a prescriptive set of requirements, not taking proportionate and sufficient dissuasive measures, and not working effectively with domestic and international stakeholders.[6]

In July 2021, the European Commission made four AML proposals that promised to address some of the inconsistencies in AML regulations across the European Union.[7] The first proposal was to implement the new EU AML Authority.[8]

The second proposal was a new regulation for AML and combatting the financing of terrorism, transferring some rules related to customer due diligence and beneficial ownership from a directive, which requires transposition into national law, into a regulation, which is a binding legislative act. [9] This proposal also includes establishing an EU-wide limit of €10,000 for large cash payments and expands obliged entities to include cryptoasset service providers, crowdfunding platforms and migration operators.

The third proposal was the 6AMLD, which replaces the previous directive and includes provisions related to national supervisors and financial intelligence units (FIUs).[10] The previous legislation,[11] which harmonised 22 predicate offences across the European Union and extended criminal liability to legal persons, is now viewed as a legislative update in between the 5AMLD and the newly proposed 6AMLD.

The fourth proposal was related to expanding the traceability of cryptoasset transfers via the travel rule.[12]

United Kingdom

The United Kingdom is no longer required to implement EU AMLDs; however, it is likely that it will continue to match, or exceed, the AML rules set by the European Union.

The primary AML legislation in the United Kingdom is set out in the Proceeds of Crime Act 2002; the Terrorist Act 2000; the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017; and the Money Laundering Regulations 2019. A review of AML legislation is currently being carried out as part of the Economic Crime Plan 2019 to 2022, with proposals related to information sharing, the suspicious transaction reports (STRs) regime and AML effectiveness.[13]

A new Economic Crime Bill, thought to have been shelved in January 2022, was quickly drafted and enacted into law on 15 March 2022, following the commencement of the war in Ukraine.[14] Among other changes, the Economic Crime (Transparency and Enforcement) Act 2022 proposes a register for overseas ownership of UK property, making it easier for law enforcement to identify assets held by, for example, sanctioned Russian oligarchs. Under the current system, complex ownership structures, including opaque offshore entities, can be used to obscure true beneficial ownership.

The United Kingdom continues to be active in AML enforcement. The first criminal prosecution of a bank, NatWest, for money laundering concluded in late 2021 with a guilty plea and a penalty of £264 million.[15] The Financial Conduct Authority also levied a penalty of £64 million against HSBC for failings in its AML transaction monitoring systems.[16]

In February 2022, HM Revenue and Customs was the first UK law enforcement agency to seize three non-fungible tokens (NFTs) as part of an investigation into a suspected tax fraud.[17] The three digital artwork NFTs were seized along with other cryptoassets worth approximately £5,000.

United States

The primary legislation in the United States governing AML has grown over time from the Bank Secrecy Act of 1970 (BSA) to the Money Laundering Control Act of 1986, sections within the Patriot Act of 2001 and, most recently, the Anti-Money Laundering Act of 2020 (AMLA). There have also been smaller updates, such as the inclusion of virtual currency providers in 2013 and the Customer Due Diligence Rule requiring verification of customers in 2016.

At the end of 2020, the United States passed a series of acts with significant improvements to the AML rules. Some of those new rules, such as a national beneficial owner registry and whistle-blower protections, bring the United States in line with existing EU rules.

In contrast, there are some rules that exceed those in the European Union and that may affect EU entities. The increased penalties enacted under AMLA are one example. They include prohibitions on knowingly concealing or misrepresenting a material fact from or to a financial institution concerning ownership or control of assets for PEPs or misrepresenting a material fact concerning the source of funds in a transaction that involves an entity that is a primary money laundering concern. [18] The penalties for violating these rules are up to 10 years’ imprisonment or a US$1 million fine, or both.

