Money laundering and AML compliance

Patrick McKenzie (patio11)

Continuing from our discussion of Know Your Customer (KYC) regulations, we have the closely related duty of financial institutions to have anti-money laundering (AML) policies. Much like KYC, I think there is more nuance here than broadly appreciated.

But before we get to that, let’s start with the easy bits.

What is money laundering?

Money laundering is, effectively, a process crime. We criminalized it not because of the direct harms, but because it tends to make other interdiction of criminal activity more difficult.

Money laundering covers anything which obscures the link between another crime and the proceeds of that crime. This is intentionally extremely vague and expansive. The victim is, take your pick, either the state or the financial institutions the state has deputized to detect it.

Interestingly, in many cases the victim will be a co-conspirator, at least on some level. Money laundering definitionally happens with the assistance of the financial sector. The amount which happens with knowing assistance is a matter of some dispute. The reason Compliance departments are so thorough in explaining to all employees what money laundering is is that often it looks like creative solutions to the financial challenges posed by the complexities of a customer’s business, i.e. the thing society expects financial institutions to charge money for solving.

This often results in a sort of principal/agent problem where a firm would, in its heart of hearts, prefer to not facilitate money laundering, but where individual employees of the firm might follow their local incentive gradients into knowingly facilitating it anyway. And, indeed, a substantial portion of the job of Compliance departments is surveilling not the customers but the employees of the bank.

A word on nomenclature: we often speak of “clean” and “dirty” money. In many countries, you’ll hear a reference to white / black / gray money. (This is less common in the U.S. In part this is simply an elevator versus lift distinction in regional usage of English. In part this is because some Americans in the financial industry will involve HR if you describe money as having a color other than green. There are, of course, many speakers of English for whom the history and current relevance of U.S. race relations do not pose strong concern relative to, for example, domestic public corruption. See, among many other places, the delightfully named White Paper on Black Money.)

Whichever way you refer to this property of money, it is important to understand that this is… a social construct? Money is neither dirty nor clean in the state of nature. Money doesn’t even exist in the state of nature. It is magicked into being by an agreement between human minds.

Paper bills don’t have an endorsement, and databases don’t hold a column, that says certain money has been laundered or not. That is a necessarily subjective belief held by certain actors about a consequence of the action of others. It happens to be directly relevant to a subject we often believe can be measured precisely and objectively. This superposition of belief causes substantial confusion among policymakers, the financial industry, ordinary users of the financial system, and even criminals.

(If you are a technologist interested in the category of relevant metadata which is almost immune to attempts to document or store it, I recommend the classic essay Colour of Bits.)

The stages of money laundering

Breaking Bad produced the best four minutes of educational material ever on the stages of money laundering, so much so that serious Compliance departments routinely show the clip during mandatory training. But to reduce it to writing: placement, layering, and integration.

Placement: historically, most money laundering began with cash earned from illegal activities. This is increasingly untrue as cash becomes broadly less salient in society, but we’ll hew to the usual triad. Placement was the act of getting that cash into the regulated financial system.

Among other things, this typically involved circumventing KYC controls, because you are highly unlikely to have declared your profession as Drug Dealer to your bank. We'll return to some cash-based AML enforcement requirements in a moment.

Layering: optionally, to frustrate investigators (or, more commonly, decrease the amount of scrutiny from Compliance departments), money launderers could bounce money around the financial system prior to it arriving at its final destination. Hops between accounts, financial institutions, and legal jurisdictions make reconstructing funds flows much more difficult.

Classically this was often done by wiring money between shell corporations controlled by the money launderer with several of them existing in jurisdictions with other-than-ingratiating compliance postures. These days we sometimes see echoes of it in e.g. cryptocurrency heists, where criminals might swap assets between various chains before attempting to exfiltrate from the cryptocurrency ecosystem(s) to money.

Integration: the final goal of a money launderer is to have clean money within the regulated financial system, or alternatively non-financial assets with clean provenance that can be either operated or sold for clean money.

This is one of the reasons why a lot of money of dubious provenance ends up purchasing real estate. A stream of rent from a legitimate tenant is per se legitimate. The proceeds of a real estate sale will look very legitimate, absent substantial effort to investigate a complicated series of transactions which might be years ago.

