Anti-Money Laundering | Red Flags to watch our for

Money laundering rarely looks like it does in the films. More often, it looks like an awkward first conversation, a customer who will not answer basic questions, or a payment that arrives from a place you did not expect. That is why anti-money laundering (AML) red flags matter. They help UK businesses spot suspicious behaviour early, protect themselves from being used to move criminal funds, and meet duties under the UK AML regime, including the Money Laundering Regulations 2017 and related reporting expectations.

This guide is for SMEs and regulated firms – including accountants, estate agents, solicitors, lenders and fintechs – that want practical indicators staff can recognise during onboarding and day-to-day work. It covers customer, transaction and documentation warning signs, explains how risk factors like high-risk jurisdictions and Politically Exposed Persons (PEPs) change your approach, and shows what ‘source of funds’ and ‘source of wealth’ checks should look like in practice. You will also learn how to triage concerns, record decisions, escalate to the Money Laundering Reporting Officer (MLRO), and understand when a Suspicious Activity Report (SAR) may be required.

For official reference points, keep these handy: the Money Laundering Regulations 2017, the JMLSG guidance, and the NCA SARs overview.

AML Red Flags: Quick Overview

AML red flags are patterns that increase the likelihood a customer, transaction or relationship involves criminal property, terrorist financing or sanctions evasion. A red flag does not prove wrongdoing. Instead, it tells you to slow down, ask sensible questions and apply the right control.

Red flags work best when they are tied to your business model. A conveyancing team expects a large one-off payment. A payments fintech expects many small transfers. An accountant expects messy records sometimes, but not a complete refusal to explain a business. So, ‘suspicious’ always lives in context.

In practice, red flags cluster into five areas:

Customer and behaviour indicators (how they act, respond and explain).
Transaction indicators (value, frequency, speed, geography and counterparties).
Evidence issues (documents that do not line up with the story).
Higher-risk categories (high-risk jurisdictions, PEPs, sanctions exposure).
Channel and product risks (cash-heavy activity, remote onboarding, crypto).

A simple rule of thumb helps staff: one small oddity can be normal. Two or three connected oddities deserve escalation.

Customer Behaviour Red Flags

Suspicious behaviour often looks like avoidance. The customer wants the benefits of your service, yet resists the checks that make the relationship safe. Staff do not need to ‘diagnose’ intent. They simply need to notice patterns and respond consistently.

Refusal, delay or obstruction of basic checks

If a customer pushes back hard on standard due diligence, treat it as meaningful. Someone with legitimate reasons will usually explain them. Someone laundering funds often tries to create urgency and move you past the point where you can ask questions.

Common behaviours include:

“I do not have time for this” when you request routine ID or ownership details.
Repeated delays providing documents, paired with pressure to proceed anyway.
Attempts to negotiate your controls (“Just accept this screenshot”).

Inconsistent stories across channels

Criminals often test organisations by giving slightly different stories to different teams.

Look for:

A mismatch between what sales heard and what onboarding is told.
Contact details that keep changing with no clear reason.
Reluctance to use any channel that creates a clear record (e.g. refusing email confirmations).

Unexplained third parties controlling the relationship

Intermediaries can be legitimate, yet unexplained intermediaries are a classic risk.

Red flags include:

A ‘friend’ or ‘adviser’ who answers everything while the customer stays silent.
Payments and instructions coming from people not named in the relationship.
A refusal to provide authority documents for representatives.

A mismatch between the customer and the service they want

Be alert when the product seems to serve secrecy rather than a genuine need. Examples include a customer who wants fast settlement at any cost, or a small entity that requests unusually complex structures for a simple deal.

Overly detailed focus on your thresholds and processes

Some customers understand compliance. However, repeated probing about thresholds, reporting and internal steps can be a sign they are trying to work around your controls.

When staff spot these behaviours, they should move from ‘friendly chat’ to ‘structured clarification’. Ask for the commercial purpose, the parties involved, and the evidence that supports the explanation.

Transaction Red Flags to Monitor

Transactions are where laundering becomes visible. Even if onboarding looks clean, payment behaviour can reveal risk, especially if you monitor patterns rather than single events.

Unusual value, frequency or speed

Sudden change can matter more than absolute value. Watch for:

A sharp jump in volumes soon after onboarding.
Many payments just below internal review thresholds.
Rapid in-and-out movements with little time in the account, with no clear purpose.

Unclear economic rationale

You do not need to understand every commercial detail. However, you do need to be able to explain, in plain language, what a transaction is for, who benefits, and why the amounts and timing make sense.