Another example is the increased authority to subpoena documents from non-US financial institutions. Previously, these subpoenas could be issued to any non-US bank that maintained a correspondent account in the United States for records related to the specific correspondent account. The new statute expands this authority to allow the US Department of Justice (DOJ) to seek ‘any records relating to the correspondent account or any account at the foreign bank, including records maintained outside of the United States’ if the records are the subject of an investigation that relates to a violation of the BSA, a violation of US criminal laws, a civil forfeiture action or a primary money laundering concern investigation (as applied to ABLV Bank in Latvia in 2018).

Essentially, the subpoena powers have expanded from the specific correspondent account to any account at the non-US bank if they fall within one of those investigative categories. If the non-US financial institution fails to comply, the Act authorises the US Treasury to direct the related US financial institution to terminate the correspondent banking relationship, and it can also impose penalties.[19]

United Arab Emirates

The United Arab Emirates (UAE) has taken a number of steps in recent years to improve the AML and counter-terrorist financing (AML/CTF) landscape. Money Laundering was first criminalised in Federal Law No.4 of 2002, now replaced by Federal Law No. 20 of 2018, which provides the fundamental legislative framework that criminalises money laundering and terror financing. In addition, there is a national AML/CTF strategy and action plan that aims to ensure the effective implementation, supervision and continuous improvement of a national framework for the combatting of money laundering and terrorist financing.

Following a mutual evaluation report in 2020, the Financial Action Task Force (FATF) said that ‘fundamental and major improvements’ were still required by the UAE to avoid being placed on the FATF grey list.[20] The country is a major regional and international finance centre, has a significant gold market, extensive foreign property ownership and a sizeable cash-based economy, all of which place the country at high risk for money laundering and terror financing.

In March 2022, the FATF added the UAE to its grey list, which identifies jurisdictions deemed deficient but working with the FATF to improve.[21] The FATF said the UAE has committed to combatting sanctions evasion, increasing resources to use financial intelligence to combat money laundering and demonstrating a sustained increase in investigations and prosecutions of those activities. It further stated that the UAE has ‘made a high-level political commitment’ to strengthen the effectiveness of its regime, and over the past two years ‘has made significant progress . . . to improve its system.’[22]

Virtual currencies

In October 2018, the FATF modified its recommendations to clarify that they apply to virtual assets and that virtual asset service providers should be regulated, licensed or registered, and subject to effective systems for monitoring or supervision. In June 2019, the FATF issued guidance with specific points for regulating digital assets and associated exchanges.[23]

The 5AMLD already requires virtual asset firms and exchanges to apply AML measures, including enhanced know-your-customer (KYC) programmes and reporting obligations. In November 2021, the European Council adopted the Regulation on Markets in Crypto Assets (MiCA), which aims to create a single licensing regime across all EU member states and streamline virtual asset regulation in the European Union for currently out-of-scope crypto-asset types, such as stablecoins and crypto-asset service providers (a term that encompasses more service types). In practice, once a crypto firm is licensed in one EU member state, it can set itself up in other member states without obtaining an additional licence or approval from the local country.

The European Council and the European Parliament are now entering negotiations on the proposal. Most observers expect that the proposal will likely be passed in 2022 and take effect in 2024. Companies in the crypto space welcome the opportunity to operate in all EU countries with less red tape but have also noted that the legislation does not address decentralised finance, which is becoming an increasingly large and important part of the crypto space.

US regulators have been active in enforcement actions against crypto companies. Between 2009 and mid-2021, US regulators imposed US$2.5 billion in penalties relating to crypto assets. The largest portion was from the US Securities and Exchange Commission, but FinCEN levied US$183 million in that time frame.[24]

A few recent examples from FinCEN include a US$100-million civil penalty against BitMEX, a virtual currency derivatives exchange, in November 2021 for failing to implement an AML compliance programme and report certain suspicious activity.[25] Another example is the US$60-million penalty against the operator of virtual currency exchangers Helix and Coin Ninja in October 2020 for failing to register as a money service business, maintain an AML programme and report certain suspicious activity, particularly dark net market transactions.[26]

While the estimate of global money laundering of fiat currency is between US$800 billion and US$2 trillion every year, in comparison it is estimated that money laundering via cryptocurrency is approximately US$33 billion for the entire five-year period between 2017 and 2021.[27] As the use of cryptocurrencies increases, it is important to understand how to combat money laundering for this type of asset but also be aware that it is currently still a relatively small portion of the total value of money laundering that occurs each year.

