While money laundering can get caught in the act of placement or be prosecuted for its integration, the true test of money laundering comes in the form of layering. It is in this stage that money laundering succeeds or fails, and it is where most compliance programs fall short.
Layering is a different story. By the time funds reach the layering stage, the money has already been introduced into the financial system. The only problem the launderer has left to solve is one of distance: the launderer must put a sufficient number of transactions, entities, jurisdictions, and time between the money being cleaned and its original source. While the launderer is attempting to keep enough distance between the “legitimate” end of the transaction and the “dirty” origin, the true goal is to add enough complexity to the transaction chain to destroy the audit trail. The tools available to the launderer for doing so have never been more varied or more easily accessible.
Detecting layering requires a completely different approach from typical Anti-Money Laundering (AML) practice, which monitors single transactions or, at most, analyzes all transactions of a single customer. A compliance team monitoring transactions on a country-by-country basis will easily be fooled by money launderers who use layering schemes that spread transactions across different countries in order to conceal the flow of dirty money.
The following topics are going to be covered in this article:
- What Is Layering, and Why Is It the Hardest Stage to Detect?
- Common Layering Patterns
- The Danske Bank Case
- Detection Signals for Layering
- The Network Analysis Imperative
- Crypto Layering
- The 'Information Gap' Problem
- Regulatory Expectations on Layering Detection
- Common Detection Failures
1. What Is Layering, and Why Is It the Hardest Stage to Detect?
Layering is a technique used in money laundering that involves the creation of a complex web of transactions to conceal the origin of illicit funds. This process includes moving the funds through multiple accounts and transactions, often in different jurisdictions, to make it difficult to trace the source of the funds. The use of shell companies, offshore accounts, and complex financial instruments is also common to achieve this purpose.
Layering sits between the end of the placement stage and the beginning of the integration stage of money laundering. This is where the real work of money laundering is done: a criminal who already controls a foothold in the financial system tries to make the origin of the funds as untraceable as possible before he ‘washes’ them and withdraws them into the legitimate economy.
What makes layering so hard to detect is its goal: obscuring the origin of funds behind chains of transactions, entities and jurisdictions. Placement activities often create a distinctive entry point into the financial system: cash deposits, cash-intensive transactions, structured transactions or unusual account openings, for instance. Integration activities, on the other hand, create real and fictitious paper trails such as property titles, investment portfolios, business records and income statements. Layering activities, by contrast, mostly create noise: the longer the transaction chain and the more entities and jurisdictions involved, the more likely it is that in the end it becomes impossible to even ask where the money came from in the first place.
The detection of layering is key to any effective AML program. If a program can detect layering, then integration into the legitimate use of the financial system will never occur. If a program fails to detect layering, then funds that have been laundered will emerge from the financial system clean.
2. Common Layering Patterns
Layering does not follow a fixed script. Even the most sophisticated schemes will employ a number of techniques in parallel to create a complex transaction trail that no single party is able to follow in its entirety.
Cross-border wire transfer chains: These chains cross borders and jurisdictions, move rapidly, use correspondent banking relationships and exploit differences in the speed of governance. The funds move through 3-5 accounts in 3-5 countries in a matter of hours and are tracked by manual review for only a short period of time.
Shell company circulation: Money is moved through a series of companies with no real economic activity, and the beneficial owner is not disclosed at every step.
FX conversion sequences: Funds are passed through a series of currency exchanges, with intermediaries splitting the transfer across different currencies, so that each conversion starts a new transaction chain.
Crypto bridge (or relay) layering: Funds held in Bitcoin and other cryptocurrencies are moved between different blockchains via so-called crypto bridge services and then converted back to fiat money. Cross-chain transfers are done in a way that does not leave a trace on the blockchain; this type of layering is covered in more detail in the section on crypto transaction monitoring.
Trade-based money laundering: This is carried out by manipulating import and export documentation. This can involve over-invoicing or under-invoicing of goods, creating phantom shipments, or even multiple invoices for the same shipment. More information on this laundering method can be found in this article by Sanction Scanner.
Round-trip transactions: These are transactions where funds leave an account and then return to the same account, or to the same beneficial owner or legal entity, through a number of intermediary accounts. There is no logical or economic reason for such transactions to occur, whereas there is a money laundering reason.
Smurfing: This type of layering is created by a network of individuals (smurfs) who all together structure a large amount of money in a series of sub-threshold cash transactions, each below the reporting thresholds, through separate accounts or even individuals. All these cash transactions in isolation are not suspicious enough to generate an alert. However, the network as a whole forms a suspicious pattern that can be revealed by the monitoring system.
3. The Danske Bank Case Study
No case has highlighted layering failures at an institutional scale more than the activities of the Estonian branch of Danske Bank. Between 2007 and 2015 some €200 billion were moved through the bank’s non-resident portfolio, primarily managed for customers from high-risk post-Soviet countries, including Russia.
Danske Estonia’s Non-Resident Portfolio consisted of customer accounts held in the names of UK limited liability partnerships and limited partnerships. These were ‘paper-shells’ with no genuine economic function, established solely to conceal the true beneficial owner. Funds were introduced into these accounts from Russia and other high-risk post-Soviet jurisdictions and then transferred through the correspondent banking relationships of major U.S. banks and dispersed to accounts around the world.
Multiple failures cumulatively caused the massive amount of suspicious activity to go undetected. Although a manual AML process was used at the Estonian branch, customers were misrepresented in their files, which contained only a fraction of the information that the relationship managers actually knew about them. In addition, internal audits raised several alerts that management did not follow up on. The major correspondents also did not have a complete view of all of the activity flowing through the bank’s various locations; they only saw their own portion of the transactions. Finally, the bank had assured the correspondents that activity was being monitored automatically when in reality it was being reviewed manually by the relationship managers in Estonia.
The end result was that the non-resident portfolio generated in excess of 50% of the profits of the Estonia branch of Danske Bank, while the majority of the transactions going through the portfolio were found to be suspicious upon investigation by the regulators, whistleblowers and the US Department of Justice. The final penalties imposed would exceed $2 billion.
For detailed information on other major banking scandals, you can take a look at this article.
4. Detection Signals for Layering
Layering leaves some “footprints”, but only appropriate systems can detect them.
Transaction graph analysis: This checks the counterparty network density of a customer, meaning the number of entities a customer is connected to and how these other entities are connected to each other. A very dense network, or one that is rapidly increasing in size and including newly registered entities, is indicative of a scheme using constructed infrastructure to layer funds.
Velocity of money at the counterparty level: This is how fast money moves through a particular node in a network. Legitimate business accounts typically have money coming in and going out, but over time the amount in the account will typically increase. Layering accounts are ‘through’ accounts: money comes in and goes out quickly with little time in between.
A round-trip indicator is also a key sign of layering. This is where money is moved into and out of an account or a number of accounts (directly or via a series of intermediaries) and returned to the original account or beneficial owner of the account. There is no valid commercial reason for money to be returned to the originator of funds on a consistent basis.
High-risk corridors: These are routes by which large amounts of money are moved through countries which have poor AML laws, are not transparent and are typically used for money laundering. This would typically include funds moving from one location to another through a variety of intermediaries, regardless of the stated reason for such transactions.
The biggest indicator of layering behavior is often the simplest to spot: Inconsistency with the stated purpose of the entity. For example, a consulting company with apparently no clients to pay; a trading company with transaction volume far in excess of any plausible legitimate business activity; an entity that was incorporated last month and is suddenly moving millions: These and similar behaviors are so far removed from normal business activity as to be obvious.
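The velocity and round-trip signals described above can be computed directly from a transaction ledger. The following is an added example, not taken from the original article or any vendor product; the ledger, account names, the 24-hour dwell window and the 90% forwarding ratio are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (timestamp, source account, destination account, amount)
TXS = [
    ("2024-03-01T09:00", "A", "B", 100_000),
    ("2024-03-01T11:30", "B", "C", 98_500),
    ("2024-03-01T15:10", "C", "D", 97_000),
    ("2024-03-02T08:45", "D", "A", 95_500),  # funds return to the originator
    ("2024-03-01T10:00", "E", "F", 40_000),  # ordinary payment, funds stay put
    ("2024-03-09T10:00", "F", "G", 5_000),
]

def parse(txs):
    """Convert timestamps and return the ledger in chronological order."""
    return sorted((datetime.fromisoformat(t), s, d, a) for t, s, d, a in txs)

def pass_through_accounts(txs, max_dwell=timedelta(hours=24), min_ratio=0.9):
    """Accounts that forward at least min_ratio of an inbound amount within max_dwell."""
    rows = parse(txs)
    flagged = set()
    for t_in, _, acct, amt_in in rows:
        out = sum(a for t, s, _, a in rows if s == acct and t_in < t <= t_in + max_dwell)
        if out >= min_ratio * amt_in:
            flagged.add(acct)
    return flagged

def round_trips(txs, max_hops=5):
    """Time-ordered paths that leave an account and return to it within max_hops transfers."""
    out_edges = defaultdict(list)
    for t, s, d, _ in parse(txs):
        out_edges[s].append((t, d))
    cycles = []

    def walk(origin, node, t_last, path):
        for t, nxt in out_edges[node]:
            if t <= t_last:
                continue  # money cannot be forwarded before it arrives
            if nxt == origin:
                cycles.append(path + [nxt])
            elif nxt not in path and len(path) < max_hops:
                walk(origin, nxt, t, path + [nxt])

    for origin in list(out_edges):
        walk(origin, origin, datetime.min, [origin])
    return cycles
```

Neither check inspects a single transaction in isolation: each of the four transfers in the constructed cycle looks like an ordinary payment until the path is followed across accounts.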
5. The Network Analysis Imperative
Transaction-level monitoring can detect transactions that are suspicious, and customer-level monitoring can even detect customers who are suspicious, but neither can detect layering.
Layering is a network phenomenon. A layering scheme, by design, disperses evidence of suspicious behavior across several accounts, entities and even institutions. Monitoring single nodes of the network on a transaction-by-transaction basis cannot show the full extent of the behavior; only entity resolution and graph-based monitoring of the full network of money transfers can.
This is the core limitation of rule-based, per-transaction monitoring: it was not designed for the problem it's being asked to solve. The Danske Bank case is partly a story about exactly this failure: no single institution saw enough of the transaction network to understand what was happening. Each saw a fragment; the full picture required assembling those fragments across institutions that weren’t sharing data.
On the other hand, a network-level approach, which can use account linking by means of entity resolution and behavior patterns, is the only way to discover layering.
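Account linking by entity resolution can be illustrated with the smurfing pattern from the layering patterns section. This is an added example, not code from the article or from any monitoring product; the KYC fields, account data and the 10,000 reporting threshold are constructed assumptions, and linking on exact identifier matches is a deliberate simplification.

```python
from collections import defaultdict

REPORTING_THRESHOLD = 10_000  # assumed cash reporting threshold for this example

# Constructed KYC records: account -> identifiers captured at onboarding
ACCOUNTS = {
    "acc1": {"phone": "555-0101", "device": "dev-a"},
    "acc2": {"phone": "555-0102", "device": "dev-a"},  # shares a device with acc1
    "acc3": {"phone": "555-0102", "device": "dev-b"},  # shares a phone with acc2
    "acc4": {"phone": "555-0199", "device": "dev-z"},  # unrelated customer
}
# Constructed cash deposits within one monitoring window: (account, amount)
DEPOSITS = [("acc1", 9_000), ("acc2", 8_500), ("acc3", 9_400), ("acc4", 3_000)]

def resolve_entities(accounts):
    """Union-find: accounts sharing any identifier value end up in one cluster."""
    parent = {a: a for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    seen = {}  # (field, value) -> first account seen with that identifier
    for acct, ids in accounts.items():
        for key in ids.items():
            if key in seen:
                parent[find(acct)] = find(seen[key])
            else:
                seen[key] = acct
    clusters = defaultdict(set)
    for a in accounts:
        clusters[find(a)].add(a)
    return list(clusters.values())

def structuring_alerts(accounts, deposits, threshold=REPORTING_THRESHOLD):
    """Clusters whose deposits are each sub-threshold but jointly reach the threshold."""
    totals, largest = defaultdict(int), defaultdict(int)
    for acct, amt in deposits:
        totals[acct] += amt
        largest[acct] = max(largest[acct], amt)
    alerts = []
    for cluster in resolve_entities(accounts):
        total = sum(totals[a] for a in cluster)
        sub_threshold = all(largest[a] < threshold for a in cluster)
        if len(cluster) > 1 and total >= threshold and sub_threshold:
            alerts.append((sorted(cluster), total))
    return alerts
```

No account in the constructed data crosses the threshold on its own, so per-customer rules stay silent; the alert only appears once acc1, acc2 and acc3 are resolved into one entity.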
6. Crypto Layering
Layering in the cryptocurrency space has given rise to a host of techniques that are not yet observable by traditional financial institution monitoring.
So how do people create layers of distance and obscurity in transactions? First, there are “bridge protocols” that allow assets to be moved from one blockchain to another, creating a huge gap in the on-chain trail. Next, people “DEX hop”, or trade on many different decentralized exchanges within the same blockchain, making the transactions very hard to follow within that one chain. Then there are privacy coins, like Monero, that are created to be completely opaque. After that, there are “mixers” and “tumblers”, which combine money from many different sources and then disperse that money to a long list of “exit addresses”. These “exit addresses” are the only ones that can withdraw money, and since they were all created from different inputs, there is no way to follow the money back to the original source.
The underlying principle of these new cash flow manipulation methods is the same as for traditional cash layering: Creating distance and obscurity. However, there is a significant difference: Crypto cash flow manipulation is fast, inexpensive and does not require any financial institutions or corresponding infrastructure.
On-chain analytics have to be integrated into the transaction monitoring framework used by compliance departments and should not be treated as a separate function.
7. The 'Information Gap' Problem
Layering succeeds precisely because it exploits structural gaps in payment systems, across jurisdictions, between financial institutions, and within regulatory regimes. A wire payment routed through the correspondent accounts of three different banks in three countries in turn generates three partial views of that same transaction and each of these views is held by a different financial institution that has no obligation to and indeed no facility for sharing that information with the others.
Compliance teams are further operating in the dark, as they have to triangulate fragmented information in order to get a complete picture of a financial transaction. On the basis of the information that is available to them, they have to draw conclusions as to the network structure of a financial transaction. In addition, they have to make SAR filing decisions on the basis of their incomplete information.
This is not a problem specific to individual compliance programs. It is a structural property of global finance and thus a problem that effective layering detection has to recognize and work with. The specific challenges therefore are to set proper thresholds for a partly observed data set, to escalate rapidly on observation of high-risk corridor patterns, and to treat absence of information as a risk in itself.
8. Regulatory Expectations on Layering Detection
The various frameworks for transaction monitoring put into place by the regulators of individual jurisdictions have developed into increasingly detailed specifications for the detection of so-called layering patterns. A summary of the key frameworks is provided below.
| Framework | Key Requirement Relevant to Layering Detection |
| --- | --- |
| FATF Rec. 10 | CDD must include understanding of transaction purpose; anomalies inconsistent with stated business must trigger review |
| FATF Rec. 20 | Suspicious transaction reports (STRs) required when layering indicators are present, regardless of transaction size |
| EU 6AMLD | Expanded predicate offences; stricter cross-border cooperation; interconnected beneficial ownership registries |
| FinCEN (U.S.) | Cross-border monitoring expectations; AI-based risk assessment increasingly referenced in guidance; real-time monitoring emphasis |
| UK NCA / SAR regime | Consent SARs required when layering suspected; failure to report where red flags exist creates criminal liability |

Regulators continue to move in the direction of requiring financial institutions to ‘look beyond individual transactions’ and, more importantly, to ‘identify potential links between customers’. Moreover, financial institutions will need to ensure that the monitoring that they carry out is ‘proportional and adequate’ to the sophistication of layering techniques that are under their purview.
9. Common Detection Failures
The vast majority of undetected layering can be traced to relatively straightforward causes that can be addressed with the right combination of data, behavioral analysis, and transactional context.
The core error is treating every transaction in isolation. Layering is spread across transactions and therefore cannot be found by viewing each transaction one by one.
Missing connections between alerts for different customers: Individual alerts may be raised, but smurfing networks, round-trip schemes involving multiple account holders and similar structures remain undetected because they form a pattern that never gets resolved into a single picture. Alerts get filed away in silos for individual customers.
Lack of sufficient quality of counterparty data: Without sufficient information about the counterparty, compliance teams have no way of gauging the quality of the network their customers are conducting transactions in and therefore cannot make informed decisions.
Stale customer risk scores fail to capture behavioral changes over time. A customer who was on-boarded as low risk 2 years ago is likely to become a layering conduit today. Using static risk profiles to evaluate suspicious behavior is insufficient.