Third-party payments that do not align with the relationship

Third-party funds can be legitimate, yet they raise risk because they weaken the link between the customer and the money.

Monitor for:

Incoming funds from unrelated parties.
Multiple unrelated senders paying into one relationship.
A customer who insists you pay out to a different party than the one you dealt with.

Geographic and routing concerns

Cross-border payments are normal. The red flag appears when geography looks engineered to add distance or confusion, such as:

Routing funds through multiple countries with no clear reason.
Sudden exposure to jurisdictions never mentioned during onboarding.
Repeated use of intermediaries that the customer cannot explain.

Circular patterns and self-cancelling flows

Layering can create activity that looks busy but achieves little. Look for money that leaves and returns, or repeated reversals and ‘mistaken’ payments.

If you are building monitoring rules, start with a few high-quality alerts that staff understand. Noisy alerts lead to alert fatigue, and that is when real issues slip through.

Source of Funds Warning Signs

‘Source of funds’ means the origin of the money used for a specific transaction. HMRC describes it as the origins of the money used in a particular transaction.

Source of funds checks answer: “Where did this money come from for this deal?” They should link evidence to the transaction you are about to complete, and they should scale with risk.

Warning signs often look like a mismatch between:

The customer’s explanation.
The documents they provide.
The transaction facts (amount, timing and route).

Common source of funds red flags include:

Third-party funds with no credible link

If the customer says, “My friend is paying”, ask why, and ask how that friend obtained the funds. Gifts and family support can be legitimate, yet they still need clarity and evidence.

Last-minute changes to the funding route

For example, the customer initially says funds will come from a UK account, then switches to an overseas account or a company account right before completion. The change may be innocent, yet it increases risk, so you should re-check the story and the evidence.

Evidence that does not show a clear chain

A balance screenshot is not a chain of funds. Ideally you can trace the origin (such as salary, sale proceeds, inheritance), then the movement into the sending account, then the transfer to you.

Funds inconsistent with stated income or business activity

A single windfall can explain a large payment. However, the customer should be able to identify what that windfall was and provide evidence that matches.

Multiple small sources that do not add up cleanly

Many sources can be normal (savings plus mortgage plus gift). It becomes suspicious when sources are vague, fragmented and cannot be explained.

A practical training tool is the ‘chain test’: can we explain the path of funds from origin to us, with a plausible reason at each step?

Source of Wealth Red Flags

‘Source of wealth’ is broader. It is about how the customer acquired their overall wealth over time. HMRC describes source of wealth as the customer’s entire wealth and how the customer accrued it.

Source of wealth checks answer: “How can this customer afford this at all?” You do not need to audit someone’s life, but you do need enough comfort that the wealth story is credible, especially where risk is higher or Enhanced Due Diligence (EDD) applies.

Source of wealth red flags often show up when:

Occupation and lifestyle do not fit the transaction value.
Explanations stay vague (‘investments’, ‘business overseas’) and never become specific.
Wealth appears linked to higher-risk sectors or jurisdictions without clarity.

Common source of wealth red flags include:

Vague explanations that resist detail

Legitimate customers can usually give a simple outline of what they did and how it generated wealth. They may not want to overshare, but they can make the story coherent.

Sudden wealth with no clear event

If wealth grew quickly, a legitimate trigger often exists, such as the sale of a business, inheritance or settlement. If the customer cannot identify a trigger, escalate.

Complex structures that obscure wealth creation

If wealth flows through layers of companies, trusts or nominees, it can be hard to see who benefits and how money is made. Complexity is not illegal, yet it increases risk and usually requires deeper checks.

Keep source of wealth practical by matching evidence to the stated driver, for example: sale agreement for a business sale, bank statements showing proceeds, or documentation for inheritance. For additional context on what good practice can look like in professional services, see the SRA thematic review on source of funds and wealth.

High-Risk Countries and Jurisdictions

Geography changes risk. Some jurisdictions have weaker AML controls or are associated with higher exposure to secrecy vehicles and corruption. Because lists change, focus on how to check, not on memorising countries.

The Financial Action Task Force (FATF) publishes public documents identifying high-risk jurisdictions subject to a call for action and jurisdictions under increased monitoring. In UK practice, many firms use these FATF lists as a starting point for high-risk third country awareness.

Build a repeatable habit:

Check current FATF statements using the FATF high-risk and other monitored jurisdictions page.
Align your internal risk assessment with your supervisor or regulator expectations.
Record why you treated a jurisdiction as higher risk, including the date you checked.

