
What is a typology in AML?

Quick answer

A typology in AML is a documented pattern or method criminals use to move or hide illicit funds. FATF and FinCEN publish typology reports so compliance teams can recognize these behaviors in transaction monitoring and SAR investigations. Common examples include structuring, trade-based laundering, and shell company layering.

The full answer

A typology in AML is a documented criminal technique. It describes how money gets placed, moved, and integrated into the legitimate financial system. FATF coined the term and has published typology reports since 1990. In practice, "typology" and "money laundering method" mean the same thing.

Typologies are distinct from red flags. A red flag is a single indicator: a customer paying in large-denomination cash, no invoice, no explanation. A typology combines multiple behaviors into a recognizable pattern. The structuring typology involves repeated deposits just below domestic reporting thresholds, often across multiple branches, sometimes coordinated across several account holders working in concert.

FATF publishes an annual Methods and Trends report covering current typologies across its 39 member jurisdictions. The Egmont Group publishes case-based typologies drawn from actual SAR investigations filed by its 166 member financial intelligence units. FinCEN issues advisories that serve as US-specific typology guidance: the 2022 advisory on real estate, the 2023 update on virtual asset mixers, the standing advisory on human trafficking proceeds.

The six typologies that appear most often in US regulatory findings:

  1. Structuring: Deposits or withdrawals systematically sized to avoid Currency Transaction Report (CTR) thresholds. Federal law under 31 U.S.C. § 5324 makes structuring illegal regardless of whether the underlying funds are clean.
  2. Shell company layering: Moving funds through a chain of corporate entities, typically across multiple jurisdictions, to break the audit trail between criminal proceeds and the final recipient.
  3. Trade-based money laundering (TBML): Using import/export invoicing to disguise transfers as legitimate commercial payments, through over-invoicing, under-invoicing, or phantom shipments. FATF published a dedicated TBML report that most transaction monitoring teams now reference directly.
  4. Mule account networks: Funds are received by recruited or compromised account holders, then forwarded onward, severing the direct link between origin and destination. Detection relies on network analysis and velocity rules.
  5. Real estate layering: Illicit cash buys property; sale proceeds appear legitimate. FinCEN's Geographic Targeting Orders in New York, Miami, and Los Angeles explicitly address this typology.
  6. Virtual asset typologies: Mixing services, chain-hopping, peer-to-peer exchange networks. FATF's 2023 update to Recommendation 15 guidance addresses these specifically.

These aren't exhaustive. Typologies evolve as criminals adapt to detection. Procurement fraud, cyber-enabled fraud proceeds, and environmental crime proceeds each have documented patterns in sector-specific FATF reports.

Why this matters

Typology coverage is a direct exam focus. OCC examiners, Fed examiners, and FDIC examiners evaluate whether a bank's transaction monitoring scenarios cover the typologies relevant to its specific business model, customer segments, and geographies. A retail bank with significant cash-intensive customers that doesn't monitor for structuring has a gap. A correspondent bank without TBML detection scenarios has a different one.

Beyond detection scenarios, typologies drive three things in a well-run compliance program.

First, SAR narrative quality. An analyst who cites a specific typology writes a stronger SAR than one who writes "customer made several cash deposits." FinCEN reviewers understand typology language. It helps them route the SAR to the right law enforcement unit. How FinCEN defines suspicious activity is intentionally broad; typologies give that definition operational meaning.

Second, customer risk rating calibration. Customers whose business models are associated with specific typologies should carry higher base risk scores: cash-intensive businesses for structuring, freight forwarders for TBML, money service businesses for layering. Enhanced due diligence processes work better when they're built around the relevant typologies rather than generic checklists.

Third, false positive reduction. Many banks generate tens of thousands of alerts monthly, most of which are false positives. Tighter typology-based detection logic, rather than broad threshold rules, reduces noise. Banks that replaced blanket velocity rules with structuring-pattern detection (look-back windows, branch dispersion analysis, account linkage) consistently see alert volumes drop 40-60% while SAR conversion rates improve.
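The following sketch is an added example, not code from this page or from any vendor, showing how the three elements named above (look-back window, branch dispersion, account linkage) combine into one structuring scenario. The sample deposits, the linkage map, and the parameters `band`, `min_count`, `min_branches` and `lookback_days` are assumptions chosen for illustration; the $10,000 figure is the US CTR reporting threshold.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000  # US CTR applies to cash transactions over $10,000

# Constructed sample data: (date, account, branch, cash deposit amount)
DEPOSITS = [
    (date(2024, 3, 1), "A-100", "BR-01", 9_500),
    (date(2024, 3, 2), "A-101", "BR-02", 9_200),
    (date(2024, 3, 4), "A-100", "BR-03", 9_800),
    (date(2024, 3, 1), "B-200", "BR-01", 4_000),   # frequent but small deposits
    (date(2024, 3, 2), "B-200", "BR-01", 3_500),
    (date(2024, 3, 3), "B-200", "BR-01", 4_200),
    (date(2024, 3, 1), "C-300", "BR-02", 9_900),   # near threshold, weeks apart
    (date(2024, 3, 20), "C-300", "BR-02", 9_700),
]
# Constructed linkage: accounts resolved to one party (shared owner, address, ...)
LINKS = {"A-100": "party-A", "A-101": "party-A"}


def detect_structuring(deposits, links, lookback_days=7, band=0.85,
                       min_count=3, min_branches=2):
    """Return {party: alert} for linked parties whose near-threshold deposits
    cluster inside one look-back window and are spread across branches."""
    floor = CTR_THRESHOLD * band
    by_party = defaultdict(list)
    for day, account, branch, amount in deposits:
        if floor <= amount <= CTR_THRESHOLD:      # sized just under the CTR trigger
            by_party[links.get(account, account)].append((day, branch, amount))

    alerts = {}
    for party, rows in by_party.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            end = start + timedelta(days=lookback_days)
            window = [r for r in rows[i:] if r[0] < end]
            branches = {b for _, b, _ in window}
            total = sum(a for _, _, a in window)
            if (len(window) >= min_count and len(branches) >= min_branches
                    and total > CTR_THRESHOLD):
                alerts[party] = {"count": len(window), "total": total,
                                 "branches": sorted(branches), "from": start}
                break
    return alerts
```

Run against the constructed data, only the linked party A is flagged; with an empty linkage map the same deposits produce no alert, which is why account linkage matters for this typology.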

AI-powered transaction monitoring is most effective when it's built around typologies rather than static thresholds. Models trained on labeled typology patterns generalize better than rules tuned to historical transaction amounts.

Trade-based money laundering is worth calling out separately. It's among the most under-detected typologies in the industry, partly because it requires cross-departmental visibility spanning trade finance, commercial banking, and compliance, and partly because invoice manipulation is hard to spot without reference data on fair market prices.

Mule account detection is another typology area where banks consistently underinvest. The pattern is well-documented. The detection tooling has improved significantly in the last few years, but adoption lags the threat.