In addition, owing to the transparent nature of transactions recorded on the blockchain, the prospects for asset forfeiture appear more promising for cryptocurrencies. For example, IRS Criminal Investigation announced that it seized over US$3.5-billion worth of cryptocurrency in 2021, and the DOJ seized US$56 million in a scam investigation plus US$2.3 million from the ransomware group behind the Colonial Pipeline attack.[28]

AML challenges

Identifying UBOs

A critical component in combatting money laundering, and a regulatory expectation, is understanding who the customer is, who the UBOs are and the nature of their business. Determining the UBOs can be notoriously difficult when customers provide false information or use corporate vehicles in secrecy havens. It is timely and costly for compliance personnel to attempt to verify customer-provided UBO information.

Until 2020, most countries did not publish free, public ownership registers, so the information provided to financial institutions was more difficult to verify. Even when these lists are made available, such as with the UK Companies House, the information provided is not consistently verified.[29], [30]

The 5AMLD mandates publicly accessible UBO registers; however, many EU member states have either not established the registers or not made them publicly available.[31],[32] In February 2021, Transparency International led a group of 700 signatories calling on the UN General Assembly to set standards for transparency of beneficial ownership; more specifically, it asked all countries to establish public registers of companies with the names of UBOs.[33]

Leveraging technology

There is a regulatory expectation that institutions monitor customer activity to identify suspicious patterns or behaviour. This can only be achieved when an institution effectively aggregates its data across systems, divisions and geographic locations; however, transactional data is often held in different repositories (eg, card services and deposit operations) and in numerous legacy systems owing to previous acquisitions. If the disparate data could be analysed as a group, it would likely improve the ability to identify potentially unusual transactional activity.

AML detection is often automated, but generally not predictive. If a machine learning (ML) solution was used to analyse the totality of customer and transactional data, entities could begin to identify unusual patterns that are worth investigating before they become known red flags.

Regulators have been encouraging innovative approaches, such as artificial intelligence (AI) and ML to more effectively identify suspicious activity. A joint statement issued by various US regulators in December 2018 encouraged the use of internal financial intelligence units devoted to identifying complex illicit finance threats and experiementing with AI and digital identity technologies.[34]

Utilising digital identity

Two key drivers in digital identity are becoming more prominent: the first is that of the estimated 2 billion unbanked adults worldwide, 360 million are unable to access the formal financial sector owing to insufficient identity documentation.[35] The second is that non-cash transactions are increasing,[36] and this trend is expected to continue.[37]

Digital identity has the potential to provide a high level of assurance regarding identification while protecting privacy. Digital identity can be through a government, such as eID in Estonia and Lithuania, or a financial institution, such as BankID in Sweden and Norway.[38]

Verification systems for digital identification present several risks, as noted in FATF’s Digital Identity guide.[39] Among the risks are identity theft, forged or tampered source documents, misuse of data owing to unauthorised access and the potential for data theft when communicating via the Internet. It is estimated that synthetic identity fraud, where criminals use fake identification to secure credit, is the fastest-growing type of financial crime in the United States and costs lenders worldwide an estimated US$6 billion.[40]

Regulators have implemented rules for reliance on digital identity verification. The 5AMLD states that an obliged entity must identify the customer, which can be based on traditional documentary evidence or information obtained from a reliable and independent source, including electronic identification means.[41] Those electronic identification methods must comply with Regulation (EU) No. 910/2014, which sets out criteria for identity verification services.

