When two red flags collide: dormant meets flow-through

Aug 6 / Leonard Nwogu-Ikojo

A fictional case study of a dormant personal account that suddenly springs to life, moving €75,000 through offshore transfers and crypto exchanges in less than two days—then goes quiet again. What looks like a harmless anomaly quickly reveals a high-risk pattern: dormant reactivation meets flow-through behaviour. This story illustrates how combining seemingly separate red flags can uncover sophisticated laundering activity that single-rule monitoring might miss. As EU AML standards evolve, it’s clear that risk rarely acts alone—and that true detection lies in recognising when multiple warning signs converge.




This article is intended for educational and informational purposes only and does not constitute legal, regulatory, or professional compliance advice. The scenario and recommendations provided are illustrative and may not capture all applicable requirements or risks in specific cases. Readers should follow their organization’s internal policies, data protection requirements, and seek professional advice tailored to their circumstances.

Case snapshot: The account that woke up just to move on

Luc scanned the morning’s transaction monitoring queue and paused on an alert that didn’t look dangerous—at first.

A personal current account, dormant for over 18 months, had suddenly come alive. Within 48 hours, it received three inbound wire transfers totalling €75,000, each from unrelated offshore companies. No notes. No context. Within hours, the funds were wired out again—some to a crypto exchange, the rest to a bank in another EU country.

The balance went back to nearly zero.

Ella pulled up the profile: a former freelance consultant who hadn’t updated their business information in years. Recently, they'd changed their phone number and mailing address—but offered no explanation for the sudden spike in activity.

“Dormant accounts don’t just wake up and become high-speed transit hubs,” Marcus said, leaning over the case notes. “This one’s ticking two boxes: dormant reactivation and flow-through movement. That’s not random.”

Luc filed a Suspicious Transaction Report (STR) and escalated the case for a broader review. It wasn’t just a technical anomaly—it was potentially a laundering pathway hiding in plain sight.

Why combining rules reveals the real risk

Transaction monitoring systems often rely on discrete rules to flag irregular activity. But real-world laundering doesn't happen in neat categories. Criminals often combine techniques—so monitoring systems must do the same.

Rule #1: Dormant account reactivation

This rule triggers when an account previously flagged as dormant (no activity for a defined period) suddenly resumes activity. Reactivation is not inherently suspicious—people restart businesses, receive inheritances, or change jobs—but when reactivation involves unexplained or high-volume flows, it raises risk.

Dormant accounts are prime targets for misuse. This is because they often fly under the radar of routine scrutiny, lack a recent history of legitimate transactions for comparison, and may be operated with compromised credentials or by a money mule—either recruited knowingly or unknowingly.

Rule #2: Flow-through behaviour

Flow-through accounts act as temporary conduits: funds arrive and exit quickly, often without any retained balance or underlying business activity. Red flags include:

  • High-volume inflows and outflows within a short time frame
  • No clear purpose or economic rationale
  • Rapid fund dispersal to multiple third parties
  • No alignment with the known customer profile or declared income

This pattern often shows up in layering, trade-based laundering, and professional money laundering networks.

The power of rule fusion: 1 + 1 = escalation

Alone, each rule tells part of the story:

  • A dormant account coming back online is unusual.
  • A flow-through pattern suggests possible layering.

Together, they form a high-risk scenario that merits immediate review. Why? The dormant account provides stealth and reduced scrutiny, while the flow-through pattern offers speed and camouflage. In combination, they create an ideal channel for quick, untraceable laundering with a significantly reduced chance of early detection.

This approach aligns with the EU’s evolving AML framework, including the recent and forthcoming changes. EBA Guidelines on ML/TF Risk Factors (EBA/GL/2023/03) emphasise the importance of identifying behaviour that departs from a customer’s known profile, citing the sudden activation of a dormant account and unusual transaction patterns. This underscores that a holistic, risk-based view is not just a best practice, but a core component of regulatory compliance.
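The fusion described above can be expressed as two independent rules whose hits are combined into one alert level. The sketch below is an added example, not code from the article or from any monitoring product; the ledger is constructed to mirror the case snapshot, and the thresholds and function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample ledger modelled on the case snapshot (not real data):
# (timestamp, signed EUR amount, counterparty); positive = inbound.
LEDGER = [
    (datetime(2023, 1, 10, 9, 0), -40, "utility-co"),  # last activity before dormancy
    (datetime(2024, 8, 1, 10, 0), 30000, "offshore-co-A"),
    (datetime(2024, 8, 1, 15, 0), 25000, "offshore-co-B"),
    (datetime(2024, 8, 2, 9, 0), 20000, "offshore-co-C"),
    (datetime(2024, 8, 2, 13, 0), -45000, "crypto-exchange"),
    (datetime(2024, 8, 2, 16, 0), -29500, "eu-bank-beneficiary"),
]

# Assumed thresholds; each institution calibrates its own.
DORMANCY = timedelta(days=365)   # gap that marks an account as dormant
WINDOW = timedelta(hours=48)     # time frame for in-and-out movement
MIN_VOLUME = 10_000              # EUR inflow needed before rule 2 applies
PASS_THROUGH = 0.90              # share of inflow leaving inside the window

def reactivation_time(ledger):
    """Rule 1: timestamp of the first transaction after a dormant gap, else None."""
    txs = sorted(ledger, key=lambda t: t[0])
    for prev, cur in zip(txs, txs[1:]):
        if cur[0] - prev[0] >= DORMANCY:
            return cur[0]
    return None

def flow_through(ledger):
    """Rule 2: a WINDOW opening on an inbound transfer sees most inflow leave again."""
    for start, amount, _ in ledger:
        if amount <= 0:
            continue
        win = [a for ts, a, _ in ledger if start <= ts <= start + WINDOW]
        inflow = sum(a for a in win if a > 0)
        outflow = -sum(a for a in win if a < 0)
        if inflow >= MIN_VOLUME and outflow >= PASS_THROUGH * inflow:
            return True
    return False

def score(ledger):
    """Fuse the rules: one hit is 'review', both on the same account is 'escalate'."""
    woke = reactivation_time(ledger)
    # After a reactivation, only post-dormancy activity counts toward rule 2.
    recent = [t for t in ledger if woke is None or t[0] >= woke]
    hits = ["dormant_reactivation"] if woke else []
    if flow_through(recent):
        hits.append("flow_through")
    return ("none", "review", "escalate")[len(hits)], hits
```

Calling `score(LEDGER)` returns the escalated level with both rule names, which gives the analyst the converging signals in a single alert rather than two unrelated low-priority ones.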

Beyond the system: Investigative questions to ask

Luc’s team built their case not only on alerts, but on investigation. They asked:

  • Has the account holder provided a credible reason for reactivation?
  • Are the counterparties known, or linked to higher-risk jurisdictions or industries?
  • Is there any economic rationale for receiving and immediately forwarding funds?
  • Does the customer profile reflect income or transactions of this scale?
  • Could the customer be an unwitting mule?

Answering these questions helped build a compelling STR narrative—not just a description of anomalies, but a hypothesis of laundering behaviour based on converging risks.

Final thought: Risk doesn’t act alone

In AML, isolated alerts are noise. But when two or more risk signals converge—especially across behavioural dimensions—they often signal active criminal misuse.

That’s why modern transaction monitoring must evolve from rule-based to risk-based logic—prioritising scenarios where red flags overlap.

Because sometimes, it's not what the account does—but what it suddenly starts doing, and how fast—that tells you everything you need to know.