And, due to quirks of the real estate industry, many legitimate transactions are highly effective money laundering in every respect other than being perfectly normal. You can set up a corporation whose only reason to exist is to own one apartment building. That building could be purchased with a wire from a lawyer’s escrow account. The bank receiving the funds into escrow would, if they enquired further, likely accept “I’m an attorney and this is to fund a client’s purchase” as a full and adequate response under their AML policies.

This is not the unique way that e.g. Russian oligarchs purchase apartment buildings. It is simply how one purchases an apartment building. (There exists some desire to bring real estate professionals into the AML fold via new regulation. Real estate professionals are numerous, politically influential, and are less intrinsically creatures of state action than financial institutions are, and so these efforts have made little headway in most jurisdictions despite upwards of a decade of trying.)

Speaking of Russian oligarchs: we ordinarily expect laws to be written down and then relatively impartially enforced. In the specific case of AML, changing political winds have moved particular transactions involving oligarchs from a declared policy goal of Western governments ("economic integration of Russia with the West") to a policy anti-goal ("supporting the Putin regime"). We discussed this previously. This has the effect of making previously supportable transactions now unsupportable, and an interesting function of this compliance regime is communicating that change without acknowledging that it actually happened.

A related issue is the challenge of having an AML policy in a region where a) banks have wealthy clients b) they want to do typical wealthy client things c) the wealth is not, strictly, clean but often because d) it was generated circumventing laws against private property ownership, which neither bankers nor bankers' governments give much moral deference to.

I will note that a challenge with economic integration is that the same market structures organically developed to circumvent The Wrong Sort Of regulation of private enterprise are also effective at circumventing The Right Sort Of regulation of private enterprise. And so regulators want bankers to tell customers not just to change the way they do business but to accept strictly less-functioning ways of doing business. Neither bankers nor clients really love being made to pay the price for society's goals here.

What AML looks like in practice

Much like KYC, AML policies are recursive stochastic management of crime. The state deputizes financial institutions to, in effect, change the physics of money. In particular, it wants them to situationally repudiate the fungibility of money. (Fungibility is the property that $1 is $1 and, moreover, that you are utterly indifferent between particular dollars.) They are not required to catch every criminal moving money (that would not be a positive result!)

They are required to have policies and procedures which will tend to, statistically, interdict some money laundering and (similar to how we discussed for KYC) trigger additional crimes when accessing the financial system. Particularly in U.S. practice, one sub-goal of this is maximizing the amount of assets which will be tainted by money laundering and then subject to forfeiture proceedings.

And so financial institutions will have a policy which promises that, for each type of customer they have, they will do basically two things. They will gain an understanding of what normal behavior is for the customer, through upfront underwriting (often connected with the KYC process) and ongoing monitoring. And then they will flag anomalous transactions and investigate them. This could include obligations to block them, report them to the government, or both.

And so every financial institution of any size has a Compliance department. One of their functions is having a technological system which will sift through the constant stream of transactions they produce and periodically fire “alerts.” Those alerts go to an analyst for review.

This implies floors upon floors of people who read tweet-length descriptions of financial transactions and, for some very small percentage, click a Big Red Button and begin documenting the heck out of everything. This might sound like a dystopian parody, and it is important to say specifically that this is not merely standard practice but is functionally mandatory.

The right orders of magnitude to think of are “tens of millions of transactions flagged” and less than 5% requiring a report.

Another way to think of it is that private industry employs roughly as many intelligence analysts as the intelligence community does; the rough order of magnitude is "tens of thousands." How do you want to spend your Friday? They are going to spend theirs doing what they always do; actioning transaction reports.

Documenting placement, as well as totally innocuous transactions

One reporting obligation is targeted specifically against placement, and encodes a presumption against the legitimacy of large amounts of cash. The threshold mandating a report is $10,000 in the U.S. and U.S. practice is so dominant here that this threshold has expanded virally into the regulations and laws of foreign countries.