The United Kingdom’s Joint Money Laundering Steering Group indicates that digital identification may provide satisfactory evidence of identity on its own, but it must use data from multiple sources across time, incorporate qualitative checks that assess the strength of the information supplied or be performed through an organisation that meets the relevant EU criteria.[42]

Recent typology trends

As AML legislation has become more stringent and financial institutions have correspondingly strengthened their processes, criminals’ preferred methods have shifted. While there are numerous money laundering typologies, this section focuses on four that have received more attention from regulators and appear to be increasing in prominence.

Trade-based money laundering

Trade-based money laundering (TBML) is the process of disguising proceeds of crime and moving value through the use of trade transactions in an attempt to legitimise illicit origins.[43] Of the three broad methods of money laundering (using financial institutions, physically smuggling cash and using the international trade system), the FATF has found that the abuse of the international trade system has historically received relatively little attention.[44] TBML is notoriously difficult to detect because it is integrated into the economy through a trade transaction.

To counter the risk of enabling TBML, companies should assess their risk and consider the relevant red flags. Financial institutions should factor TBML in their risk assessment and implement sufficient controls for reviewing trade documentation supporting letters of credit and how they monitor the payment messages for open trade transactions.[45]

In December 2020, the FATF issued updated guidance regarding TBML,[46] noting that the exploitation of TBML techniques is particularly effective when there is a complicit relationship between the importer and exporter, who are actively misrepresenting the trade or invoice process. It further points out that authorities can have a greater impact if they disrupt these complicit actors through criminal prosecution or removing their authority to trade.


The use of ransomware is increasing in popularity and can be a method to launder money. According to a recent CyberEdge Group survey, 62 per cent of organisations were victimised by ransomware in 2020, up from 56 per cent in 2018 and 55 per cent in 2017. It points out the increase may be fuelled by the dramatic increase in ransomware payments – 58 per cent paid the ransom in 2020, compared with 45 per cent in 2018 and 39 per cent in 2017.[47]

One of the 22 AML predicate offences that was harmonised across the EU within Directive (EU) 2018/1673 is cybercrime, which includes ransomware. In October 2020, the European Union Agency for Cybersecurity issued a threat landscape guidance document regarding ransomware.[48] The document indicated that €10.1 billion was paid in ransom during 2019, more than €3.3 billion more than in 2018, and that 45 per cent of attacked organisations paid the ransom.

In November 2021, FinCEN issued an advisory for financial institutions regarding the increase in ransomware and the associated financial red flag indicators.[49] The advisory points out that ransom is most often paid via virtual currencies. The victim pays the perpetrator via their bank account to a virtual currency exchange. The perpetrator then transfers the virtual currency, typically bitcoin, through several transfers using mixers and tumblers[50] to obscure the money trail or through trasnfer of the virtual currency to an exchange in a jurisdiction with weak AML controls.

Human trafficking and modern slavery

Human trafficking is one of the most profitable criminal enterprises, generating an estimated US$150 billion per annum.[51] Human trafficking from Africa and Asia into Europe is relatively well known, particularly where refugees from war-ravaged countries, including Syria, Iraq and Afghanistan are exploited by traffickers for large sums and subjected to dangerous conditions. Modern slavery, or forced labour, still occurs today, even in Europe, and is becoming more prominent.

FinCEN recently issued an updated advisory regarding human trafficking.[52] It points out that effects of the covid-19 pandemic (eg, travel limitations, shelter-in-place orders and teleworking) may exacerbate the conditions that contribute to human trafficking and affect the existing red flag indicators.

Since the previous advisory in 2014, it identified an additional 10 financial and behavioural indicators of labour and sex trafficking, bringing the total to 20. It notes that human traffickers and facilitators have used front companies, exploitative employment practices, funnel accounts and alternative payment methods to facilitate money laundering. Some of the newly added red flags include frequent transactions with online classified sites based in foreign jurisdictions and the frequent sending or receipt of funds via cryptocurrency to or from darknet markets associated with illicit activity.

Human trafficking and modern slavery fall under environmental, social and governance (ESG) considerations, criteria to which stakeholders, including investors, business partners, employees and consumers, are increasingly looking to assess the holistic performance of a company. Regulators are applying a corresponding increase in scrutiny of these areas, and it is likely that enforcement will also increase.

