Table of Contents
- Chapter 1: Introduction & Chapter Overview
- Chapter 2: Rationale for an Expanded Kill-Chain
- Chapter 3: Detailed Kill-Chain Tactics
- Chapter 4: Techniques, Subtechniques & Indicators
- Chapter 5: Positioning Typologies within AMLTRIX
- Chapter 6: Possible Contradictions & Critiques from the Industry
- Chapter 7: Conclusion & Future Directions
Chapter 1: Introduction & Chapter Overview
Money laundering (ML) sits at the nexus of criminal enterprise and the legitimate financial world, exploiting regulatory blind spots, weak enforcement, and creative accounting maneuvers to conceal and move illicit funds. While the Placement–Layering–Integration (PLI) model has long dominated AML guidance—from major standards bodies like FATF to national regulations—contemporary laundering threats increasingly go beyond these three phases. AMLTRIX, an adversarial kill-chain framework, aims to fill these gaps by detailing eight distinct tactics criminals use, each with associated techniques and optional subtechniques.
1.1 Purpose and Goals
This chapter lays out why AMLTRIX departs from the traditional three-phase model, how it benefits from an offense-first perspective, and what to expect from an eight-tactic kill-chain. A high-level roadmap includes:
- The fundamental limitations of the PLI paradigm.
- The broader set of adversarial stages AMLTRIX identifies—encompassing early infiltration, ongoing operational secrecy, and post-integration asset management.
- How tactics, techniques, and subtechniques in AMLTRIX map to real-world ML scenarios.
- Potential industry critiques, including whether this expanded kill-chain is “too complex” or “beyond daily AML scope.”
Ultimately, this approach is not about replacing or negating the classic PLI steps; it is about unpacking each step to detail the sub-stages and adversarial maneuvers that criminals actually employ. AMLTRIX remains modular—institutions comfortable with the simpler PLI model can continue using it while selectively adopting the new kill-chain insights.
1.2 Context: AMLTRIX in Beta
As of its initial Beta release, AMLTRIX is an evolving knowledge graph designed to unify AML knowledge—spanning everything from high-level risk categories to granular adversarial techniques. By providing this expanded kill-chain methodology, AMLTRIX encourages feedback from:
- Financial institutions (FIs) and vendors seeking advanced detection logic.
- Regulators and oversight bodies wanting deeper visibility into new laundering tactics.
- Academic and research communities offering further validation or alternative perspectives.
It is anticipated that some stages or tactics may be refined—or that certain sections (e.g., “Illicit Acquisition”) might be separated out if institutions find them less relevant for everyday AML operations. This open development approach welcomes suggestions and real-case validations.
1.3 Chapter Layout
- Chapter 1 (this chapter): Introduces AMLTRIX’s kill-chain mindset, clarifies the purpose, scope, Beta status, and previews the entire content.
- Chapter 2: Explores the rationale behind expanding beyond the Placement–Layering–Integration (PLI) model, highlighting its limitations and the benefits of an adversarial approach.
- Chapter 3: Presents detailed explanations of each of AMLTRIX’s eight tactics, distinguishing them from the traditional three-phase model.
- Chapter 4: Defines techniques and optional subtechniques within AMLTRIX, along with associated indicators (red flags).
- Chapter 5: Positions typologies alongside the technique-based approach, explaining how they can coexist or be optionally integrated.
- Chapter 6: Addresses contradictions and critiques the expanded kill-chain may face and provides potential resolutions.
- Chapter 7: Concludes the Beta release by discussing future directions—feedback mechanisms, expansions, and deeper defensive mappings.
Chapter 2: Rationale for an Expanded Kill-Chain
The conventional money laundering storyline—Placement, Layering, Integration—offers a powerful simplification that has guided AML policy for decades. It helps novices grasp how criminals introduce illicit funds, obscure them, then blend them back into the legitimate economy. However, over the years, criminal networks have devised more sophisticated routes that don’t always fall neatly into these three boxes. Chapter 2 unpacks the core shortcomings of PLI as an explanatory or actionable model and explains why AMLTRIX adds extra tactics, providing a deeper view of how criminals adapt across the laundering lifecycle.
2.1 Shortcomings of the Three-Phase Model
2.1.1 Underestimating Preliminary Actions
In many real-world cases, criminals lay significant groundwork well before what is typically considered “placement.” For example:
- Establishing infiltration channels (access facilitation) or forging relationships with complicit professionals.
- Creating or purchasing shell companies (concealment structures) far in advance of receiving illicit funds.
The PLI lens might implicitly bundle these activities under “placement,” but doing so hides how criminals systematically prepare to circumvent or co-opt compliance checks. AMLTRIX addresses this by designating Access Facilitation and Concealment Mechanisms as separate tactics, giving institutions clearer vantage points to detect infiltration patterns or suspicious corporate formations.
2.1.2 Missing Cross-Cutting Operational Measures
Criminals do not wait until layering to secure themselves from detection; instead, they employ operational security measures (compartmentalized tasks, cunning transfer timing, rotating bank accounts) throughout all phases of laundering. The PLI approach lumps these maneuvers into a broad “layering” stage—or sometimes ignores them entirely. By contrast, Operational Evasion in AMLTRIX stands out as a cross-cutting tactic that criminals apply from the moment they decide to launder money until they finalize asset protection or further reinvestment.
2.1.3 Limited Post-Integration Nuance
“Integration” traditionally marks the “end” of laundering, where criminals merge funds into legitimate ventures. But in reality, criminals may:
- Persistently re-layer or re-locate assets if threatened (re-laundering or re-placement).
- Take steps to hide or “firewall” their wealth from legal confiscation, akin to advanced Asset Protection.
The three-phase model often overlooks these iterative or cyclical behaviors, leaving AML programs unprepared for criminals who continue to transform or reposition funds. AMLTRIX addresses this gap with an Asset Protection tactic that clarifies how launderers proactively shield wealth from future crackdowns.
2.2 Why an Adversarial Perspective?
2.2.1 Offense-First, Defense-Second
Traditional AML efforts often highlight compliance obligations—KYC, transaction monitoring, staff training—without systematically mapping the adversary’s approach to circumvent them. Adopting a perspective akin to MITRE ATT&CK® (from cybersecurity) ensures that each criminal tactic is matched with techniques that defenders can watch for or disrupt. It inverts the question from “How can we comply with regulations?” to “What are criminals doing, and how do we stop them?”
2.2.2 Granularity Leads to Better Countermeasures
By enumerating eight or more laundering tactics, it becomes possible to align mitigations—such as advanced beneficial ownership checks, infiltration detection, or specialized staff training—more precisely with the specific stage they target. A single “placement” bucket is too broad to design nuanced defenses. An adversarial kill-chain approach fosters clarity: each objective criminals pursue triggers distinct red flags, data sources, and detection logic.
2.3 AMLTRIX’s Eight Tactics: A Brief Recap
Illicit Acquisition
- Aggregating or re-generating illicit capital from predicate offenses (fraud, corruption, narcotics).
- Typically outside direct AML detection but relevant for partial signals or re-investment loops.
Concealment Mechanisms
- Forming corporate or legal covers (shells, nominee directors, complex trusts).
- Distinct from layering, as it focuses on building or deploying those covers well before large-scale transactions.
Operational Evasion
- Continuous operational security: cunning scheduling, compartmentalized tasks, minimal footprints.
- Cross-cuts all phases, ensuring criminals remain agile in response to potential detection.
Access Facilitation
- Gaining entry points into the financial system, forging relationships with complicit intermediaries.
- Precedes true “placement” by ensuring reliable deposit or transfer channels are in place.
Placement, Layering, Integration
- Recognizable to mainstream AML, but with greater nuance under AMLTRIX (techniques are more granular, and ties to the other new tactics are highlighted).
Asset Protection
- Securing laundered or partially laundered funds from confiscation or future detection (re-locating, re-laundering, or diversifying holdings for agility).
2.4 Balancing Simplicity vs. Detail
2.4.1 Is This Overkill?
Some institutions may worry that naming so many tactics complicates staff training or confuses existing systems that revolve around PLI. AMLTRIX anticipates these concerns and offers a modular approach:
- It remains entirely feasible to continue referencing “placement, layering, integration” at a high level.
- Meanwhile, advanced investigative teams or special units can track events such as “access facilitation” or “operational evasion” in more detail to refine detection triggers or forensic analyses.
2.4.2 Beta Status and Community Feedback
Because AMLTRIX is in an early release phase, adjustments remain on the table. If the industry finds certain tactics (e.g., “Illicit Acquisition”) unhelpful, they can be downplayed—or replaced with more direct references to recognized red flags. Conversely, if feedback suggests merging “Asset Protection” back into “Integration,” that too could evolve. The goal is to surface all steps criminals actually perform, then refine or re-label as best suits institutional practice.
2.5 Implications for AML Programs
- Enhanced Coverage: By expanding beyond PLI, compliance teams can identify infiltration (Access Facilitation) or suspicious corporate setups (Concealment Mechanisms) that might otherwise pass under the radar.
- Adaptive Monitoring: Operational Evasion as a recognized stage encourages continuous pattern tracking (e.g., unusual shifting of funds, ephemeral accounts).
- Forward-Looking: Asset Protection underscores that criminals remain active after so-called “integration,” prompting ongoing vigilance rather than a one-time check.
2.6 Conclusion & Preview of Next Steps
The impetus for a kill-chain approach in AMLTRIX stems from real-world complexity. Laundering is seldom linear or limited to three tidy phases; criminals meticulously plan infiltration, hide behind complex entities, continuously evade detection, and adapt liquidity or ownership structures to remain safe. By enumerating these hidden or ancillary steps, AMLTRIX aligns defense strategies more closely with adversarial reality.
- Chapter 3 will describe each of the eight tactics in more detail—complete with examples, typical red flags, and suggestions for detection logic.
- Chapter 4 moves into techniques and subtechniques, showing how criminals operationalize each tactic.
- Later sections address how these adversarial building blocks link to data sources, risk types, mitigations, and how they might interoperate with more traditional AML typologies.
By adopting this expanded kill-chain, practitioners can preempt infiltration, track day-to-day evasions, and hamper criminals’ attempts to secure their gains over the long run. This adversarial vantage point offers an actionable alternative (or supplement) to the standard PLI matrix, one that invites continuous evolution through industry engagement and real-world testing.
Chapter 3: Detailed Kill-Chain Tactics
Following the rationale for why AMLTRIX expands beyond the three-phase (placement–layering–integration) model, this chapter explores each of the eight kill-chain tactics in detail:
- Illicit Acquisition
- Concealment Mechanisms
- Operational Evasion
- Access Facilitation
- Placement
- Layering
- Integration
- Asset Protection
These tactics outline the adversarial objectives launderers pursue—from generating criminal proceeds to safeguarding them after partial or full integration. Unlike the standard three-step view, AMLTRIX breaks down each sub-stage criminals traverse—shedding light on infiltration, deception, real-time stealth, and post-integration security.
3.1 Illicit Acquisition
Definition
Criminals generate or accumulate funds via predicate offenses (e.g., fraud, cybercrime, corruption, drug trafficking). Often, they reinvest these proceeds to sustain or expand criminal operations, perpetuating an ongoing cycle of illicit gain and laundering.
Key Points
- Upstream Insight: Though many financial institutions (FIs) do not directly detect the predicate crime, anomalies or red flags (e.g., suspicious e-commerce activity) can hint at unlawful sources.
- Reinvestment Loop: Funds can loop back into new or existing criminal ventures, quickly generating fresh suspicious capital.
- Reductionist: Rather than enumerating every possible offense, AMLTRIX lumps all predicates under “Illicit Acquisition,” acknowledging that real-world usage might demand deeper offense-specific models or kill-chains.
3.2 Concealment Mechanisms
Definition
Criminals build or use corporate, legal, or organizational structures—shell companies, nominee layers, complex trusts—to camouflage the true origin and ownership of illegal wealth. These “facades” may be in place long before major transactions occur.
Key Points
- Preparing the Ground: Setting up these entities can precede the actual movement of criminal proceeds.
- Distinct from Layering: Concealment focuses on forging organizational cover rather than multi-step financial transfers.
- Detection Approach: Watch for questionable beneficial ownership disclosures, suspiciously intricate corporate forms, or unexplained nominee relationships.
3.3 Operational Evasion
Definition
An ongoing tactic where criminals deploy operational security measures to remain undetected—such as compartmentalizing tasks, rotating channels or accounts, adjusting timing, and monitoring investigative pressure in real time.
Key Points
- Cross-Cutting: Operational evasion extends across all laundering phases, not isolated to any single step.
- Stealth Patterns: Criminals typically avoid abrupt, conspicuous flows; they break transactions into multiple small moves, adapt swiftly if they sense scrutiny, or distribute knowledge among co-conspirators.
- Monitor Behavioral Anomalies: Frequent account closures, ephemeral e-wallet usage, or suspiciously well-timed transactions can be key signs.
3.4 Access Facilitation
Definition
Before injecting large sums into the financial system, criminals ensure entry points are established. They might cultivate relationships with complicit service providers, find under-regulated corridors, or misrepresent business activities to secure accounts or partnerships that raise minimal red flags.
Key Points
- Precedes “Placement”: Deals with infiltration and ensuring future funds face fewer barriers.
- Focus: Involves unscrupulous intermediaries, shell banks, or lightly policed fintech channels.
- Detection: Institutions can look for odd new-account openings, suspicious onboarding processes, or weakly verified beneficial owners.
3.5 Placement
Definition
“Placement” is the traditional first juncture where illicit proceeds become merged with legitimate systems, typically by depositing or introducing them in a way that masks their direct criminal origin.
Key Points
- Classic AML Phase: This is where abrupt cash flows, structured deposits, or funnel accounts often surface.
- Vulnerability: Large or unusual deposits may draw immediate scrutiny, making it a high-risk stage for criminals.
- Defenses: Monitoring atypical deposit patterns or cross-checking transaction volumes can identify suspicious inflows.
3.6 Layering
Definition
Criminals execute multiple complex transactions—wire transfers, exchanges, currency conversions, trade-based maneuvers—to sever the asset’s link to its criminal source.
Key Points
- Obfuscation: Repeated layering moves hide the audit trail behind multiple accounts, entities, and jurisdictions.
- Common Tactics: Chain-hopping in crypto, rapid transfers among shell companies, or trade misinvoicing.
- Detection: Following the money becomes challenging; advanced transaction monitoring and cross-border data sharing can help reveal the layered patterns.
3.7 Integration
Definition
Having obscured their origin, criminals now legitimize illicit funds by merging them into legitimate business, property, or financial instruments. Post-integration, the money appears fully lawful and usable without raising suspicion.
Key Points
- Traditional Final Phase: In classic AML, integration is often considered the end of laundering.
- Implementation: Investment in real estate, legitimate enterprises, or financial portfolios that camouflage the proceeds within routine economic activity.
- Open-Ended: AMLTRIX acknowledges criminals may keep layering or re-laundering if risk intensifies.
3.8 Asset Protection
Definition
Beyond integration, criminals continually shield laundered wealth from law enforcement or seizure—through dispersion, rapid liquidation, or offshore repositioning. This ensures criminals can swiftly move or reconvert holdings if threatened.
Key Points
- Long-Term Security: Criminals stay alert, rotating funds across different jurisdictions and financial instruments.
- Combating Enforcement: Tactics include frequent re-titling of assets, cross-border hops to avoid freeze orders, or layering inside “friendly” legal environments.
- Detection: Patterns of repeated asset flight or suspicious re-allocation can reveal this post-integration tactic.
3.9 Relationship to Sanctions Evasion, Terrorist Financing, and Proliferation Financing
While some AMLTRIX tactics or techniques (e.g., shell entities, layering, operational security) can also appear in sanctions evasion, terrorist financing (TF), or proliferation financing (PF), the eight-stage kill-chain is fundamentally oriented toward laundering criminally derived proceeds. Other financial crime domains differ in two respects:
- Different Goals: Sanctions evasion focuses on bypassing legal restrictions (not necessarily laundering illicit wealth); TF might involve legitimate donations funding terror, rather than hiding criminal proceeds; PF seeks to acquire or move restricted materials/technology.
- Not Entirely Aligned: AMLTRIX’s premise—concealing the illicit origin of funds—does not fully capture the motivations or typical flows in sanctions, TF, or PF.
Future Directions
Dedicated threat matrices for terrorist or proliferation financing may be developed depending on industry feedback and involvement. The current Beta release remains specifically focused on money laundering. As these adjacent threats often share some stealth or layering tactics, future AMLTRIX extensions could adapt or expand the kill-chain logic to better reflect unique patterns of TF, PF, or sanctions violations.
3.10 Conclusion & Next Steps
By delineating eight tactics—covering everything from Illicit Acquisition of criminal funds to post-integration Asset Protection—AMLTRIX provides a more granular map of laundering than the classic three-step approach. Crucially, it emphasizes:
- Pre-transaction infiltration (Access Facilitation)
- Continuous stealth across all phases (Operational Evasion)
- Foundational corporate subterfuge (Concealment Mechanisms)
- Long-term safeguarding after partial or full integration (Asset Protection)
Though certain tactics partly overlap with other financial crime areas (sanctions, TF, PF), AMLTRIX’s kill-chain is dedicated to money laundering from criminal proceeds. In the upcoming chapters, techniques and subtechniques underlying each tactic will be discussed, illustrating how criminals enact these stages and offering insight for AML defenders seeking to disrupt each phase in practice.
Chapter 4: Techniques, Subtechniques & Indicators
In AMLTRIX, techniques are the practical methods criminals use to implement each tactic (adversarial objective) in the kill-chain (e.g., “Placement,” “Concealment Mechanisms”). By cataloging these methods at a mid-level of abstraction, AML/CFT teams can map real-world laundering scenarios to structured knowledge in a consistent, machine-readable way.
4.1 Techniques: Linking the “Why” to the “How”
4.1.1 Defining a Technique
A technique captures a specific way launderers achieve one or more adversarial tactics. For example:
- Under “Access Facilitation”: “Cultivating relationships with unscrupulous MSBs.”
- Under “Concealment Mechanisms”: “Forming multi-layered offshore structures in secrecy jurisdictions.”
- Under “Placement”: “Splitting large sums into multiple small deposits (structuring).”
This mid-level approach is:
- Granular enough to inform detection and mitigation (each technique may have unique red flags).
- Broad enough that multiple real-life cases (from different countries or business sectors) can match the same technique category.
4.1.2 Mapping a Technique to Tactics
A single laundering method might be primarily aimed at achieving one tactic (e.g., “concealment”), but in many real scenarios, criminals reuse that method in other tactics as well (e.g., layering). AMLTRIX guidance:
One Main Tactic
- For most techniques, a primary or dominant tactic is designated (the stage where that method is most critical).
- This preserves clarity in the kill-chain, preventing a situation where “everything maps to everything.”
Multi-Tactic Linkages (If Equally Relevant)
- If a technique genuinely fulfills two or more tactics with near-equal emphasis, AMLTRIX allows linking it to multiple tactics.
- This option should be used selectively, because it can create duplication or confusion if done too liberally. Multi-tactic mapping is recommended only when the technique’s contribution to each tactic is distinct and operationally relevant.
In other words, one technique can reference one or several tactics, but in most cases, a single main tactic suffices—unless a clear need arises to show the technique’s major role in multiple stages.
4.2 Subtechniques: Refining or Specializing a Technique
4.2.1 When to Introduce Subtechniques
Subtechniques are optional, used only when distinguishing different variants of the same method adds practical value. For instance, “Use of Shell Companies” might split into:
- “Offshore Shell Entity” (registered in high-secrecy havens)
- “Domestic Shelf Company” (repurposed entity pre-existing in the same jurisdiction)
Both revolve around “shell companies,” but each subtechnique involves distinct red flags, compliance checks, or vulnerabilities.
4.2.2 Avoiding Unnecessary Complexity
In practice, organizations might not need separate “Domestic Shelf” vs. “Offshore Shell” definitions if compliance oversight lumps them together. AMLTRIX therefore remains modular—subtechniques should be created only if the distinctions enhance detection or risk management.
4.3 Indicators: Observable Signs of a Technique
4.3.1 What Indicators Are
Within AMLTRIX, indicators (often called “risk indicators” or “red flags”) are observable signs suggesting a particular technique may be in play. For example:
- Technique: “Misuse of multiple MSBs for layering”
- Indicator: “Customer sends an unusual volume of small transfers from different MSBs within short intervals, lacking an economic rationale.”
Indicators typically describe suspicious patterns or anomalies that an obliged entity could notice in transaction logs, KYC data, or external reference checks. AMLTRIX lists indicators under each technique to help compliance teams craft targeted detection logic.
4.3.2 Different from Threat Warnings or Risk Events
- Threat Warnings: Specific alerts from authorities about a real-time or near-future risk (e.g., “A certain non-EU shell network is known to funnel criminal assets”).
- Risk Events: Real-time triggers in a compliance system (e.g., “Account X attempts a wire to blacklisted Entity Y—block or escalate!”)
By contrast, indicators are generalizable pointers that a technique might be active. They are one component in an institution’s overall risk detection but are not themselves direct “threat warnings” or “event triggers.”
4.3.3 Implementation in AML Systems
Because indicators line up with techniques, a bank or fintech could integrate these red flags into transaction monitoring or KYC processes. For instance, a compliance engine might generate an internal “risk event” whenever it observes multiple sub-threshold deposits described by a “structuring” indicator, prompting closer review or possible suspicious activity filing.
4.4 Illustrative Examples
Below are a few hypothetical example techniques (with possible subtechniques and indicators):
Technique: “Frequent Account Switching” (Under Tactic: Operational Evasion)
- Subtechniques:
  - “Rotating e-wallets monthly”
  - “Opening caretaker accounts via proxies and closing them after a single large transfer”
- Indicators:
  - Account consistently shut down after inbound transfers.
  - Minimal or no legitimate transaction history preceding closure.
Technique: “Multiple Structured Deposits via Branches” (Under Tactic: Placement)
- Indicators:
  - Customer visits 3+ branches in one day, each deposit under a known regulatory threshold (e.g., $10k).
  - No consistent narrative explaining the deposit sources or business activity.
Technique: “Use of Nominee Directors in Offshore Shell Entities” (Under Tactic: Concealment Mechanisms)
- Subtechniques:
  - “Professional nominees offering ‘director-for-hire’ services in secrecy havens”
  - “Reusing the same nominee across multiple unrelated companies”
- Indicators:
  - Customer or beneficial owners appear on multiple shell entities with identical addresses.
  - Corporate structures feature suspicious nominee patterns with minimal legitimate business.
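The compliance-engine behaviour described in 4.3.3, applied to the first indicator of “Multiple Structured Deposits via Branches” above, can be sketched as follows. This is an added example, not AMLTRIX code: the record layouts, function name, and sample deposits are assumptions made for illustration, and the threshold and branch count are the example values from the indicator text.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

# Assumed parameters, taken from the indicator's wording ("3+ branches in one
# day", "e.g., $10k"); an institution would substitute its own values.
THRESHOLD = Decimal("10000")
MIN_BRANCHES = 3


@dataclass(frozen=True)
class Deposit:            # hypothetical record layout, not an AMLTRIX schema
    customer_id: str
    branch_id: str
    timestamp: datetime
    amount: Decimal


@dataclass(frozen=True)
class RiskEvent:          # hypothetical internal "risk event" queued for review
    customer_id: str
    day: str
    technique: str
    tactic: str
    branches: tuple
    deposit_count: int
    total: Decimal


def detect_structured_branch_deposits(deposits, threshold=THRESHOLD,
                                      min_branches=MIN_BRANCHES):
    """Return one RiskEvent per (customer, calendar day) on which sub-threshold
    deposits were made at min_branches or more distinct branches."""
    grouped = defaultdict(list)
    for dep in deposits:
        # Only deposits strictly below the threshold match this indicator.
        if Decimal("0") < dep.amount < threshold:
            grouped[(dep.customer_id, dep.timestamp.date())].append(dep)

    events = []
    for key in sorted(grouped):
        customer, day = key
        group = grouped[key]
        # Count distinct branches, so repeat visits to one branch do not qualify.
        branches = tuple(sorted({dep.branch_id for dep in group}))
        if len(branches) >= min_branches:
            events.append(RiskEvent(
                customer_id=customer,
                day=day.isoformat(),
                technique="Multiple Structured Deposits via Branches",
                tactic="Placement",
                branches=branches,
                deposit_count=len(group),
                total=sum((dep.amount for dep in group), Decimal("0")),
            ))
    return events


def make_deposit(customer, branch, ts, amount):
    return Deposit(customer, branch, datetime.fromisoformat(ts), Decimal(amount))


# Constructed sample data (not real transactions).
SAMPLE_DEPOSITS = [
    # C-1001: three branches, one day, every deposit under threshold -> event
    make_deposit("C-1001", "BR-01", "2024-03-04T09:10:00", "9500"),
    make_deposit("C-1001", "BR-07", "2024-03-04T11:45:00", "9800"),
    make_deposit("C-1001", "BR-12", "2024-03-04T15:20:00", "9700"),
    # C-2002: three deposits at the same branch -> one distinct branch, no event
    make_deposit("C-2002", "BR-01", "2024-03-04T09:00:00", "9000"),
    make_deposit("C-2002", "BR-01", "2024-03-04T12:00:00", "9000"),
    make_deposit("C-2002", "BR-01", "2024-03-04T16:00:00", "9000"),
    # C-3003: third deposit is above threshold -> two qualifying branches, no event
    make_deposit("C-3003", "BR-01", "2024-03-04T10:00:00", "9500"),
    make_deposit("C-3003", "BR-02", "2024-03-04T11:00:00", "9500"),
    make_deposit("C-3003", "BR-03", "2024-03-04T12:00:00", "12000"),
    # C-4004: third branch visited the next day -> no single day reaches three
    make_deposit("C-4004", "BR-01", "2024-03-04T16:00:00", "9000"),
    make_deposit("C-4004", "BR-02", "2024-03-04T17:30:00", "9000"),
    make_deposit("C-4004", "BR-03", "2024-03-05T09:05:00", "9000"),
]

if __name__ == "__main__":
    for event in detect_structured_branch_deposits(SAMPLE_DEPOSITS):
        print(event)
```

The C-4004 case shows the limit of a calendar-day grouping: the same visits spread across midnight produce no event, so a rolling window is a natural refinement where the indicator is tuned locally.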
4.5 Warnings, Risk Notifications, & Events: Not in AMLTRIX’s Scope
4.5.1 Why They Differ from Indicators
- Threat Warnings or Risk Notifications (as described in some regulatory frameworks) are specifically targeted announcements from an authority to an obliged entity, highlighting a particular or ongoing threat.
- Risk Events are real-time triggers or escalations inside an institution’s compliance system.
AMLTRIX enumerates techniques and their indicators—general “red flags” or suspicious patterns. It does not manage or define official threat warnings, risk notifications, or direct “stop/go” messages from regulators. Instead, it provides a knowledge base that institutions can use to build those more immediate warning mechanisms if desired.
4.5.2 Indicator vs. Threat Warning
An indicator might say: “Multiple ephemeral e-wallet accounts opened sequentially, each used for one cross-border transaction,” signifying a possible operational evasion technique.
A threat warning from a regulator would say: “Group X is funneling illicit funds through ephemeral e-wallet providers in your region—cease or block activity.”
The first is a pattern tied to a general technique; the second is a case-specific or real-time alert from public authorities.
4.6 The Role of Techniques in AMLTRIX
4.6.1 Bridging Tactics & Practice
Techniques translate the why (tactic) into the how (method). By tagging each technique with relevant indicators, AMLTRIX fosters:
- Operational Relevance: Each stage (tactic) now has tangible detection points.
- Consistency: Institutions can reference the same set of techniques across different internal systems or training modules, unifying AML efforts.
4.6.2 Subtechniques for Depth
Where an institution needs deeper or more specialized detection logic—perhaps different red flags for “offshore shell” vs. “domestic shelf” usage—subtechniques deliver that extra nuance without complicating the entire knowledge graph.
4.7 Conclusion
Techniques (and optional subtechniques) form the methodological core for describing criminals’ actual behaviors in AMLTRIX. Each technique typically aligns with one primary tactic, though it may occasionally map to multiple if the method truly serves multiple stages in a significant way.
Crucially, indicators accompany each technique in AMLTRIX, providing high-level suspicious patterns or red flags. Chapter 5 discusses how these “building blocks” intersect with broader typologies, which are scenario-based groupings that many regulators and AML professionals use in day-to-day compliance.
Chapter 5: Positioning Typologies within AMLTRIX
Note: AMLTRIX does not currently define typologies as a formal object or mandatory data structure. This chapter outlines how institutions may incorporate scenario-based groupings (often called “typologies”) into their AMLTRIX usage, but doing so is purely optional and not part of the core Beta release.
5.1 Ambiguity & Multiple Definitions of “Typology”
In many AML contexts, a “typology” describes a broad scenario or pattern of laundering activities (e.g., trade-based money laundering, real estate laundering). However, the term “typology” lacks a single, consistent definition across the industry:
- Regulators (e.g., FATF) may present typologies as real-world examples or aggregated patterns, often tied to specific risk indicators or case studies.
- Some institutions or publishers avoid the term entirely, opting to talk about red flags, risk indicators, or simply “common laundering scenarios.”
- Variations: One typology might be as simple as “cryptocurrency-based ML,” while another covers entire multi-stage processes (e.g., trade-based ML with multiple steps).
As a result, while the concept of typologies is widespread, the exact meaning can vary significantly. Some typologies are highly granular, detailing each laundering step; others remain generic, focusing on broad risk themes.
5.2 Suggested (Optional) Interpretation
Because AMLTRIX is a flexible framework organized around tactics and techniques, institutions or regulators may choose to create “typologies” that link multiple AMLTRIX components into scenario-based narratives. This is not an official or required part of AMLTRIX; it is an optional approach that can align with certain regulatory, training, or investigative preferences.
5.2.1 Technique-Focused with Optional Scenario Groupings
AMLTRIX primarily catalogs techniques (the “how”) mapped to tactics (the “why”). If an institution wishes to incorporate typologies, it can treat them as scenario-level groupings, each pulling in multiple tactics and techniques under a single theme. For example, “Trade-Based ML (TBML)” might encompass:
- Access Facilitation: forging relationships with exporters/importers.
- Concealment Mechanisms: creating overseas shell shipping firms.
- Layering: misinvoicing or phantom shipments.
- Operational Evasion: avoiding scrutiny by timing shipments during local holidays.
If desired, these pieces can be grouped into a single “TBML scenario.” This grouping would reference relevant AMLTRIX techniques; it does not change the underlying AMLTRIX kill-chain, which remains tactic- and technique-driven.
5.2.2 Why Keep Typologies Fully Optional
Because industry definitions of typology differ widely, AMLTRIX does not enforce a canonical “typology node” or treat typologies as built-in objects. Some institutions or solution providers may find scenario-based groupings beneficial for:
- Staff training (using real-world examples).
- Regulatory alignment (matching FATF typology publications).
- Case analysis (assembling multiple techniques under a common narrative).
Others may see no need for a separate typology layer and prefer to focus purely on the tactics-and-techniques structure. Both approaches remain valid under AMLTRIX.
5.3 Advantages & Drawbacks of a Typology Layer
Advantages
- Scenario Narrative: Staff training often benefits from scenario-based learning. Summarizing multiple tactics/techniques under a named scenario can demonstrate how criminals progress from infiltration to asset protection.
- Regulatory Familiarity: Many national FIUs or bodies like FATF regularly publish “typology reports.” Integrating a typology layer may help institutions stay aligned with these external guidelines or common AML language.
Drawbacks
- Ambiguity: Without uniform definitions, typologies may overlap or conflict. One jurisdiction’s concept of “trade-based ML” might differ from another’s, leading to confusion.
- Redundancy: Some typologies duplicate the technique structure without adding unique insight—especially if the scenario is too broad or lacks clear red-flag indicators.
5.4 Practical Steps (If an Institution Chooses Typologies)
- Create a Scenario-Based Grouping: An institution may define a conceptual “typology grouping” for each broad laundering scenario it deems relevant (e.g., “Real Estate Laundering,” “Human Trafficking Proceeds”).
- Link to AMLTRIX Techniques: Each scenario or “typology” can reference the specific techniques that criminals commonly employ within that scenario (e.g., structuring, complex layering, use of shell companies).
- Attach Additional Context: Regulatory red flags, case studies, or specialized investigative tips can be appended to these groupings for training and analysis.
Again, these steps are optional; AMLTRIX does not require or standardize them in its Beta release.
5.5 Differentiating from Indicators & Risk Notifications
As described in Chapter 4, AMLTRIX focuses on techniques and their associated indicators to help recognize suspicious patterns. By contrast, a typology approach is primarily a scenario-building exercise—tying multiple indicators and tactics together under one thematic umbrella. Risk notifications or threat warnings still remain outside AMLTRIX’s core scope, since they typically involve real-time alerts or targeted notices from authorities.
5.6 Reconciling AMLTRIX with Regulatory Typology Reports
When national or international bodies (e.g., FATF) release new typology reports:
- Identify whether new or existing AMLTRIX techniques align with the emerging typology details.
- Consider creating or updating a scenario-based grouping (if that helps internal processes or training).
- Incorporate official red flags or risk indicators from the typology report into the relevant AMLTRIX techniques.
This approach can help institutions maintain consistency between widely recognized typology reports and the AMLTRIX adversarial model, while still preserving the tactic–technique structure at the framework’s core.
5.7 Conclusion
Typologies, defined here as scenario-based groupings of laundering methods, are not a formal or mandatory component of AMLTRIX in its current Beta phase. Rather, they offer an optional overlay to organize tactics and techniques into contextual narratives. Some institutions may find this approach valuable for training, regulatory alignment, or thematic analysis, while others prefer to work solely at the tactic–technique level.
By presenting typologies as an optional extension, AMLTRIX keeps its fundamental design straightforward, focusing on the eight-tactic kill-chain, techniques, and indicators. Practitioners can adopt a scenario-based perspective if it serves their needs, or ignore typologies entirely without any loss of functionality. Over time, if user demand supports further development of a typology data model, AMLTRIX may evolve to include more formal structures for scenario-level grouping.
Chapter 6: Possible Contradictions & Critiques from the Industry
Adopting an eight-stage kill-chain for money laundering—coupled with a techniques-and-indicators approach—naturally raises questions from institutions and regulators accustomed to the simpler, three-phase (Placement–Layering–Integration) model. This chapter summarizes the most common concerns and how AMLTRIX might address them.
6.1 Complexity vs. Utility
Challenge
Some practitioners argue that an eight-stage kill-chain, plus optional subtechniques and a robust set of indicators, is “too detailed” for everyday compliance. The traditional three-phase approach (PLI) is easier to communicate and implement at scale.
Response
- Modular Adoption: AMLTRIX is built to be selective. Institutions can keep referencing the simpler PLI cycle and incorporate new stages (e.g., “Access Facilitation,” “Operational Evasion,” “Asset Protection”) only if they see real benefits in that specificity.
- Enhanced Detection: Where criminals exploit infiltration or advanced layering tactics, the extra detail can yield more targeted detection rules. Over time, advanced compliance teams often find that a granular approach reveals hidden risks missed by broad-brush models.
6.2 Overlap with Existing Guidance
Issue
Many established frameworks (FATF, Wolfsberg, national regulators) do not explicitly define tactics like “Operational Evasion” or “Access Facilitation.” Institutions worry that aligning with AMLTRIX might cause conflict or confusion when reconciling with official guidance.
Response
- Beta Phase & Feedback: AMLTRIX is an open-source knowledge graph in Beta, actively seeking user input. New categories—like “Operational Evasion”—can evolve in name, scope, or consolidation based on real-world usage and comfort levels.
- Complementary, Not Conflicting: AMLTRIX does not invalidate older frameworks; it dissects them for deeper nuance. Institutions can map AMLTRIX’s eight tactics to the Placement–Layering–Integration lens without rejecting official categories. Overlaps might exist, but they aim to enrich, rather than replace, recognized guidance.
6.3 “Illicit Acquisition” Scope
Issue
Predicate offenses are commonly considered beyond the direct coverage scope for financial institutions (FIs), whose compliance obligations usually begin at “placement.” Some practitioners worry that referencing “Illicit Acquisition” might push institutions to investigate crimes themselves—a function outside typical AML processes.
Response
- Single Stage for All Predicates: AMLTRIX lumps the entire domain of predicate offenses under one heading (“Illicit Acquisition”). This is a deliberately broad, reductionist approach—there is no expectation that institutions will unearth every detail of the underlying crime.
- Partial Indicators: Sometimes an institution may observe hints (e.g., corruption signals, e-commerce fraud patterns). Acknowledging “Illicit Acquisition” helps incorporate these partial indicators into broader AML detection, without implying responsibility for investigating the full offense.
- Optional or Removable: If a given stage is deemed unhelpful, it can be minimized or omitted in practice, focusing instead on the directly observable laundering steps.
6.4 Implementation Challenges
Issue
Implementing AMLTRIX’s kill-chain and technique-based approach in real-time transaction monitoring or KYC processes may seem resource-intensive—each new tactic or subtechnique could require specialized logic or advanced system modifications.
Response
- Knowledge Graph, Not Mandated Real-Time Coverage: AMLTRIX is primarily a reference or ontology of adversarial knowledge. It does not require institutions to build real-time alerts for all tactics. Instead, it provides a structured vantage point to refine or expand systems when beneficial.
- Gradual Integration: An institution might start by mapping a few high-priority techniques (e.g., trade-based layering) to existing detection rules, then expand over time. This incremental approach reduces the immediate burden while allowing value to be demonstrated progressively.
Chapter 7: Conclusion & Future Directions
As the Beta version of AMLTRIX reaches wider circulation, community feedback will guide how this eight-stage kill-chain—and its associated techniques, subtechniques, and indicators—adapts to diverse AML realities. This chapter outlines how AMLTRIX remains open to ongoing improvements and how it can eventually expand into deeper defensive measures or specialized predicate crime models.
7.1 Beta Status & Solicitation of Feedback
7.1.1 Why Beta Matters
AMLTRIX is currently in Beta, meaning its kill-chain structure, definitions, and recommended usage are still evolving. All stakeholders—banks, fintech companies, regulators, academic researchers, and solution vendors—are encouraged to:
- Test the eight-tactic framework against real operational data or existing typologies.
- Identify potential overlaps, missing tactics, or ambiguous categories.
- Suggest new techniques, subtechniques, or clarifying indicators if criminal behavior is not adequately covered.
7.1.2 Path to Maturity
As feedback accumulates, AMLTRIX may evolve through:
- Term refinements: For example, “Operational Evasion” or “Asset Protection” may require renaming or broader definitions.
- Structural adjustments: Merging or splitting certain tactics, or reconfiguring the approach to “Illicit Acquisition” depending on usage.
- Indicator expansions: Integrating new insights or risk patterns from actual investigations.
7.2 Defensive Extensions: Mapping Mitigations & Controls
7.2.1 Linking the Adversarial Model to Defenses
A natural next phase of AMLTRIX is to detail how each tactic and technique can be detected or disrupted—ranging from advanced data analytics to enhanced due diligence. Similar to the MITRE ATT&CK model in cybersecurity, AMLTRIX may:
- Map each technique (e.g., “Smurfing deposits,” “Offshore nominee layering”) to corresponding controls (e.g., real-time threshold alerts, beneficial ownership checks).
- Contextualize those controls within the broader kill-chain (e.g., which defenses work best at the “access facilitation” vs. “asset protection” stages).
7.2.2 Possible Implementation
- CDD & KYC: Mapped specifically to tactics like Access Facilitation or Concealment Mechanisms.
- Transaction Monitoring: Most applicable to Placement and Layering stages.
- Internal Controls & Governance: Relevant to Operational Evasion, ensuring agile and continuous defense against evasive laundering strategies.
As community feedback develops, these mappings will be refined to offer a direct bridge between the adversarial kill-chain and operational defense tools.
7.3 Future Refinements & Specialized Kill-Chains
Sub-Typology Drill-Down
- Institutions with high-risk exposure (e.g., trade finance, e-commerce) might benefit from sub-typologies or micro kill-chains (e.g., “Advanced TBML” scenarios).
- Similarly, Illicit Acquisition could eventually split into detailed kill-chains tied to specific predicate offenses (e.g., fraud, human trafficking, cybercrime).
Enhanced Detection Logic
- Potential to formalize detection logic or pattern-based rules for each technique.
- Example: “If X sub-threshold deposits occur from Y accounts in <Z hours and show no matching invoice data, suspect ‘Smurfing’.”
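The example rule above can be formalized as a sliding-window check. This is an added sketch, not AMLTRIX's own logic. It assumes the values chosen for X, Y, Z and the reporting threshold, the record layout, and that "from Y accounts" means distinct source accounts paying into one beneficiary.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; the page leaves X, Y, Z and the threshold open.
THRESHOLD = 10_000             # reporting threshold, in currency units
X_MIN_DEPOSITS = 4             # X: minimum sub-threshold deposits
Y_MIN_SOURCES = 3              # Y: minimum distinct source accounts
Z_WINDOW = timedelta(hours=24) # Z: deposits must fall within less than this span

# Constructed sample deposits: (time, source, beneficiary, amount, invoice ref or None)
SAMPLE = [
    ("2024-03-01T09:00", "A1", "B9", 9500, None),
    ("2024-03-01T11:30", "A2", "B9", 9200, None),
    ("2024-03-01T15:10", "A3", "B9", 9800, None),
    ("2024-03-02T08:45", "A1", "B9", 9100, None),
    ("2024-03-01T13:00", "E1", "B9", 25000, None),    # above threshold: ignored
    ("2024-03-01T10:00", "C1", "D4", 9000, "INV-7"),  # has invoice data: ignored
    ("2024-03-01T12:00", "C2", "D4", 9400, None),
    ("2024-03-05T12:00", "C3", "D4", 9300, None),     # too far apart to cluster
]

def suspect_smurfing(deposits, x=X_MIN_DEPOSITS, y=Y_MIN_SOURCES,
                     z=Z_WINDOW, threshold=THRESHOLD):
    """Return {beneficiary: (deposit count, distinct sources)} for rule matches."""
    by_beneficiary = defaultdict(list)
    for ts, src, dst, amount, invoice in deposits:
        # Only sub-threshold deposits without matching invoice data count.
        if amount < threshold and invoice is None:
            by_beneficiary[dst].append((datetime.fromisoformat(ts), src))

    alerts = {}
    for dst, events in by_beneficiary.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the window spans strictly less than Z.
            while events[end][0] - events[start][0] >= z:
                start += 1
            window = events[start:end + 1]
            sources = {src for _, src in window}
            if len(window) >= x and len(sources) >= y:
                # Keep the largest qualifying cluster seen for this beneficiary.
                alerts[dst] = max(alerts.get(dst, (0, 0)),
                                  (len(window), len(sources)))
    return alerts

if __name__ == "__main__":
    print(suspect_smurfing(SAMPLE))
```

Tightening Z or raising Y trades recall for fewer alerts on accounts that legitimately receive many small payments, so the values belong in reviewed configuration rather than code.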
Integration with Other Domains
- While AMLTRIX is centered on laundering of criminal proceeds, several techniques overlap with sanctions evasion, terrorist financing (TF), or proliferation financing (PF).
- In the future, dedicated threat matrices may be created for these domains, contingent on demand and feedback from practitioners.
7.4 Key Takeaway
By presenting an eight-tactic kill-chain—enriched with techniques, subtechniques, and indicators—AMLTRIX offers a flexible yet structured perspective for addressing modern laundering threats. While debates may arise (e.g., “Is eight steps too many?” or “Is ‘Illicit Acquisition’ necessary?”), the core value lies in framing laundering as a series of observable, adversarial actions.
The ultimate goals are to:
- Refine defensive controls in a step-by-step manner, from infiltration through asset protection.
- Adapt or expand specific definitions based on real-world feedback and emerging laundering methods.
- Facilitate shared vocabulary and structured threat knowledge across institutions, regulators, and investigative partners.
As AMLTRIX transitions beyond Beta, its evolution will continue to be driven by open collaboration and real-world validation—ensuring its relevance, clarity, and utility in confronting complex financial crime.