Smurfing & Structuring: Detection Patterns for Compliance

Structuring is the canonical placement-stage typology and one of the few money-laundering controls with an explicit criminal offence attached in most jurisdictions. The US Bank Secrecy Act criminalises structuring directly under 31 USC §5324; equivalent statutes exist in MAS-, FCA-, AUSTRAC- and FinCEN-regulated jurisdictions. The legal foundation makes structuring detection both inspection-critical and prosecution-relevant: a clean structuring case typically supports both a Suspicious Activity Report filing and a referral for potential criminal investigation.

The detection problem is conceptually simple but operationally subtle. Identifying cash deposits just below USD 10,000 is straightforward — any transaction monitoring system can run that rule. Identifying the broader pattern of intent to evade reporting requires looking at sequences of transactions, customer behaviour over time, and the relationship between cash activity and the customer's declared business model. That second layer is where most programmes have gaps.

The patterns below cover the substantial majority of structuring activity seen in production transaction monitoring. They are mutually overlapping — most real cases combine two or three — and they should each have dedicated detection rules.

Repeated cash deposits in the $8,000–$9,800 range over a short period (typically days to weeks). The amount stays consistently below the CTR threshold but the aggregate exceeds it. Detection rule: cumulative cash deposits within rolling time windows (7 days, 14 days, 30 days) exceeding configurable thresholds, with sub-threshold individual amounts.

Cash deposits made on the same day across multiple branches of the institution, each sub-threshold, aggregating to a reportable amount. The geographic spread is designed to avoid same-branch aggregation rules. Detection rule: aggregate cash deposit across branches by customer per day, flagging where any aggregate exceeds threshold with individual deposits below.

Cash deposits in clean round numbers immediately below threshold — $9,000, $9,500, $9,900 — repeated across multiple instances. The pattern is structurally clear because legitimate cash deposits do not concentrate in narrow bands just below regulatory thresholds. Detection rule: density of deposits in the immediate-sub-threshold band relative to the customer's broader deposit distribution.

Sub-threshold cash deposits made into multiple accounts that share common characteristics — same registered address, common signatories, related beneficial ownership, or repeated transfer activity post-deposit. Each individual account looks unremarkable; the network of accounts shows the underlying pattern. Detection rule: counterparty-graph aggregation of cash deposits across accounts linked by ownership or behavioural connection.

Cash deposits followed quickly by purchases of monetary instruments (cashier's cheques, bank cheques, money orders) — often in amounts just below reporting thresholds for the instrument purchase itself. The pattern converts cash to negotiable instruments without the audit trail that a single large cash deposit and instrument purchase would create. Detection rule: pairing of sub-threshold cash deposits with sub-threshold instrument purchases within short time windows.

The customer's declared business does not generate the volume or type of cash being deposited. A consulting firm depositing $50,000 weekly in cash is structurally inconsistent with the declared model; a retail business depositing only round-number sub-threshold amounts when peer businesses deposit irregular amounts at varying levels is similarly inconsistent. Detection rule: cash activity exceeding profile-derived expected ranges, particularly where the deviation involves structured amounts.

Threshold-based reporting (CTR in the US, equivalent regimes elsewhere) is the regulatory baseline, not the detection ceiling. The reports identify transactions that did hit the threshold; the structuring control is about identifying transactions that were designed not to hit the threshold.

Several structural limitations of threshold reporting:

• It captures successful activity, not evaded activity. A customer who structures $50,000 across six $9,000 deposits triggers no CTR filings. The legitimate cash activity of a peer customer triggers a CTR filing. The reporting actively inverts the desired detection priority unless paired with structuring monitoring.
• Aggregation rules vary by regulator and across institutions. Some regimes require aggregation across branches by customer per day; some do not. Where the aggregation rule is narrow, sub-threshold same-day multi-branch activity escapes both CTR filing and basic structuring detection.
• No automatic visibility across institutions. Structuring across two institutions — $9,500 deposited at Bank A, $9,500 at Bank B, same day — produces no single-institution alert. Detection requires industry-level patterns that no single firm can see directly.
• Threshold proximity is not the only signal. Structuring may use thresholds well below the CTR limit if the customer's normal pattern is very low cash activity. A customer who normally deposits $200 in cash and starts depositing $4,500 weekly is structuring relative to their own baseline, not relative to the CTR threshold.

Mature programmes use threshold reporting as one input among several, with behavioural monitoring and counterparty-graph analysis closing the structural gaps.

Six failure patterns recur in structuring inspection findings:

• Rules calibrated only to the headline threshold. Detection looks for deposits in the $9,000–$9,999 band and misses any pattern below it. Sophisticated structuring uses lower amounts (often $4,500–$7,500) specifically to defeat this rule.
• No aggregation across branches. Each branch sees its own deposits; the customer's same-day multi-branch activity is invisible to single-branch monitoring. Modern systems aggregate across the institution by customer; legacy systems often do not.
• No customer-baseline awareness. Rules apply absolute thresholds across the customer base. The customer whose own pattern shifts dramatically does not trip rules calibrated to absolute amounts.
• Branch staff under-trained on behavioural cues. Customer-initiated structuring requests (asking teller to break deposit into multiple smaller ones) are direct evidence but only get flagged where staff are trained to recognise and report them.
• Smurfing detection absent. The detection works at the single-customer level but does not aggregate by counterparty-graph connection. Coordinated smurfing across multiple accounts escapes detection entirely.
• No SAR follow-through. Structuring detected, alert generated, case opened, but no SAR filed because the case did not meet the firm's internal threshold for filing. Regulators inspect filing decisions; under-filing relative to detected activity is itself a finding.