Illegal wildlife trade

Illegal wildlife trade is a major transnational organised crime, generating criminal proceeds estimated at between US$7 and US$23 billion each year.[53] Wildlife crime has been linked to drug, human and arms trafficking. Similar to human trafficking and modern slavery, the illegal wildlife trade is an important component of ESG considerations and is again likely to see increased attention from both stakeholders and regulators.

A FATF report from June 2020 noted that countries rarely investigate this crime and that neither governments nor the private sector have prioritised efforts to combat this risk.[54] The report states that criminals misuse the legitimate wildlife trade and other import/export businesses as a front to hide illegal proceeds from wildlife crimes. They also note an increase in the role of online marketplaces and mobile and social media-based payments to facilitate movement of proceeds from wildlife crimes.

In the EU, environmental crime, including the illegal wildlife trade, is captured by Directive 2018/1673 as a predicate offence to money laundering. This means that obliged entities should consider illegal wildlife trade in their risk assessment.

The push towards AML effectiveness

There has been a growing drumbeat over the past couple of years for evaluating whether global AML efforts have led to an appreciable reduction in predicate crimes and increased asset forfeiture or merely an increase in the cost of compliance. There has been renewed focus on specific actions that may lead to greater AML effectiveness, such as including risk-based procedures by both regulators and obliged entities, the ability to link an obliged entity’s risk assessment to national AML priorities, continuing to increase information sharing and leveraging technology.

FATF strategic review

This conversation regarding effectiveness versus mere implementation of rules picked up steam when the FATF announced in late 2019 that it was planning a strategic review of its evaluation process. At the time, the executive secretary of the FATF stated that its evaluation of effectiveness focused more on process than outcome.

The executive secretary further stated that the evaluation process is very effective in motivating countries to take action, but the motivation is generally to avoid a bad report rather than reducing harm to society or protecting the integrity of the financial system. He said that the fourth round of FATF evaluations – the first to focus on effectiveness – showed that countries were taking a tick-box approach to regulatory compliance and focusing on processes rather than outcomes.[55]

In the June 2020 FATF Plenary, delegates agreed that the aim of future evaluations would be to make them more timely, have a greater emphasis on effectiveness and strengthen the risk-based elements of the assessment process.[56]

What regulators can do differently

Transitioning from rule-based supervision to risk-based supervision takes time and can be challenging, as the FATF February 2021 Plenary summary stated. It requires a change in supervisory culture where supervisors have an in-depth understanding of the risks that their regulated entities face.[57] The FATF consequently issued risk-based supervisory guidance in March 2021, which focuses on supervisors’ understanding of risk and applying their strategy based on those risks.[58]

There are two key ways in which regulators can take action to support greater effectiveness in countering money laundering. The first is to help financial institutions and other obliged entities by providing guidance on linking the national risk assessment to the entity’s risk assessment.

Detailed risk guidance, along with the entity’s knowledge of its business, is useful to financial institutions and other obliged entities in helping to determine where their risk of money laundering is greatest and how they might mitigate those risks. The 4AMLD mandated that the European Commission conduct an assessment of money laundering and terrorist financing risks affecting the internal market and update it at least every two years.

The most recent EU-wide risk assessment focuses on vulnerabilities at the EU level, both in terms of legal framework and effective application, and provides recommendations for addressing the identified risks.[59] The description of money laundering risks within the European Union is relatively detailed. For example, within the gambling sector, it points out that land-based betting is high risk owing to typically ineffective controls, whereas online gambling is high risk owing to very large numbers of transactions and the lack of face-to-face interaction.

The 5AMLD mandated that member states make the results of their risk assessments available to the European Commission and the other member states, and make a summary version, without classified information, publicly available.

Another way in which regulators can support effectiveness in AML efforts is providing specific feedback regarding STRs. The headlines surrounding the ‘FinCEN Files’ garnered a great deal of attention regarding the volume of STRs that did not appear to result in any action taken.

