Structuring exposes the limits of identity-led AML controls

At a glance

What this is: This is a Veriff analysis of structuring in AML and the identity controls used to detect it, with a key finding that AI-driven fraud and weak identity verification make small-transaction laundering patterns harder to spot.

Why it matters: It matters to IAM practitioners because financial crime now depends on identity assurance, account provenance, and workflow integrity as much as on transaction thresholds.

By the numbers:

• The Veriff Fraud Index 2025 reveals a 21% year-on-year increase in online fraud since 2024.
• 79% of people have been targeted by AI-generated, nerated fraud or deepfakes at least once in the past year.
• 97% of people believe strong security measures are, asures are important when signing up for a new financial service.

👉 Read Veriff's analysis of structuring, AML controls, and identity fraud

Context

Structuring is a financial crime technique that deliberately splits a larger transaction into smaller deposits to stay below a reporting threshold. In identity governance terms, the problem is not only the money movement itself but the creation of accounts, actors, and workflows that can repeatedly pass as low risk.

Veriff frames this as part of a broader fraud environment where AI-generated identities, deepfakes, and mule accounts reduce the reliability of manual review. For financial institutions, the control question is whether identity proofing, transaction monitoring, and suspicious activity reporting still form a coherent chain when criminals can industrialise account creation.

This is fundamentally an IAM and fraud-governance problem inside regulated financial operations, not just a transaction-monitoring problem. The starting position described in the article is typical: many institutions still rely too heavily on threshold checks and human escalation after the fact.

Key questions

Q: How should financial institutions stop structuring when deposits stay below reporting thresholds?

A: They should aggregate activity across accounts, branches, and time, rather than rely on single-transaction alerts. Structuring succeeds when each deposit looks ordinary on its own. Effective controls combine entity resolution, behavioural patterning, and escalation rules that spot coordination across multiple low-value events before the laundering path becomes entrenched.

Q: Why do synthetic identities make AML programmes less effective?

A: Synthetic identities weaken AML because they let criminals create accounts that look legitimate enough to receive dispersed deposits. Once those accounts exist, transaction monitoring sees ordinary customer behaviour unless the programme can link the account back to weak proofing, device reuse, shared attributes, or suspicious network patterns.

Q: What do financial institutions get wrong about structuring detection?

A: They often treat structuring as a threshold problem instead of a lifecycle problem. The real failure often begins at onboarding, where weak identity proofing enables mule accounts, and continues through fragmented monitoring that cannot connect separate deposits into one coordinated laundering pattern.

Q: Who is accountable when suspicious activity is discovered after deposits have already been accepted?

A: Accountability usually sits across onboarding, fraud, AML, and compliance teams because each control stage contributed to the outcome. The practical question is whether the organisation can show who approved identity, who monitored behaviour, and who triggered the SAR workflow when the pattern emerged.

Technical breakdown

How structuring exploits reporting thresholds

Structuring, also called smurfing, works by fragmenting one large value transfer into many smaller events that remain below a legal reporting threshold. The technique is effective because compliance logic often treats each transaction independently until aggregation logic, pattern detection, or entity linkage reveals a suspicious sequence. In practice, the laundering pattern depends on dispersion across days, branches, and sometimes institutions so that no single event looks extreme on its own. That creates a gap between transactional visibility and behavioural visibility, which is where modern AML systems must intervene.

Practical implication: build aggregation and entity-linking logic that detects repeated sub-threshold activity across accounts, branches, and time windows.

Why AI-generated identities weaken account opening controls

AI-generated identities and deepfake-assisted fraud reduce trust in the account-opening stage by making synthetic applicants look real enough to pass weak checks. That matters because mule accounts are an operational prerequisite for structuring at scale. If identity verification is shallow, criminals can create a network of accounts that later receives dispersed deposits, making the laundering pattern appear like normal customer behaviour. The technical failure is not only spoofing, but also the inability of onboarding controls to bind a real person, a stable identity, and a durable account relationship together.

Practical implication: strengthen identity proofing and account-linkage controls before deposits begin, not only after suspicious activity is detected.

How automated AML reporting changes the control chain

Automated suspicious activity reporting helps reduce manual delay by assembling the data needed for SAR filings when a pattern crosses internal thresholds. The useful part is not the form generation itself, but the fact that well-designed workflows preserve who acted, what instruments were used, where activity occurred, and why the activity was deemed suspicious. That turns compliance from a static filing exercise into a documented identity-and-transaction evidence chain. In regulated environments, this is where detection, case management, and reporting need to remain connected rather than operate as separate tools.

Practical implication: ensure case management, evidence capture, and SAR production share the same identity and transaction record.

Threat narrative

Attacker objective: The attacker wants to move illicit funds into the legitimate financial system without triggering reporting or review.

