Layering Techniques: 10 Money Laundering Patterns

Most regulatory enforcement actions involving large-scale money laundering describe layering in detail because layering is where the financial system actually facilitates the underlying crime. Placement gets the funds in; integration makes them look legitimate; layering is the work that makes the audit trail unfollowable in between. The serious cases involve layering chains of dozens of transactions across multiple jurisdictions over weeks or months — and the screening that exists at any single point in the chain typically saw nothing unusual at all.

The detection problem is structural. A wire transfer of $4.8 million between two corporate accounts looks identical whether it represents legitimate intercompany settlement or one hop in a layering chain. A crypto purchase looks the same whether the funds came from a salary or from a previous layering hop. The signal that distinguishes layering from legitimate activity emerges only when you look at sequences of transactions, counterparty patterns, and behavioural baselines — never at single events.

The patterns below appear repeatedly in published FATF, FinCEN and OFAC enforcement actions. They are not an exhaustive list — sophisticated networks combine techniques and invent new ones — but together they cover the substantial majority of layering activity that production transaction monitoring is asked to detect.

Funds move through 3–7 banks in sequence within a short window — often hours rather than days. Each hop sits within normal payment parameters; the chain as a whole moves the underlying value from the launderer's first account to a destination that has no documented connection to the source. Detection signal: outbound wire shortly after inbound wire of similar amount, repeated across the same customer or counterparty.

Wire chains routing through multiple jurisdictions — particularly through jurisdictions with weaker information-sharing arrangements (selected Gulf, Caribbean and Pacific jurisdictions). The geographic complexity is engineered rather than commercially driven. Detection signal: routing patterns inconsistent with the customer's declared business model, particularly through jurisdictions on the firm's elevated-risk country list.

Fiat proceeds purchase crypto on one exchange, transfer to a wallet, transfer to a second exchange (often in a different jurisdiction), and convert back to fiat on the destination side. The crypto rail introduces an audit gap that traditional banking layering does not have. Detection signal: rapid crypto purchase followed by withdrawal to an external wallet, particularly to wallets associated with known mixing services or sanctioned addresses.

Funds flow from the launderer to a shell company they control, then back to another account they control — typically through a payment characterised as a loan, consulting fee, or invoice settlement. The round-trip creates a documentation trail that makes the receiving account appear to have a legitimate inbound source. Detection signal: transactions between counterparties with shared beneficial ownership, particularly with reciprocal flows. See shell company red flags for the underlying counterparty patterns.

Trade documentation — invoices, bills of lading, packing lists — used to move value between counterparties while disguising the underlying transfer as commercial settlement. Common techniques include over-invoicing (paying more than the goods are worth), under-invoicing (paying less, with the difference settled separately), phantom shipments (paying for goods that never shipped), and multiple-invoicing (paying multiple times for the same shipment). Detection signal: invoice values materially deviating from market price for the declared goods, particularly across repeated transactions with the same counterparty.

Funds moved repeatedly between accounts at the same institution, or between accounts at affiliated institutions within the same banking group. The internal transfers create activity volume without leaving the institution's perimeter — and each individual transfer often falls below internal monitoring thresholds. Detection signal: high-velocity intra-customer transfers without commercial rationale, particularly between accounts of related entities.

Cash exchanged for casino chips, chips held briefly without significant gambling activity, then redeemed for a casino-issued cheque — converting cash into bank-deposit-eligible instrument with the casino as the apparent source. Detection signal applies primarily to gaming-licensed institutions and to banks receiving casino-issued cheques; the pattern is recurring redemptions disproportionate to declared gaming activity.

Property purchased and resold within a short period — often months rather than years — with the resale generating apparently legitimate sale proceeds. The transaction documentation creates the appearance of property investment income, masking the underlying laundering. Detection signal: customer income patterns dominated by property sale proceeds from properties held briefly, particularly through corporate vehicles in cash-intensive markets.

Funds moved through brokerage accounts via purchases and sales of liquid securities, with the resulting cash balance withdrawn or transferred. Where the trading itself is loss-making or trades against the customer's economic interest, the activity functions as layering rather than investment. Detection signal: trading patterns with no economic rationale, particularly low-volume securities or instruments where price-impact suggests deliberate execution rather than directional trading.

Funds loaded onto pre-paid cards in one jurisdiction, used or unloaded in another. The cards function as portable, anonymous-ish value transfer instruments — particularly the higher-limit varieties available in some markets. Detection signal applies primarily to issuers and to banks settling pre-paid card networks; the pattern is high-volume card loading without corresponding spending pattern, especially card-to-card transfer.

A defensible layering-detection rule library covers the major patterns without producing intolerable false-positive volumes. Five design principles consistently distinguish effective libraries from ineffective ones:

• Customer-specific baselines. Each customer has an established transaction pattern — typical counterparties, typical volumes, typical timing. Rules should fire on deviations from that baseline, not on absolute thresholds applied uniformly across customers.
• Multi-event composition. Effective rules look at sequences. "Outbound wire shortly after inbound wire of similar amount" is a stronger signal than "any outbound wire" — the composition is what defines the pattern.
• Counterparty-graph integration. Rules should have access to the counterparty's risk profile, ownership relationships and historic transaction patterns. A wire to a counterparty that the firm has never seen before is a different signal from a wire to a counterparty the customer transacts with monthly.
• Time-window calibration. Each rule needs a time window appropriate to its underlying pattern. Wire chains operate on hours-to-days; TBML on weeks-to-months; round-trips can span quarters. Single time-window rules miss patterns operating on different cadences.
• Feedback loop on disposition. Every alert disposition feeds back into rule calibration. Rules with persistently high false-positive rates need threshold or attribute adjustment; rules with persistent miss reports (cases identified by other means) need expansion.

For broader context on transaction monitoring architecture, see our companion guides to AML / CFT obligations and the upcoming Cluster C posts on rule tuning and alert triage.