In fairness, it is unclear how individual STRs are collated with other information and considered by the respective FIU; however, most observers see an excessive amount of low-quality STRs being filed from a defensive position. The penalty for not filing an STR may be great, but there is no penalty for submitting an STR that may not prove warranted or has little probative value.

What financial institutions can do differently

Some areas of improvement that would make financial institutions more effective in combatting money laundering are not within their control, particularly the creation of complete and accurate UBO registers; however, there are two areas where financial institutions can take action: creating and maintaining risk assessments with proper governance and oversight, and sharing information.

The EBA recently issued revised guidance regarding risk factors for money laundering and terrorist financing.[60] The guidelines note that risk assessments should be performed at least annually or more frequently when necessary, and that they should always consider specific sources of information, including the European Commission’s supranational risk assessment referenced above.

Examples of public–private partnerships

United Kingdom

The Joint Money Laundering Intelligence Taskforce (JMLIT) is a partnership between law enforcement and financial institutions. They exchange information related to financial crime, including money laundering.

Since its inception in 2015, JMLIT has supported numerous law enforcement investigations, while the participating financial institutions have identified over 5,000 accounts suspected of money laundering, began 3,500 of their own internal investigations and used the information obtained to enhance their systems of controls and monitoring.

In addition to suspicious accounts, they can also share information related to emerging typologies that may allow financial institutions to identify potentially suspicious behaviour at an earlier stage.


At the encouragement of the Dutch regulator, in 2019 four Dutch banks (ABN AMRO, ING, Rabobank and Volksbank) signed a covenant with the National Police and the FIU to help identify people who facilitate crime. The authorities believe a small group of enablers, financial advisers, tax advisers, notaries, accountants and lawyers play a key role in laundering drug money in the Netherlands. The law enforcement agencies will provide information to the banks, which will compare it with their KYC and transaction data.

Examples of private–private partnerships

Estonian banks

In the wake of the money laundering scandals that recently occurred in Tallinn, Swedbank, SEB, Luminor, LHV, Bigbank, Citadele, OP Bank, Coop, TBB and Inbank all partnered with the Estonian tech company Salv to create an information and data exchange platform. The platform, known as AML Bridge, has thus far prevented up to €3million from reaching criminal-controlled accounts after more than 1,200 ‘collaborative investigations have been undertaken legally, securely, and efficiently across three different use cases – AML, fraud, and sanctions’. [1]

Dutch banks

The three largest banks in the Netherlands (ABN AMRO, ING and Rabobank) began a pilot programme to share KYC information, such as data on beneficial owners and organisational charts, where those clients have consented. They are trying to determine whether this information sharing can reduce costs and give compliance departments access to better, more timely KYC data.

Nordic banks

The five largest lenders in the Nordics (Danske Bank, DNB, Handelsbanken, Nordea and SEB) disclosed plans to share KYC data on large and medium-sized corporates with the goal of streamlining due diligence, similar to the initiative by the Dutch major banks.


The Transaction Monitoring Netherlands (TMNL) partnership between five Dutch (ABN AMRO, ING, Rabobank, Triodos Bank and Volksbank) is operational and will begin joint monitoring of business payment transactions.[2]


[1] Karl Flinders, ‘Estonian anti-money laundering software pilot reaps benefits’, Computer Weekly (16 March 2022).

[2] Transaction Monitoring Netherlands website (

There has been guidance encouraging the sharing of information related to money laundering for quite some time to address this issue. The FATF has made several recommendations, as have some national regulators. There is now an increasing trend of public–private partnerships and, in some cases, financial institutions sharing information directly with each other.

Legislation protecting the privacy of personal data poses challenges to information sharing; however, some regulators are providing assurances regarding information sharing in the AML context.

