Subscribe to the Non-Human & AI Identity Journal

Layering

Layering is the process of moving funds through multiple accounts, entities, or assets to obscure their origin. In fraud operations, it creates distance between the initial crime and the final cash-out point, which makes investigation, recovery, and attribution much more difficult.

Expanded Definition

Layering is the stage of financial crime in which illicit proceeds are moved through multiple accounts, entities, instruments, or jurisdictions to break the audit trail. In anti-money laundering practice, it sits between placement and integration, but definitions vary across vendors and enforcement contexts because the same pattern can appear in fraud, sanctions evasion, and organised crime. The core security meaning is not simply “moving money”; it is using complexity to make ownership, source, and destination harder to prove.

For practitioners, layering often includes rapid transfers, pass-through accounts, conversion into higher-friction assets, or the use of shell entities and intermediaries. Guidance from the Financial Crimes Enforcement Network and control-oriented models such as the NIST Cybersecurity Framework 2.0 help teams think about detection, traceability, and response, even when the term itself is not a cybersecurity control. The most common misapplication is treating every multi-step transfer as layering, which occurs when normal treasury, payroll, or settlement flows are misread without transaction context.

Examples and Use Cases

Implementing layering detection rigorously often introduces more alert volume and investigative friction, requiring organisations to weigh financial crime coverage against false-positive burden and customer impact.

  • A fraud ring moves stolen funds from a compromised payment account into several mule accounts before converting balances into crypto or gift cards.
  • A shell company receives payments, forwards them through related entities, and returns funds as “consulting” revenue to disguise the original source.
  • An account is used for rapid in-and-out transfers across jurisdictions, with each hop reducing the visibility of the original counterparty.
  • An investigator maps the transaction path against typologies described in the Ultimate Guide to NHIs to identify whether compromised service accounts or API keys were used to trigger the movement.
  • A bank applies screening rules informed by FATF guidance to flag nested transfers, unusual beneficiary changes, and asset conversion patterns that suggest concealment.

In digital environments, layering can also intersect with identity and access misuse when attackers leverage compromised credentials to initiate transfers that appear operationally legitimate.

Why It Matters for Security Teams

Layering matters because it turns a single suspicious payment into a distributed investigation problem. Once proceeds are fragmented across accounts, wallets, or business entities, response teams lose time reconstructing ownership and purpose, and recovery odds typically decline. For financial institutions, marketplaces, and platform operators, the challenge is not just detection but attribution: spotting when a sequence of otherwise ordinary transactions becomes a concealment chain.

This term also intersects with NHI governance when automation is involved. The Ultimate Guide to NHIs notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is relevant because compromised machine identities can be used to trigger high-velocity transfers or manipulate records at machine speed. NHI Management Group also reports that only 5.7% of organisations have full visibility into their service accounts, which makes it harder to distinguish legitimate automation from abuse. Teams that ignore layering usually discover the issue only after reconciliation fails, at which point transaction tracing becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 DE.CM-1 Ongoing monitoring helps detect abnormal transaction patterns that may indicate layering.
NIST SP 800-63 AAL2 Stronger identity assurance reduces account takeover risk that can enable fraudulent transfer layering.
OWASP Non-Human Identity Top 10 NHI governance is relevant when machine identities are abused to move or obscure funds.
NIST AI RMF AI risk management supports decisioning systems used to flag or explain suspicious layering patterns.

Inventory and protect machine identities that could be used to trigger concealed financial activity.