The report is formally called a Currency Transaction Report (CTR). (I swear, a good portion of AML is memorizing a blizzard of acronyms to pretend there is much more substance to the field than actually exists.) CTRs are not evidence of a crime. They are not, in most cases, even evidence that any human even suspected a crime. They are a process tripwire designed to be easily sidestepped by ordinary members of the public while creating copious evidence of process crimes by cash-using criminals.

Do they actually function in this way? Well, many people (frustratingly, including some bank tellers) believe that cash transactions above $10,000 are forbidden. This is utterly not the case, but it is believed by many, and contains a core of truth (that $10,000 is considered a legally significant threshold). So they might find themselves having $15,000 in cash and deposit it in two transactions, $9,000 and $6,000. Clever, right?

That is called “structuring” and structuring is a crime, even with no predicate offense. It can be utterly legal money, but if you transact in it with the intent to avoid the CTR filing requirement, that act in itself is a crime. Frustratingly, sometimes a random walk down financial transactions which happen to involve cash looks indistinguishable from structuring. This has caused actual, toothy legal consequences for people who (sensibly) did not know that "structuring" existed as a concept.

I feel it necessary to say explicitly that CTRs apply only to cash. The government cares far less about checks or credit card transactions in the amount of $11,000 because those embed their own paper trail.


The other form of report is the ominously named Suspicious Activity Report (SAR). It is a formalization of “we found something fishy during the otherwise routine operation of our financial institution.”

There is an actual software artifact that financial institutions must interact with to file SARs. Without showing you the UI for it, suffice it to say that the median submission is effectively an interoffice memorandum about two to four pages in length written by an AML analyst for an audience of “probably no one but, if it is ever read, by a law enforcement officer.”

The actual probative value of SARs varies wildly; at the top of the spectrum, they can include sufficient investigatory work and documentation, produced by the analyst at the financial institution, to lead to convictions for e.g. human trafficking.

Across the financial industry, that SAR is wildly outnumbered by “Mohammed tried to do something, we didn’t let him, and when we told him that he became agitated.”

An example from here in Japan: an immigrant attempted to wire the equivalent of $600 to his cousin in Africa. He was asked the purpose of the wire and said it was for a tuition payment. Bank staff asked for supporting documentation like e.g. a tuition statement or student ID card for the cousin. The customer refused to provide that documentation. The bank refused the wire. The customer accused the bank staff of racially profiling him and raised his voice.

I was not a party to that transaction and, for clarity, it did not involve any employer or business partner of mine. I winced when reading a news report about it, because this is practically ripped from Compliance training. The customer is absolutely right and they are very likely getting a SAR filed on them.

This will likely have zero legal effect, for reasons we’ll get into in a moment. However, SARs are relatively expensive for a bank to process. A client who produces an excessive number of them will be judged as ipso facto a compliance risk. This means that clients who generate SARs will often be forcibly offboarded with the fact of the SAR being filed being the true reason for the offboarding.

At many institutions, one SAR is a non-event. Two, for a retail client, means one gets a letter saying the bank wishes you the best in your future endeavors and will not bank you anymore. That letter will often mention that this is a commercial decision of the bank and will not be reversed. Some clients receiving that letter will, on attempting to open account at a different bank, get refused because the first bank entered them into Chexsytems as “account closed at bank’s discretion” and the second bank, on reviewing that entry, said “yep, we are not touching this hot potato.”

Frustratingly, regulators will say “Well, that is the bank’s decision. We didn’t direct them to do that.”, even though the purpose and effect of AML regulations is causing a lot of behavior not specifically asked for. Banks will, meanwhile, say “Our hands are tied. Look at these enforcement actions. Clearly, this is an unacceptable level of risk.” And meanwhile, there is an actual person who has done nothing wrong and now finds themselves somewhere between greatly inconvenienced and frozen out of the financial system entirely.

In the U.S., SARs gather up in piles at the Financial Crimes Enforcement Network (FinCEN). Most are write-once read-never. The dominant way they are actually used is that, when someone comes under criminal suspicion for other reasons, law enforcement runs their name through FinCEN. That will, some of the time, turn up sufficient threads about their money laundering to allow investigators to send letters to the relevant financial institutions to get full account histories.