In December 2020, FinCEN published updated guidance,[61] which gave great latitude in financial institutions’ ability to share relevant information with each other. The guidance specified that the financial institution does not need to have specific information regarding proceeds of a crime or have made a conclusive determination that the related activity is suspicious. It also stated that information on attempted transactions and information that includes personally identifiable information can be shared, and financial institutions are not restricted in their methods of sharing information, including verbally.

Key elements in an AML programme

A study from 2005 showed that in addition to the penalty a financial institution incurs for an AML failure, it also loses share value and business opportunities owing to reputational damage. Furthermore, remediation costs over the first 18 months are typically 12 times greater than the fine itself.[62]

Proactively addressing weaknesses in an AML compliance programme is a smart long-term proposition. The US Federal Financial Institutions Examination Council (FFIEC) publishes a comprehensive inspection manual that outlines the key elements of a BSA/AML programme.[63] The following table identifies key elements from the FFIEC manual and our suggested questions to guide your organisation’s planning.

US FFIEC’s key elements to a BSA/AML programmeKey questions for your organisation to consider
Risk assessment
The risk assessment should identify the specific risk categories applicable to the institution (eg, products, services, customers and geographies) and contain a more detailed description of the specific risks within those categories that are applicable to the institution.
  • Is there a documented risk assessment?
  • Does the risk assessment include all relevant risks?
  • Does the risk assessment consider relevant national or supranational risk assessments?
  • Is there proper governance and oversight of the risk assessment process?
  • How often and under which circumstances is the risk assessment updated?
  • Has the risk assessment considered changes owing to global events (eg, pandemics and wars), specifically differences in staffing and STR?
AML compliance programme
The AML compliance programme should be documented and approved by the board of directors.
  • Is the AML programme properly documented with sufficiently detailed policies and procedures?
  • Are controls in place to ensure compliance with policies and procedures outlined in the AML programme?
  • Do the policies, procedures and controls outlined in the AML programme sufficiently correspond to and mitigate the risks outlined in the risk assessment?
  • Do the controls outlined identify higher-risk operations, provide reporting methods to the board of directors, identify personnel responsible for AML compliance, address record-keeping requirements, implement risk-based customer due diligence (CDD) policies, contain detailed procedures for STR, address segregation of duties and address the process for anomalous transaction reporting?
  • Are AML responsibilities included within job descriptions?
  • Is there an incentive component for first-line employees to act in compliance with the AML programme?
Independent testing
The controls outlined in the AML compliance programme should be subject to independent testing by a suitably experienced person whether from internal audit, external audit, consultants or other qualified parties.
  • Is there independent testing of the AML programme (including risk assessment and controls)?
  • Is the testing performed in a risk-based fashion?
  • Does the testing include evaluation of the risk assessment, policies and procedures, deficiency remediation, training, suspicious activity monitoring and the relevant information systems used within the AML programme?
  • How often does independent testing occur?
  • Are the results of the testing communicated to the board of directors?
  • Do the results of the testing inform future revisions of the AML risk assessment?
US FFIEC’s key elements to a BSA/AML programmeKey questions for your organisation to consider
All relevant personnel should be trained in both regulatory requirements and the entity’s AML policies and procedures. The training should be specific to the organisation; for example, a bank’s training may focus on transaction monitoring whereas a shipping company may focus on how to identify red flags in trade-based money laundering.
  • Does the training cover all relevant personnel?
  • Does the training incorporate lessons learned from their industry or institution?
  • Is the training tailored to the person’s specific responsibilities?
  • Do those charged with overseeing the AML programme receive regular training regarding regulatory requirements?
  • Is the board of directors and executive management informed of their AML regulatory requirements?


AML risk management has become more challenging over time as regulations have become more stringent, and financial institutions, in particular, have faced larger fines where compliance programmes have been deficient.

However, it is also a time in which more detailed guidance is being developed by government [64] and non-government [65] bodies to help build robust AML programmes, technology is being developed to help entities become increasingly sophisticated in their ability to detect and monitor suspicious transactions, and partnerships are being developed to share information that allows for a more comprehensive compliance effort.

