Layering: How It Works, Red Flags, and How to Detect It

What is Layering?

Layering is the second of three stages in the money laundering process, in which a criminal moves illicit funds through a sequence of transactions designed to sever the audit trail connecting the money to its illegal origin. The three stages are placement (introducing dirty money into the financial system), layering (disguising the trail through transaction complexity), and integration (spending cleaned funds as apparent legitimate wealth).

Layering is the most technically complex stage for both the launderer and the investigator. The goal is distance: each transaction hop adds a layer of apparent legitimacy and makes tracing the original source progressively harder. Common techniques include rapid wire transfers across multiple jurisdictions, currency conversions, conversions between asset classes (cash to crypto, crypto to real estate, real estate back to cash), shell company chains, nominee directors, and the use of trade finance instruments to obscure fund flows. It frequently intersects with smurfing and structuring at the placement stage, and with trade-based money laundering as funds approach integration.

The FATF has identified layering as one of the most prevalent techniques in significant money laundering cases globally. The UN Office on Drugs and Crime estimated in 2011 that between $800 billion and $2 trillion is laundered annually, roughly 2-5% of global GDP. A substantial share of that moves through layering structures. The pattern appears across traditional banking, fintech platforms, and crypto exchanges, and its mechanics have remained broadly stable even as the specific tools have changed.

How does Layering work?

The mechanics follow a consistent logic even when the specific instruments vary. The launderer starts with funds already inside the financial system, placed there via cash deposits, money mule networks, or other methods, and then moves them repeatedly to create confusion about their origin.

A typical sequence:

1. Funds in a domestic bank account are wired to a foreign account at a low-disclosure jurisdiction institution.
2. That account converts the funds to a different currency and transfers to a second foreign institution.
3. The second institution purchases cryptocurrency and transfers to a self-hosted wallet.
4. The crypto is converted via a cryptocurrency mixer or through chain hopping to a different token type.
5. The converted crypto is sold at a separate exchange for fiat, deposited into a third-country account.
6. That account wires the funds back to the originating jurisdiction labeled as an "investment return" or "loan repayment."

Illustrative scenario: A drug trafficking network places $2 million in cash through a network of retail businesses. The proceeds are wired from a US business account to a Hong Kong shell company, converted to euros, wired to a Latvian bank, used to purchase bitcoin, converted through a mixer to Monero, reconverted to bitcoin, sold at a European exchange for euros, and finally wired to a Dubai holding company as an "investment return." By step six, the funds appear to originate from legitimate overseas investment. Each individual step is defensible in isolation; the chain is not.

Layering frequently combines with structuring to stay below reporting thresholds at each node, and it overlaps significantly with nested correspondent laundering when the scheme exploits correspondent banking relationships to move funds across borders with minimal documentation.

Red flags and indicators

Transaction-level signals

• Rapid sequential transfers with no business purpose, sometimes within minutes of receiving funds
• Multiple transactions just below reporting thresholds (structuring indicators)
• Currency conversion at a loss, immediately followed by re-conversion
• Wire transfers to high-risk jurisdictions within 48 hours of receiving funds
• Transactions that reverse: funds sent out return via a different route at near-identical value
• Round-dollar wires with no supporting invoice or commercial relationship

Account-level signals

• Account opened, used intensively for pass-through transfers, then dormant within 60-90 days
• No income source consistent with transaction volume
• Multiple accounts at the same institution all forwarding funds to a single final destination
• Negligible net balance change despite high gross transaction volume

Network-level signals

• Graph analysis reveals hub-and-spoke or chain structures across otherwise unrelated entities
• Same device ID linked to accounts at multiple institutions transacting with each other
• Shell company chains across three or more jurisdictions, each adding a single pass-through hop
• Funds entering crypto, converting to a privacy coin, then re-entering fiat through a separate exchange

Behavioral signals

• Customer cannot explain the business purpose of a wire when asked
• Customer asks whether a transaction will trigger a Suspicious Activity Report
• Sudden change in transaction behavior following a news event about law enforcement activity
• Transaction timing requested close of business on a Friday or before a public holiday

Notable real-world cases

Deutsche Bank mirror trading, FCA fine (2017). Deutsche Bank's Moscow and London branches facilitated the movement of approximately $10 billion out of Russia through a mirror trading operation. Clients purchased Russian securities in rubles through the Moscow office, while a related party simultaneously sold the same securities in London for dollars. The mechanics were a textbook layering sequence: each leg of the trade appeared legitimate, but together they converted rubles to dollars and moved the funds offshore. The FCA fined Deutsche Bank £163 million for serious AML control failures. The FCA final notice sets out the full pattern.

