Money Laundering Typologies and Audit Indicators

The three-stage model is the primary analytical framework used by forensic auditors, financial intelligence analysts, and AML compliance teams worldwide. It was first articulated by the Financial Action Task Force (FATF) and remains the organising structure in FATF's typologies reports. Each stage has distinct characteristics that translate into specific audit indicators.

In practice the stages overlap and may not be clearly sequential. A cash-intensive business used to commingle illegal proceeds with legitimate revenue simultaneously places and begins to integrate: the illicit cash is deposited alongside real revenue and the combined amount is reported as legitimate turnover. Recognising which stage is in play determines which data sources and analytical methods the auditor prioritises.

Real estate is a preferred integration mechanism because property transactions involve large single values, have a degree of price opacity in private markets, and produce a titled asset that can be sold later to generate apparently legitimate sale proceeds. The typology takes several forms: outright cash purchase to avoid the financial system entirely; purchase through a chain of entities that obscures the beneficial owner; use of a mortgage to create a loan repayment mechanism that converts illicit funds to legitimate mortgage interest income; and over-valuation or under-valuation to transfer value between parties.

The audit indicators in a real estate transaction include: a purchase price that deviates materially from comparable market values with no documented explanation; a buyer who is a legal entity with no apparent operational history; funds arriving from a jurisdiction with no apparent commercial connection to the parties; multiple intermediary entities between the ultimate buyer and the title; and a rapid resale at a price that does not reflect market movements. In the UK, HM Revenue and Customs requires estate agents and conveyancers to conduct customer due diligence under the Money Laundering Regulations 2017. In the US, FinCEN's Geographic Targeting Orders have required title insurance companies in designated metropolitan areas to identify the beneficial owners behind all-cash real estate purchases.

Forensic auditors examining a suspected real estate laundering case will typically trace the funding chain from the purchase price backwards through wire records, bank statements, and corporate registrations. The goal is to identify either the original source of funds or a gap in the chain where records are unavailable or implausible. India's PMLA specifically designates real estate transactions above defined thresholds as requiring AML compliance by real estate agents, placing India's framework broadly alongside the EU and UK approaches.

Trade-based money laundering (TBML) exploits the volume and complexity of international trade to move value across borders under the cover of legitimate commerce. The FATF estimates TBML represents one of the largest mechanisms for laundering criminal proceeds globally, though the inherent difficulty of detection makes precise quantification impossible. The core mechanism is a deliberate mismatch between the price, quantity, or description of goods in the trade document and their actual commercial value.

The main TBML variants are: over-invoicing of exports (the exporter receives more payment than the goods are worth, transferring value to the exporter's jurisdiction); under-invoicing of imports (the importer pays less than market value and the difference remains offshore with a co-conspirator); multiple invoicing (the same shipment is invoiced and paid more than once through different financial channels); falsification of quality or quantity (goods are described at a higher grade or larger quantity than shipped); and phantom shipments (payment is made for goods that were never shipped). Each variant requires a complicit party on at least one side of the transaction.

Audit indicators for TBML include invoices priced significantly above or below published commodity prices with no documented quality or logistical justification; payment routing that does not follow the physical trade route (payment from a third country with no apparent connection to the transaction); multiple payments or documents for a single shipment; counterparties in jurisdictions identified by FATF as high-risk or non-cooperative; and a pattern of transactions where the same two entities repeatedly transact at inconsistent prices. Joint analysis between trade and financial records is the core forensic technique.

A shell company is a legal entity incorporated to hold assets or pass funds through an ownership chain without conducting genuine commercial activity. Used legitimately for tax planning, holding structures, and joint ventures, shells become a laundering tool when stacked in multiple jurisdictions to make tracing the ultimate beneficial owner prohibitively difficult. The layering stage of money laundering almost always involves shell structures: funds move from Company A in Jurisdiction 1 to Company B in Jurisdiction 2 to Company C in Jurisdiction 3, with different nominee directors and no common personnel, before arriving at the destination account.

