TL;DR: AML investigations now operate under tighter reporting timelines, broader regulatory scope, and more technologically enabled fraud, with the article citing the EU’s AMLR and PSR alongside large enforcement actions and a 2-5% of global GDP money-laundering estimate from the UN. The governance challenge is no longer just detection, but proving decisions quickly, consistently, and with defensible documentation.
At a glance
What this is: This is a practical overview of AML investigations, red flags, SAR reporting, and the compliance controls that turn suspicious activity into defensible regulatory action.
Why it matters: It matters because AML programmes now have to coordinate transaction monitoring, case management, and reporting discipline across human reviewers, system-generated alerts, and cross-border obligations.
By the numbers:
- Around 2-5% of global GDP is laundered each year, according to one UN estimate.
- Known illicit addresses received at least $40.9 billion in cryptocurrency in 2024, according to the 2025 Chainalysis Crypto Crime Report.
- The UK's Financial Conduct Authority fined Barclays Bank PLC over £39.3 million in 2025 for failing to adequately manage money-laundering risks.
👉 Read Sumsub's guide to AML investigations, red flags, and SAR reporting
Context
AML investigations are structured reviews of customer activity, transactions, and risk indicators used to decide whether financial crime may be occurring. In practice, they sit at the point where transaction monitoring, sanctions screening, CDD, and human judgment meet regulatory reporting obligations.
The article frames AML as a governance problem as much as a detection problem. As reporting expectations tighten across jurisdictions, compliance teams need evidence that investigations were timely, documented, and based on a defensible understanding of customer behaviour rather than isolated alerts.
Key questions
Q: How should compliance teams structure AML investigations so they hold up in an audit?
A: Build each case around a documented decision trail. Capture the alert source, customer context, transaction history, beneficial ownership, source-of-funds evidence, escalation rationale, and final outcome. Auditors and regulators want to see that investigators used a consistent method, not just that a suspicious activity report was filed.
Q: Why do AML red flags need to be judged in context?
A: Because the same transaction can be normal for one customer and suspicious for another. Context includes expected activity, risk rating, account history, business model, and jurisdictional exposure. Without that context, teams create false positives, miss layering behaviour, and file weak reports that do not explain why the activity was unusual.
Q: How do organisations know whether their AML case management is effective?
A: Look for evidence that cases are resolved consistently, escalations are timely, SAR decisions are documented, and supporting material is easy to retrieve during review. If investigators cannot reconstruct the reasoning behind a decision, the process is too fragile for regulatory scrutiny.
Q: Who is accountable when an AML case should have been reported but was missed?
A: Accountability usually sits with the organisation’s AML governance chain, including compliance leadership, the MLRO or equivalent role, and the teams operating monitoring and case management controls. Regulators assess both the adequacy of the process and whether leadership could demonstrate effective oversight of investigation outcomes.
Technical breakdown
How AML investigations turn alerts into reportable cases
An AML investigation starts when an alert or referral suggests activity outside expected behaviour. Investigators collect customer profiles, transaction histories, source-of-funds data, beneficial ownership details, and external intelligence, and then assess whether the pattern fits legitimate activity or indicates laundering, sanctions evasion, fraud, or another predicate offence. The key technical distinction is between an alert and a case: alerts are raw signals, while cases require correlation, context, and documented judgement.
Practical implication: build a case workflow that preserves evidence from the first alert through the final reporting decision.
Why red flags are contextual, not absolute
AML red flags only become meaningful when they are evaluated against the customer’s expected behaviour, risk rating, and historical activity. Large transfers, offshore ownership structures, secretive behaviour, and rapid movement across accounts can all be legitimate in the right context. Investigators therefore need typology knowledge and profile-aware analysis, not just threshold-based screening, because the same activity can be normal for one customer and suspicious for another.
Practical implication: tune alerts around customer context, not just transaction size or frequency.
How SAR quality depends on the investigation trail
A Suspicious Activity Report is only as strong as the investigative record behind it. Effective SARs explain what happened, why it is suspicious, who was involved, when relevant events occurred, and how the conclusion was reached. That means case management, escalation, approval, recordkeeping, and monitoring are part of the reporting mechanism, not administrative afterthoughts. Without traceable reasoning, a filing may meet a deadline but still fail scrutiny.
Practical implication: require every SAR to map directly back to documented evidence and decision logic.
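The three points above, as an added illustration that is not code from the article or from Sumsub: the same transfer is judged against each customer's own CDD baseline rather than a fixed threshold, and the result is a case record carrying the what/why/who/when/how a SAR decision needs. The profiles, the transaction, the MAD-based deviation test and the escalation floors are constructed assumptions for the example.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Profile:                 # CDD baseline: what "expected behaviour" means for this customer
    customer_id: str
    risk_rating: str           # "low", "medium" or "high"
    expected_countries: set
    history: list              # past transaction amounts (constructed sample data)

@dataclass
class Txn:
    txn_id: str
    amount: float
    counterparty_country: str
    onward_transfers_24h: int  # rapid movement after receipt, a layering indicator
    when: str

def assess(txn: Txn, profile: Profile) -> dict:
    """Judge a transaction against the customer's own baseline rather than a fixed
    threshold, and return a case record carrying the what/why/who/when/how a SAR needs."""
    base = median(profile.history)
    mad = median(abs(x - base) for x in profile.history) or 1.0  # robust spread
    deviation = (txn.amount - base) / mad
    reasons = []
    if deviation > 5:
        reasons.append(f"amount {txn.amount:,.0f} is {deviation:.1f} MAD above median {base:,.0f}")
    if txn.counterparty_country not in profile.expected_countries:
        reasons.append(f"counterparty in {txn.counterparty_country}, outside expected "
                       f"{sorted(profile.expected_countries)}")
    if txn.onward_transfers_24h >= 3:
        reasons.append(f"{txn.onward_transfers_24h} onward transfers within 24h (possible layering)")
    # Assumed escalation floor: higher-risk customers escalate on one indicator, low-risk need two.
    needed = 1 if profile.risk_rating in ("medium", "high") else 2
    return {
        "what": f"txn {txn.txn_id}: {txn.amount:,.0f} to {txn.counterparty_country}",
        "who": f"{profile.customer_id} (risk rating {profile.risk_rating})",
        "when": txn.when,
        "why": reasons,        # each entry is evidence an investigator can cite, not just a score
        "how": f"{len(reasons)} indicator(s) against an escalation floor of {needed}",
        "escalate": len(reasons) >= needed,
    }

# Constructed sample: one 50,000 transfer to Cyprus judged against two different customers.
IMPORTER = Profile("C-100", "medium", {"GB", "CY", "NL"}, [42000, 38500, 51000, 47000, 40000])
RETAIL = Profile("C-200", "low", {"GB"}, [420, 510, 380, 460, 400])
TRANSFER = Txn("T-1", 50000.0, "CY", 0, "2025-01-15T10:32:00Z")

if __name__ == "__main__":
    print(assess(TRANSFER, IMPORTER), assess(TRANSFER, RETAIL), sep="\n")
```

For the importer the transfer sits within its own history and expected countries, so no indicator fires; for the retail customer the same transfer trips two indicators and escalates with the reasons already written out.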
Threat narrative
Attacker objective: The objective is to move illicit funds through the financial system while reducing the chance of detection, reporting, or recovery.
- Entry occurs when criminals place funds into monitored systems through channels such as customer accounts, crypto wallets, or cross-border payment routes.
- Escalation happens as money is layered through multiple accounts, wallets, or jurisdictions to obscure provenance and weaken pattern-based detection.
- Impact is achieved when illicit value is integrated into the legitimate economy and reporting gaps prevent timely regulatory or law-enforcement action.
Breaches seen in the wild
- Zacks Investment Research breach — exposed 12M customer records including credentials.
- Hugging Face Spaces breach — exposed API keys and authentication tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AML investigations are a governance control, not just a compliance task. The article correctly treats investigations as the bridge between alerts and reportable outcomes, which is where many programmes fail in practice. A system can generate alerts all day, but if investigators cannot document context, rationale, and escalation consistently, the programme is not operationally defensible. The implication is that case quality, not alert volume, is the real measure of control maturity.
Documented decision-making is the real anti-fraud control. Regulators increasingly care whether an organisation can show why a case was or was not filed, not just whether monitoring exists. That shifts the centre of gravity from tooling to evidence discipline, including source-of-funds review, beneficial ownership analysis, and retention of the reasoning trail. Practitioners should treat the investigation record as a regulated asset.
Cross-border reporting creates a jurisdictional workflow problem. AMLR, PSR, FinCEN, and FIU expectations do not align neatly, so multinational firms cannot rely on one universal filing model. Reporting deadlines, formats, and escalation thresholds vary, which means governance has to absorb local variation without fragmenting the investigation standard. The practitioner takeaway is to design one core investigative method with jurisdiction-specific reporting overlays.
Cryptocurrency has expanded the scope of AML work without changing the underlying governance test. Digital assets add speed, wallet proliferation, and obfuscation techniques such as mixers, but the investigative question remains the same: does the activity fit the customer profile and source-of-funds story? The article’s crypto examples show that blockchain visibility helps, but only when teams can translate that data into case decisions and reports.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- The next control question is not only detection but lifecycle discipline, which is why practitioners should pair this topic with the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs.
What this signals
Case management is becoming the control plane for AML programmes. As reporting obligations tighten, the operational quality of the investigation trail matters more than the volume of alerts a team can absorb. That means firms should measure whether investigators can move from alert to documented decision without rework, not just whether a tool fires correctly.
Jurisdictional variability is now a governance design issue. The same case may trigger different filing rules, deadlines, and approval steps depending on where the business operates. Multinational teams need a standard investigative method with local reporting overlays, or they will create inconsistent outcomes that regulators can challenge.
The broader lesson is that financial crime response depends on evidence integrity across people, processes, and platforms. Teams that cannot preserve decision logic will struggle to defend SAR outcomes, especially as crypto-related flows and cross-border transactions increase the complexity of review.
For practitioners
- Tighten case escalation criteria: Define exactly which combinations of alerts, source-of-funds gaps, adverse media, and beneficial ownership issues must move a case from triage to escalation.
- Standardise SAR decision notes: Require investigators to record what happened, why it was suspicious, who was involved, when the activity occurred, and how the conclusion was reached.
- Align reporting workflows to jurisdiction: Map local filing deadlines, confidentiality rules, and report formats for each operating region so the same case can be filed correctly across markets.
- Rehearse high-risk scenarios in training: Use scenario-based exercises for crypto flows, sanctions exposure, and cross-border layering so investigators practise decisions under realistic pressure.
Key takeaways
- AML investigations fail when teams treat alerts as the end of the process instead of the beginning of a documented decision trail.
- The scale of laundering and the pace of enforcement show that weak case management creates both financial crime exposure and regulatory risk.
- Practitioners should focus on context, escalation discipline, and jurisdiction-aware reporting rather than relying on transaction monitoring alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-1 | Case records and SAR evidence need protected handling and retention. |
| NIST CSF 2.0 | RS.AN-1 | AML investigations are analysis workflows after alerts or referrals. |
| NIST SP 800-63 | Identity proofing (SP 800-63A) | Customer due diligence and identity proofing underpin suspicious activity assessment. |
Protect investigation evidence with access controls, retention rules, and tamper-evident case records.
Key terms
- Suspicious Activity Report: A Suspicious Activity Report is a formal filing to a financial intelligence unit or equivalent authority when a firm identifies activity that may indicate money laundering, fraud, sanctions evasion, or another financial crime. The report should explain the facts, the rationale, and the decision reached.
- Customer Due Diligence: Customer Due Diligence is the process of identifying a customer, understanding the nature of the relationship, and assessing risk before and during an account’s life. In AML investigations, CDD provides the baseline that investigators use to judge whether current activity is consistent with expected behaviour.
- Beneficial Ownership: Beneficial ownership refers to the real individuals who ultimately control or benefit from an entity, even if they are not the named account holder. AML teams use it to uncover hidden control structures, identify risk concentration, and explain why a customer profile may not match observed activity.
- Case Management: Case management is the controlled process of tracking alerts, investigations, escalations, evidence, decisions, and retention in one governed workflow. In AML programmes, it is the mechanism that turns raw monitoring output into auditable action and defensible reporting.
What's in the full article
Sumsub's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step AML investigation workflow from alert triage to SAR filing and ongoing monitoring
- Jurisdiction-specific guidance for FinCEN, UKFIU, and cross-border reporting obligations
- Examples of AML red flags across customer behaviour, source of funds, ownership structures, and crypto flows
- Practical case management and training considerations for teams handling suspicious activity at scale
👉 The full Sumsub article covers reporting rules, red flags, and investigation workflow in more detail
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, agentic AI identity, machine identity security, IAM, human identity, identity lifecycle, secrets management, and workload identity. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org