“You almost sound like a cryptocurrency enthusiast, Patrick”

I think the thing that cryptocurrency enthusiasts are rightest about, which is broadly underappreciated, is that the financial system has been deputized to act as law enforcement. This will affect the typical user of the financial system precisely zero times during their lives. There is widespread consensus among policy elites that, at prevailing margins, we should tighten screws within the financial industry to interdict dirty money and accept some incidental increase in minor imposition.

People at socioeconomic margins, however, will tend to experience this transactional friction quite frequently. Some people in the finance industry get their education in AML at mandatory Compliance training. I got mine by being an immigrant. I have jokingly referred to myself as a Japanese Regional Bank Wire Transfer Compliance Influencer due to the frequency at which I interact with AML fun.

I have some advantages in dealing with this fun, such as being socially established, a desirable bank customer, and sophisticated with regards to banking regulation. Most people at the socioeconomic margins do not share these advantages.

Is this tradeoff worth it? I wish that society and policymakers more closely scrutinized the actual results obtained by AML policies. Plausibly we get sufficient value out of AML to have people attend mandatory diversity training at 1 PM, Banking the Underbanked seminar at 2 PM, and then AML training at 3 PM, while experiencing very little cognitive dissonance.

But if that case can be made, then let it be made. I find the opposing case, that AML consumes vast resources and inconveniences legitimate users far out of proportion to positive impact on the legitimate interest of society in interdicting crime, to be very persuasive. (It is occasionally made in the literature.)

Bonus Japanese Regional Bank Wire Transfer Compliance Influencer Content

Alameda Research made its initial money in defeating AML controls at Japanese regional banks. They described it as an “arbitrage opportunity” because Bitcoin was more expensive at Japanese exchanges than at U.S. exchanges.

Mechanically, to profit from the arbitrage, you'd buy BTC with dollars, send to Japan, sell for BTC for yen, exchange your yen for dollars, and send those dollars back to the U.S. Then, you repeat this, at high velocity, for high amounts transacted, until the price converges in both locations.

The arbitrage existed because, in the wake of the Mt. Gox implosion, the Financial Services Agency (Japan’s banking regulator) told Japanese banks to be extremely skeptical of cryptocurrency businesses.

Alameda recruited a Japanese national to be the director of a Japanese company (both of these are considered less risky than the alternatives), then found a regional bank with weak compliance controls, and moved tens of millions of dollars daily through them with wires.

So the arbitrage profits that Alameda harvested for this trade was, effectively, payment for being the one actor in the ecosystem which combined a) willingness to transact in Bitcoin in both the U.S. and Japan and b) willingness and capability to suborn a Japanese bank.

And so we come full circle: at which point was Alameda Research laundering money? I would say “No later than January 2018.” Their then-CEO described the mechanism and rationale for doing it extensively, including describing it as “the sketchiest thing in the world” and that a typical compliance officer would conclude it was “obviously money laundering.” Those are quotes.

But, from a legal realist perspective, Alameda Research began laundering money in November 2022, at the precise moment that FTX and its principals lost the trust of governments and financial institutions. Prior to that, they were just really good at answering questions from compliance departments.

I think the world extensively underrates the portion of all economic activity done by that group of entities which traces to the superpower “really good at answering questions from compliance departments.” They were the de facto compliance layer for Tether, which is pathologically bad at answering questions from compliance departments. It is “quilted out of red flags.”

Alameda performed placement in the U.S. for Bitfinex/Tether and their customers. They moved money into and out of Tether's purported reserves. Their contemporaneous explanation was that they were operating an OTC desk. They, likely, told banking partners that they had a KYC/AML program in place for customers.

“Did Alameda factually perform tens of billions of dollars worth of OTC transactions on behalf of unaffiliated customers?”, he asked, rhetorically.

And so the AML questionnaires of various financial institutions, seemingly collecting nothing useful in the moment, are destined to be cited at length in current and future litigation. See, for example, Count Seven. I strongly doubt that will be the last we hear of the matter.

← Improving how credit cards work under the covers
BAM's Early Adopter discount ends soon →

Want more essays in your inbox?

I write about the intersection of tech and finance, approximately biweekly. It's free.