Jurisdictions differ in their disclosure requirements. The UK's Persons with Significant Control (PSC) register, maintained by Companies House, requires UK companies to file the name and details of any person who owns more than 25% of shares, controls more than 25% of voting rights, or has the right to appoint or remove the majority of the board. The EU's successive AMLD directives have progressively extended similar requirements across member states, with the 5th AMLD requiring member states to make beneficial ownership registers publicly accessible. The US Corporate Transparency Act, which came into full effect in 2024, requires most US companies to file beneficial ownership information with FinCEN. India's Companies Act 2013 (Section 90) requires disclosure of significant beneficial ownership, and the Ministry of Corporate Affairs has introduced the Significant Beneficial Owner (SBO) rules.

Forensic auditors tracing shell structures use a combination of commercial corporate intelligence databases (such as LexisNexis, Bureau van Dijk Orbis, or OpenCorporates), formal Mutual Legal Assistance Treaty (MLAT) requests for records held in foreign jurisdictions, and direct registry searches in each jurisdiction where an entity appears. The analytical output is a beneficial ownership map showing each layer of the structure and identifying the natural persons at each node, with the ultimate beneficial owner at the apex. Gaps in the chain, where a record is unavailable or a nominee cannot be verified, are documented as limitations and may themselves constitute evidence of obfuscation.

Audit indicators for shell company abuse include entities with no employees, no premises, and no operational history; nominee directors appearing on large numbers of unrelated companies; incorporation dates that immediately precede the transaction under review; and fund flows that pass through multiple entities with no discernible commercial purpose at each step. The ACFE Fraud Tree and Scheme Classification places shell company corruption schemes within the corruption and financial transaction fraud categories, and auditors should cross-reference that taxonomy when classifying findings.

Transaction monitoring in an AML compliance audit assesses whether the institution's systems and processes are actually identifying suspicious activity. In a forensic investigation, the auditor conducts the monitoring directly against the bank records or financial data under review. In both contexts the underlying indicators are the same, but the purpose and output differ: compliance monitoring produces a control assessment; forensic monitoring produces evidence.

The primary transaction-level red flags recognised across FATF, FinCEN, the Financial Conduct Authority, and equivalent guidance include structuring (multiple deposits just below the reporting threshold); velocity anomalies (a dormant account that suddenly begins high-frequency transactions); round-sum transfers with no invoice or business rationale; payments to or from high-risk jurisdictions on the FATF or EU high-risk third country lists; transactions between entities with no apparent commercial relationship; and a rapid in-out pattern where funds arrive and depart within a short window without any operational purpose being evident.

Data analytics tools have become central to transaction monitoring in forensic work. Link analysis maps relationships between accounts, entities, and individuals across a large transaction dataset. Benford's Law analysis identifies statistical anomalies in the first-digit distribution of transaction amounts that may indicate manipulation. Time-series analysis identifies transaction frequency and timing patterns inconsistent with stated business activity. These techniques, applied to bank records, accounting system exports, or payment processor data, are covered in greater depth in the Evidence Gathering Methods in Fraud Examinations topic.

Forensic auditors are often retained not to investigate the laundering itself but to assess why the institution's AML controls failed to detect it. Regulators in the US, UK, and EU have imposed substantial penalties on financial institutions for AML control failures, and post-incident forensic work is a standard component of the regulatory response. The engagement scope typically covers: the transaction monitoring system's parameterisation (were the alert thresholds set appropriately, and were they reviewed periodically); customer due diligence quality (were enhanced due diligence requirements applied to high-risk customers, and was beneficial ownership actually verified); the suspicious activity reporting process (were alerts escalated and reported, or were they suppressed); and governance (did senior management and the board receive adequate reporting on AML risk).

The concept of predication, which requires some basis for initiating a forensic engagement before investigation begins, is directly relevant here. In an AML context, predication may come from a regulatory examination finding, a whistleblower report, a suspicious transaction report filed by a counterparty institution, or a law enforcement inquiry. The Predication and Engagement Planning topic addresses how forensic engagements are structured once predication is established.

A forensic AML engagement report documents control gaps with specific transaction evidence, identifies the typologies exploited through those gaps, quantifies the value of transactions that should have generated alerts but did not, and assesses whether the control failures were systemic or isolated. The report may be shared with a regulator as part of a remediation plan, used in civil recovery proceedings, or provided to law enforcement. Unlike a compliance audit report, which may be privileged and kept within the institution, a forensic AML report produced for litigation is likely to become a disclosed document and should be written accordingly.