The ghost in the machine: when low-risk clients go high-risk

Oct 15 / Leonard Nwogu-Ikojo
How does a “low-risk” client quietly become high-risk? In this fictional case study, a small neighbourhood café with a clean history slowly turns into a layering hub, using its trusted profile to disguise illicit flows. Subtle behavioural shifts—rising deposits, round-number transfers, and rapid withdrawals—reveal how risk evolves over time. The case underscores a key AMLR principle: ongoing monitoring is essential. Risk isn’t static—it changes its stripes, and only continuous, human-led vigilance can spot when something ordinary turns suspicious.

This article is intended for educational and informational purposes only and does not constitute legal, regulatory, or professional compliance advice. The scenario and recommendations provided are illustrative and may not capture all applicable requirements or risks in specific cases. Readers should follow their organization’s internal policies, data protection requirements, and seek professional advice tailored to their circumstances.

Case snapshot: the humble local cafe

Max pulled up the file on "The Daily Grind," a small, local coffee shop that had been a client for years. It was a "low-risk" cash-intensive business with modest, predictable daily deposits, no cross-border activity, and no complex ownership. The automated system had it flagged for standard monitoring.

Max's review showed a subtle, disquieting pattern. The cafe's deposits had been slowly creeping up, well beyond seasonal fluctuations. More recently, the deposits were no longer just cash. They were coming from a series of seemingly unrelated accounts, often in small, round-number transfers just below reporting thresholds. These funds would sit for less than 24 hours before being withdrawn via cashier's checks or wire transfers to third parties.

“This is beginning to look like a pass-through account,” Max muttered, squinting at the ledger.

Ella, an expert at spotting these shifts, confirmed his suspicion. "They're a layering hub. The owner is using the low-risk profile as a camouflage. The model is still just looking at the original onboarding data—it's blind to the behavioral change."

Marcus, ever the pragmatist, added, “Well put, Ella! This is where the human element of the first line is crucial. Automated systems may not be tuned to catch subtle behavioral changes, but a trained analyst like Max can connect the dots and see the story behind the numbers.”

Max updated the file, elevating the cafe's risk rating and documenting a clear recommendation for a Suspicious Activity Report (SAR).

Why it matters: ongoing monitoring is the key

The most dangerous financial crime typologies often don't begin with a high-risk profile. They evolve. A seemingly legitimate business can become a vehicle for illicit activity, particularly when:

  • Business activity suddenly deviates from its declared purpose and historical patterns.
  • Transaction volumes or frequencies spike without a clear, legitimate reason.
  • Funds come from or are sent to unrelated third parties, indicating layering or smurfing.
  • Account activity is a "pass-through," with funds entering and exiting quickly without a clear economic purpose.
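The indicators above can be turned into a periodic behavioural check on the account itself, rather than on its onboarding data. The sketch below is an added example, not part of the original article: the threshold, "just below" margin, round-number step, escalation cut-offs and FIFO matching of debits to credits are all assumptions, and the ledger rows are constructed sample data.

```python
from collections import deque
from datetime import datetime as dt, timedelta

# Assumed parameters, not from the article; set them from your own policy.
THRESHOLD = 10_000             # hypothetical reporting threshold
NEAR_MARGIN = 2_000            # "just below" = within this much under it
ROUND_STEP = 500               # "round number" = multiple of this
MAX_DWELL = timedelta(hours=24)

def is_structured(amount):
    """Round-number credit sitting just under the reporting threshold."""
    return THRESHOLD - NEAR_MARGIN <= amount < THRESHOLD and amount % ROUND_STEP == 0

def review(ledger):
    """Score rows of (timestamp, 'in'|'out', amount, counterparty) for one account."""
    lots, rapid, total_in, sources = deque(), 0, 0, set()
    for ts, direction, amount, party in sorted(ledger):
        if direction == "in":
            total_in += amount
            lots.append([ts, amount])          # open a lot of incoming funds
            if is_structured(amount):
                sources.add(party)
            continue
        while amount > 0 and lots:             # FIFO: debits drain the oldest lot
            used = min(amount, lots[0][1])
            if ts - lots[0][0] < MAX_DWELL:
                rapid += used                  # money that left within 24 hours
            amount -= used
            lots[0][1] -= used
            if lots[0][1] == 0:
                lots.popleft()
    ratio = rapid / total_in if total_in else 0.0
    return {"pass_through_ratio": round(ratio, 2), "structured_sources": len(sources),
            "escalate": ratio >= 0.8 and len(sources) >= 3}  # assumed cut-offs

# Constructed sample data: the same account in two review windows.
BASELINE = [
    (dt(2025, 6, 2, 9), "in", 1840, "cash"),
    (dt(2025, 6, 3, 9), "in", 2115, "cash"),
    (dt(2025, 6, 6, 12), "out", 3955, "supplier-a"),
]
RECENT = [
    (dt(2025, 9, 1, 10), "in", 9000, "acct-17"),
    (dt(2025, 9, 1, 11), "in", 8500, "acct-22"),
    (dt(2025, 9, 1, 16), "out", 17000, "third-party-x"),
    (dt(2025, 9, 2, 9), "in", 9500, "acct-31"),
    (dt(2025, 9, 2, 9, 30), "in", 1900, "cash"),
    (dt(2025, 9, 2, 15), "out", 9500, "cashiers-check"),
]
```

Running `review` on each window shows the same customer scoring clean in the baseline period and escalating in the recent one, which is the drift a static onboarding rating cannot see.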

The regulatory lens: the evolving risk profile

Under the AMLR:

  • Article 26 is a core pillar. It requires obliged entities to continuously monitor business relationships and scrutinize transactions to ensure they are consistent with the obliged entity's knowledge of the customer, their business, and their risk profile.
  • This is a fundamental shift from a one-time check to a dynamic, continuous process.

Firms are expected to detect and act on changes in a customer's risk profile over time.

Final thought: the risk that changes its stripes

The story shows how a customer's profile can fundamentally change over time, with the client's account now being used for high-risk, pass-through transactions. It's a comparison between "static risk" and "dynamic risk".

The "risk that changes its stripes" is particularly dangerous because:

  • It's under the radar: The account's history and original low-risk rating act as a camouflage, allowing illicit activity to go undetected by automated systems designed to look for initial red flags.
  • It requires continuous vigilance: This typology highlights that AML is an ongoing process, not a one-time check. The first line, with its human oversight and access to new behavioral analytics, is the crucial defense layer that can spot these subtle, evolving patterns.

As compliance professionals, we must understand our role and responsibilities in the bigger picture.