1. Entry begins when illicit cash is split into multiple deposits that each sit just below the reporting threshold, often across different days or branches.
2. Escalation follows when AI-generated identities or mule accounts are used to distribute deposits and obscure beneficial ownership across linked accounts.
3. Impact occurs when the transactions are aggregated into a successful laundering path that evades standard review and complicates regulatory tracing.

Breaches seen in the wild

• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
• Zacks Investment Research breach — Zacks breach exposed 12M customer records including credentials.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Structuring exposes an identity-assurance gap, not just a transaction-monitoring gap. The article is right to show that sub-threshold deposits are only one part of the problem. The real weakness is that financial institutions often treat account opening, ongoing behaviour, and suspicious reporting as separate controls when criminals use them as one coordinated path. For practitioners, that means AML effectiveness depends on the integrity of the identity chain, not on threshold logic alone.

AI-generated identities turn mule-account creation into a scalable operational pattern. Once synthetic identities can pass onboarding, the bank is no longer dealing with one suspicious account but with a repeatable account-factory model. That changes the governance problem from individual case review to durable identity provenance. The implication is that KYC, fraud, and AML teams need a shared view of identity confidence across the full account lifecycle.

Structured laundering is a governance problem because the control objective is distributed across multiple teams. The article shows why compliance, fraud operations, and identity teams can no longer work from isolated signals. If onboarding does not harden identity, transaction monitoring will inherit the failure downstream, and SAR output will only document the gap after the fact. Practitioners should treat AML as a cross-functional identity control plane, not a single detective control.

Identity-led AML will become the baseline expectation in financial services. As fraud becomes more synthetic and more automated, the institutions that can link personhood, account ownership, and behaviour across channels will reduce both false negatives and manual escalation load. That is not a product feature change, it is a governance maturity shift. Financial institutions should reframe AML as continuous identity validation plus transaction intelligence.

Account provenance debt: when onboarding cannot reliably bind a real identity to an account, every downstream AML control starts with inherited uncertainty. That assumption fails in the article's threat model because criminals deliberately create many low-risk-looking accounts to distribute deposits. The implication is that institutions need to rethink how much trust they assign at account creation, before structuring patterns ever appear.

From our research:

• Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• Ultimate Guide to NHIs , 2025 Outlook and Predictions expands the governance view into how identity risk evolves as automation and AI adoption increase.

What this signals

Account provenance debt: when onboarding cannot reliably bind a real identity to an account, every AML control downstream inherits uncertainty. That shifts the programme conversation from isolated detection tuning to end-to-end identity assurance, especially where mule creation and synthetic identities are part of the attack path.

With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, identity weakness often starts long before a suspicious transaction is filed. For financial institutions, the next maturity step is connecting proofing, monitoring, and reporting into a single control narrative.

Practitioners should expect more pressure to show that AML controls are evidence-linked rather than threshold-led. That means better case traceability, stronger onboarding assurance, and clearer internal ownership for suspicious activity decisions across identity, fraud, and compliance teams.

For practitioners

• Tighten identity proofing at account opening Require stronger verification for new financial-service signups so mule-account creation becomes harder before any structured deposits can be placed.
• Link sub-threshold transactions across entities Use pattern analytics that connect repeated deposits by different people, at different branches, into the same behavioural cluster instead of treating each transfer in isolation.
• Unify fraud and AML case handling Route suspicious onboarding, behavioural anomalies, and reporting evidence into one workflow so investigators can see identity confidence and transaction context together.
• Automate SAR evidence capture Preserve who acted, what instruments were used, where activity occurred, and why it was suspicious so filings are defensible and repeatable.

Key takeaways

• Structuring succeeds when institutions focus on transaction size instead of identity provenance and behavioural linkage.
• The scale of online fraud and AI-generated deception is making synthetic account creation more practical for criminals.
• Financial institutions need a joined-up AML model that ties onboarding, monitoring, and reporting into one evidence chain.

Key terms

• Structuring: Structuring is a money-laundering technique that breaks a large transaction into smaller ones to avoid reporting thresholds. The fraud works because each transfer can look ordinary on its own, so investigators need aggregated behavioural analysis and identity linkage to see the pattern.
• Mule Account: A mule account is a bank or payment account used to receive, move, or layer illicit funds on behalf of another actor. In practice, mule accounts depend on weak identity proofing, fragmented oversight, and delayed detection that allows the account to be reused across transactions.
• Identity Verification: Identity verification is the process of confirming that an applicant, customer, or account holder is real and matches the claimed identity. In financial crime controls, it is the front door for reducing synthetic accounts, but it must be paired with behavioural monitoring to remain effective.
• Suspicious Activity Report: A Suspicious Activity Report is a regulated filing that documents transactions or behaviours that may indicate money laundering, fraud, or another crime. It is only as useful as the evidence chain behind it, which means identity, transaction context, and investigative rationale must be captured consistently.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Veriff: Structuring, fraud, and the future of banking security. Read the original.