When evaluating compliance efforts, entities should be proactive, develop a robust AML compliance programme and pay particular attention to the CDD, UBO and transaction monitoring elements of that programme. As part of this effort, entities should:

  • keep up to date on changing legislation and regulations;
  • consider new and evolving technologies and typologies in the overall risk assessment;
  • where possible, share information when it allows for a more comprehensive solution to identifying money laundering; and
  • understand where to focus efforts to work towards greater AML effectiveness.


[2] Ruby Hinchliffe, ‘European Commission warns eight countries over late AML laws’, Fintech Futures (17 February 2020). The eight countries were Cyprus, Hungary, the Netherlands, Portugal, Romania, Slovakia, Slovenia and Spain.

[3] European Commission, ‘February infringements package: key decisions’ (18 February 2021).

[4] Frances Coppola, ‘Why the U.S. Treasury Killed a Latvian Bank,’ Forbes (28 February 2018).

[11] Directive (EU) 2018/1673.

[18] Section 5335 of the Anti-Money Laundering Act of 2020 (AMLA).

[19] Section 6308 of the AMLA 2020.

[20] Countries on the grey list are those found to have strategic AML deficiencies and will be subject to increased monitoring.

[22] Stephen Kalin and Rory Jones, ‘U.A.E. Placed on Global Watch List for Money Laundering, Terrorism Financing’, The Wall Street Journal (4 March 2022).

[25] In the Matter of HDR Global Trading Limited, 100x Holdings Limited, ABS Global Trading Limited, Shine Effort Inc Limited, HDR Global Services (Bermuda) Limited d/b/a BITMEX, No. 2021-02.

[26] In the Matter of Larry Dean Harmon d/b/a Helix, No. 2020-2.

[28] The Chainalysis 2022 Crypto Crime Report (February 2022).

[30] Pat Sweet, ‘Companies House regime faces major overhaul’, Accountancy Daily (7 May 2019).

[34] ‘Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing’ (3 December 2018), issued by the US Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, FinCEN, the National Credit Union Administration and the Office of the Comptroller of the Currency.

[38] European Union Agency for Cybersecurity (ENISA), ‘eIDAS compliant eID Solutions’.

[40] Bryan Richardson and Derek Waldron, ‘Fighting back against synthetic identity fraud’, McKinsey & Company (2 January 2019).

[41] Directive (EU) 2018/843.

[42] Joint Money Laundering Steering Group, ‘Prevention of money laundering/combating terrorist financing (2020 revised version)’.

[43] FATF, ‘Trade-Based Money Laundering’ (June 2006), page 5.

[44] ibid.

[46] FATF and the Egmont Group, ‘Trade-Based Money Laundering: Trends and Developments’ (December 2020).

[48] ENISA, ‘ENISA Threat Landscape 2020 – Ransomware’.

[49] FinCEN advisory, ‘Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments’, FIN-2021-A004 (8 November 2021).

[50] Services offered to mix potentially identifiable cryptocurrency funds with others to obscure the origin.

[51] Estimate from the International Labour Organization.

[52] FinCEN advisory, ‘Supplemental Advisory on Identifying and Reporting Human Trafficking and Related Activity’, FIN-2020-A008 (15 October 2020).

[53] According to a 2016 UN report.

[59] COM(2019) 370 final, Report from the Commission to the European Parliament and the Council on the assessment of the risk of money laundering and terrorist financing affecting the internal market and relating to cross-border activities (24 Jul 2019).

[60] EBA/GL/2021/02, Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (‘The ML/TF Risk Factors Guidelines’) under Articles 17 and 18(4) of Directive (EU) 2015/849 (1 March 2021).

[63] Federal Financial Institutions Examination Council, BSA/AML Examination Manual (2014).

[65] Basel Committee on Banking Supervision, ‘Sound management of risks related to money laundering and financing of terrorism: revisions to supervisory cooperation’ (2 July 2020).

Unlock unlimited access to all Global Investigations Review content