High-risk jurisdiction red flags often appear when:

The customer is established in, resident in, or regularly transacts with higher risk jurisdictions.
Money routes through multiple jurisdictions with no clear reason.
The customer insists on using intermediaries or banks in places they cannot reasonably justify.

A useful staff prompt is: “What is the simplest explanation for this routing, and does the evidence support it?” If the simplest explanation is “to hide the trail”, escalate.

PEPs and Sanctions Red Flags

PEPs and sanctions concerns can overlap, yet they are not the same. PEP status increases bribery and corruption risk, so it often triggers enhanced checks. Sanctions are legal restrictions, so a breach can occur even if the customer claims legitimate funds.

Sanctions indicators

The Office of Financial Sanctions Implementation (OFSI) guidance is the best place to start for UK financial sanctions expectations, including screening and general compliance approach. See theUK financial sanctions guidance and theUK financial sanctions general guidance.

Practical sanctions red flags include:

A customer, beneficial owner or counterparty matches a sanctions list, even if they claim it is ‘someone else’.
A customer avoids giving full identifiers (full name, date of birth, company number) that make screening effective.
Payment routes, counterparties or services appear designed to avoid obvious sanctioned links.
A customer resists questions about ownership and control, especially where sanctions exposure is plausible.

PEP indicators

A PEP is not automatically suspicious. Many are legitimate. However, a PEP relationship typically calls for stronger source of wealth comfort and closer monitoring.

Escalate quickly when:

Wealth seems inconsistent with known official income.
The customer relies on intermediaries or complex structures with no clear business purpose.
The customer has close connections to high-risk jurisdictions, procurement or state-linked industries.

Operationally, it helps to separate ‘screening outcome’ from ‘risk outcome’. A PEP match is not a refusal. It is a trigger to apply your enhanced process.

Cash-Heavy Activity Red Flags

Cash creates opacity. It can be legitimate in some sectors, yet it also provides a simple way to introduce criminal proceeds into the financial system.

Large cash payments that do not fit the customer’s profile or the nature of the deal.
Repeated cash deposits or payments that look structured.
Cash delivered by third parties or multiple people.
Rapid conversion from cash to electronic funds and onward movement.

If you operate in a cash-heavy area, set practical controls that staff can follow every time.

For example:

Clear limits on when cash is accepted and what approvals are needed.
Consistent recording of who paid, when, and why cash was used.
Extra scrutiny when cash is paired with third parties, high-risk jurisdictions or high-value assets.

The point is not to ban cash automatically. The point is to remove ambiguity and create an audit trail.

Crypto and Virtual Asset Service Provider (VASP) Risk Indicators

Crypto assets add speed and global reach, which can increase risk when the origin of value is unclear. Even firms that do not offer crypto services can be exposed when customers use crypto to fund purchases or repayments.

Unclear platform and unclear ownership

If the customer cannot identify where they bought or sold crypto, or cannot show that they controlled the wallet used, you have a source of funds problem.

Obfuscation behaviour

Evidence of mixing, tumbling or deliberate ‘trail breaking’ should trigger escalation. Legitimate customers rarely need these steps to fund ordinary purchases.

Rapid conversion patterns

For example, crypto is acquired, quickly moved between assets, then cashed out into fiat, then used for a deal, with little explanation for the speed and complexity.

Document mismatch

Exchange statements, wallet data and bank records should tell the same story. If the customer offers only partial screenshots or refuses to provide transaction details, escalate.

In many cases, you can reduce risk by requesting clear exchange statements and bank statements that show the fiat cash-out into the sending account. If the customer cannot evidence the chain, treat that as a serious concern and escalate to the MLRO.

Shell Companies and Complex Ownership

Shell companies and complex ownership structures are not always illegal. The red flag is when complexity seems designed to hide who owns, controls or benefits, or when the structure makes no sense for the stated activity.

Ownership and control red flags include:

Beneficial ownership is hard to identify, or the answer keeps changing.
Use of nominees with no clear rationale.
Ownership chains across multiple jurisdictions that add opacity, not business value.
Newly formed or dormant entities carrying out high-value transactions with no credible trading history.
A complex structure supporting very simple activity.

A useful internal habit is to require a short ‘structure explanation’ note that answers what each entity does, who controls it and why this structure exists. If staff cannot write that paragraph coherently, the risk is likely too high to proceed without EDD.

Trade-Based Money Laundering Signs

Trade-based money laundering (TBML) exploits invoices, shipping and trade flows to move value. It can touch import-export businesses, logistics and any firm that finances or supports trade.