Wachovia / Sinaloa Cartel deferred prosecution (2010). US prosecutors found that $378 billion of drug money had moved through Wachovia's correspondent banking operation via Mexican casas de cambio between 2004 and 2007. Funds were layered through wire transfers and bulk cash shipments across multiple account hops before entering the US financial system. Wachovia paid $160 million to avoid prosecution. The case remains one of the largest AML enforcement actions in US banking history.

Danske Bank Estonia (2022). An estimated €200 billion in suspicious transactions moved through Danske Bank's Estonian branch between 2007 and 2015, primarily from Russia, Moldova, and Azerbaijan. The branch was used as a layering node: funds entered via shell companies, transferred across multiple internal accounts, and exited to Western European banks. In December 2022, Danske Bank pleaded guilty to fraud and agreed to pay $2 billion. The DOJ press release documents the layering mechanics in detail.

FATF typology guidance. The FATF's published Money Laundering and Terrorist Financing typologies document recurring layering patterns across sectors, including real estate, virtual assets, and trade finance, providing compliance teams with a practical reference for red-flag calibration.

How to detect Layering

Rule-based detection is the starting point. Velocity rules that trigger when an account sends more than a defined number of outbound wires within 24 hours, or when a debit is followed by a credit of identical value within two hours, catch the most common patterns. Threshold alerting for transactions just below regulatory reporting limits adds a structuring filter on top.

Behavioral analytics extends coverage meaningfully. By building a statistical baseline for each customer segment, the system flags accounts where current behavior sits well outside the expected range even when no individual transaction breaches a rule. An account that normally processes $5,000 per month and suddenly handles $500,000 in wire transfers in a week is anomalous relative to its peer group, regardless of whether any single transaction triggers an alert.

Graph-based network analysis is the most effective technique for multi-hop layering. When the same dollar value (or a consistent fraction of it) appears at node A, then B, then C within a compressed timeframe, graph traversal algorithms surface the chain even when the accounts appear unrelated in isolation. Community detection identifies clusters of accounts with no apparent commercial relationship that transact primarily with each other. This approach is particularly effective because layering networks, including money mule networks used to move funds across accounts, tend to reuse infrastructure across multiple schemes.

Cross-channel signal correlation ties together events from digital banking, branch activity, and correspondent flows. A branch cash deposit, an online wire, and a crypto purchase at three different institutions can form a coherent layering sequence when correlated by entity, timing, and amount.

Retroactive network analysis on SAR-linked accounts is a practical operational improvement: identifying one confirmed node in a layering chain frequently surfaces several adjacent ones.

Which regulations cover Layering

The Bank Secrecy Act (BSA, 31 U.S.C. § 5311 et seq.) requires US financial institutions to file Suspicious Activity Reports for transactions that appear to involve layering, and mandates AML programs capable of detecting it. FinCEN enforces the BSA and publishes typology-specific advisories that institutions are expected to incorporate into their monitoring programs.

The EU's 6th Anti-Money Laundering Directive (6AMLD, effective June 2021) criminalized layering as a standalone predicate offence and extended criminal liability to legal persons. Predecessor directives (4AMLD, 5AMLD) established the transaction monitoring and customer due diligence obligations that underpin detection.

The FATF 40 Recommendations, specifically Recommendations 10 (customer due diligence), 20 (reporting of suspicious transactions), and 29 (financial intelligence units), set the international standard. Jurisdictions are assessed against these recommendations in mutual evaluation rounds, and weak layering detection is a recurring finding in lower-rated countries.

In the UK, the Proceeds of Crime Act 2002 (POCA) criminalizes layering under sections 327-329 (the principal money laundering offences) and requires SAR submission via the National Crime Agency's UKFIU. The FCA's SYSC sourcebook requires firms to maintain systems capable of detecting suspicious activity, with layering explicitly in scope.

How FluxForce detects Layering

Aiden Flux, FluxForce's transaction monitoring agent, runs real-time behavioral analytics and velocity checks against every wire and payment event. When a multi-hop transfer pattern surfaces, Nova Sentinel runs network graph analysis across the connected accounts to map the full chain, not just the triggering transaction.

Both agents produce a complete evidence package for every alert: a transaction timeline, the network graph, and a draft SAR narrative ready for analyst review. We've seen compliance teams cut SAR drafting time from hours to minutes using this workflow. This adds a small amount of processing overhead per alert, but the accuracy gain and the reduction in false positives make it the right trade.

If you want to see how this works against a live layering scenario, request a demo.