Common TBML signs include:

Over or under-invoicing compared to plausible market pricing.
A mismatch between goods, customer profile and shipping route.
Repeated circular trade or payment patterns that do not create obvious value.
Too many intermediaries with unclear roles.
Documentation quality that does not match the size and sophistication of the claimed trade.

Staff do not need to be trade specialists to spot TBML risk. They do need to ask simple commercial questions: “Who is the real buyer, why this route, and what is the basic purpose of the trade?” If answers are vague or inconsistent, escalate.

Unusual Documentation and Inconsistencies

Documentation issues are among the most common red flags. Fraudulent documents are easier to produce than ever, and even genuine documents can be used misleadingly. So, look for consistency, not only presence.

Common documentation red flags include:

Identity documents that appear altered or do not match the person.
Proof of address or bank statements that show different names, fresh accounts or cropped details.
Corporate documents that do not match public records (for UK companies, cross-check with Companies House).
Dates and amounts that do not align across documents, especially around source of funds.
Over-reliance on ‘letters from professionals’ without primary evidence.

A simple staff question helps: “Do these documents tell one story, or do they tell different stories?” If they tell different stories, pause and clarify.

EDD Triggers and When to Apply

Enhanced due diligence is the step you take when the relationship is higher risk and standard checks do not give enough comfort. Regulation 33 of the Money Laundering Regulations 2017 sets out situations where EDD is required, including cases involving high-risk third countries.

Beyond mandatory triggers, your risk assessment can require EDD where high-risk factors exist.

In day-to-day work, common EDD triggers include:

Links to high-risk jurisdictions (customer, counterparty, ownership or routing).
PEP cases and close connections to PEPs.
Complex ownership where beneficial ownership is unclear.
High-value activity that does not fit the customer profile.
Significant third-party involvement and unexplained third-party funding.
Material adverse information relevant to financial crime.
Sanctions screening hits or credible sanctions exposure concerns.

When you apply EDD, focus on targeted clarity, not volume. Good EDD increases understanding of ownership and control, commercial purpose, source of funds and wealth plausibility, and the monitoring plan you will use.

A practical EDD workflow many SMEs can run is:

Define and record the EDD trigger.
Identify what you need to resolve (e.g. explain the funding route).
Gather targeted evidence and analyse consistency.
Decide whether to proceed, proceed with conditions, pause, or exit.
Update monitoring thresholds and review frequency.

What to Do if Suspicious

Red flags only help if staff know what to do next. The goal is not to turn every concern into a report. The goal is to triage concerns, record decisions and escalate appropriately.

Pause, write down the facts and define the concern
Be specific. ‘Feels wrong’ is not actionable. ‘Customer will not explain third-party funding and insists on overseas routing with no commercial reason’ is actionable.
Ask proportionate questions and request targeted evidence
Keep questions neutral and process-led. Focus on purpose, parties and the chain of funds. If the customer cooperates and the evidence fits, you may resolve the concern.
Escalate to the MLRO or nominated officer early
If the concern persists, escalate. Provide a clear summary of what you saw, what you asked and what is missing.
Record your rationale, not just the outcome
Strong records should cover the red flags, explanations, evidence reviewed, analysis, decision and monitoring actions. This protects the business and improves learning over time.
Consider whether a SAR is required
A Suspicious Activity Report (SAR) is a disclosure to the National Crime Agency (NCA) about known or suspected money laundering or terrorist financing. The NCA explains that SARs alert law enforcement to potential instances of money laundering or terrorist financing and are submitted by many sectors. For practical reporting context, see the government guidance on reporting suspicious activities and the Law Society suspicious activity reports guide.
Communicate carefully to avoid tipping off
After a SAR is made, or when one is being considered, staff should be cautious about what they say to the customer. The NCA highlights tipping off and prejudicing an investigation risks for reporters. Keep communications factual (‘our checks are ongoing’) and follow the MLRO’s guidance.
Apply a consistent outcome
Most cases end in one of four outcomes: proceed, proceed with conditions (EDD and enhanced monitoring), pause pending clarification, or exit. Consistency reduces both compliance risk and staff stress.

Conclusion

AML red flags are most powerful when they are practical and repeatable. You do not need staff to become investigators. You need them to spot common warning patterns, ask good questions and escalate early.

Treat red flags as a trigger for structured curiosity. Clarify the commercial purpose, map the parties, follow the chain of funds, and check whether the wealth story makes sense. Then record your reasoning and involve your MLRO when concerns remain. Over time, this approach reduces compliance risk while improving real-world detection.

In this article