1. Introduction: What Are Mitigations?
In the context of Anti-Money Laundering (AML), mitigations are structured controls or measures used by financial institutions to prevent, detect, disrupt, and report illicit financial activities. They include policies, procedures, technological solutions, and other organizational practices that reduce the likelihood and impact of money laundering or other illicit financial activities.
Mitigations often map directly to money laundering techniques or typologies. For example, if criminals use trade-based money laundering schemes (e.g., misinvoicing or over/under-valuation of goods), a related mitigation might be Trade Monitoring, which specifically checks trade transactions and documentation for inconsistencies.
Linkable With Money Laundering Techniques
In a knowledge graph, each mitigation can be linked to one or more documented money laundering techniques or subtechniques. This allows analysts to trace how real-world typologies, such as cash structuring or chain peeling, can be addressed by specific controls (e.g., Cash Transaction Reporting or Blockchain Monitoring).
2. Three Core Dimensions of Mitigation Taxonomy
A robust taxonomy helps compliance teams quickly find, compare, and apply relevant measures for specific risk scenarios. Here, we define three complementary dimensions for classifying each mitigation:
- Functional Category
- Application Level (Tactical vs. Strategic)
- Client Relationship Stage
To avoid confusion and over-complication of the knowledge graph, we assign each mitigation to one primary functional category and one primary application level, while client relationship stage can be a multi-select (a single mitigation may apply to multiple or no stages).
Why Separate These Dimensions?
- Functional Category answers “What type of control is this?” in terms of operational focus (e.g., due diligence, monitoring, risk management).
- Application Level clarifies whether the measure addresses immediate day-to-day concerns (tactical) or longer-term, high-level oversight (strategic).
- Client Relationship Stage highlights when the mitigation is most relevant in the client lifecycle (onboarding, ongoing relationship, post-termination, etc.).
This modular approach provides a balanced view: each control’s fundamental purpose, its scope (tactical or strategic), and the points in the client journey where it applies.
3. Functional Categories
Below are groupings of mitigations by their primary function. Every mitigation is assigned to one of these categories.
- Onboarding & Customer-Related Due Diligence
  - Purpose: Verifying or updating customer identity, beneficial ownership, and risk levels.
  - Examples: Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), Sanctions & Watchlist Screening, OSINT & External Source Verification.
- Transaction & Activity Monitoring & Escalation
  - Purpose: Identifying suspicious or high-risk transactions through real/near-real-time monitoring, and escalating them as necessary.
  - Examples: Transaction Escrow Management, Cash Transaction Reporting (CTR), Trade Monitoring, Blockchain Monitoring, Suspicious Activity Reporting (SARs/STRs), Transaction Monitoring.
- Risk Management & Governance
  - Purpose: Enterprise-level oversight, strategic assessment, and cross-cutting frameworks that shape the organization’s risk posture.
  - Examples: Enterprise-Wide Risk Assessment (EWRA), Country Risk Assessment, Independent Audit & Testing, Third-Party Risk Management, Information Sharing & Collaboration, a conscious “Do Not Mitigate” (when additional controls are deemed counterproductive).
- Organizational & Internal Controls
  - Purpose: Day-to-day management of internal processes, policies, data security, record-keeping, and staff escalation mechanisms.
  - Examples: Quality Assurance & Control, Internal Policies and Procedures, Data Protection & Security Controls, Record-Keeping & Audit Trails, Internal Reporting Mechanisms, Designation of Nominated Officer, Access Authentication & Monitoring.
- Relationship Actions
  - Purpose: Direct interventions in a customer relationship to reduce or remove risk (e.g., suspending or ending the relationship).
  - Examples: Service Restriction, Client Relationship Termination.
- People & Awareness
  - Purpose: Human-focused measures that strengthen AML knowledge, integrity, and compliance culture among staff or customers.
  - Examples: Employee Background Screening, Customer Education & Awareness, Staff AML Training & Awareness.
This classification provides a quick conceptual map: Is this measure about monitoring, governance, or how we handle staff training?
4. Application Level: Tactical vs. Strategic
Tactical Mitigations
- Definition: Short- to medium-term operational measures.
- Scope: Address immediate, day-to-day AML/CFT requirements.
- Characteristics:
  - Often carried out by front-office staff, investigators, or compliance analysts.
  - Targets specific patterns or behaviors (e.g., real-time transaction alerts).
  - Can be quickly adjusted or tuned as typologies evolve.
- Examples:
  - Transaction Monitoring (real-time detection)
  - Cash Transaction Reporting (CTR)
  - Enhanced Due Diligence (EDD)
  - Suspicious Activity Reporting (SARs/STRs)
Strategic Mitigations
- Definition: Long-term, higher-level organizational measures that guide the entire AML/CFT framework.
- Scope: Shape enterprise governance, resource allocation, and overall AML/CFT culture.
- Characteristics:
  - Often steered by senior management or boards.
  - Involves broad policy decisions (risk appetite, cross-functional coordination).
  - Requires more planning and cross-department input, with periodic reviews.
- Examples:
  - Enterprise-Wide Risk Assessment (EWRA)
  - Independent Audit & Testing
  - Third-Party Risk Management
  - Quality Assurance & Control
In many cases, a single mitigation might be partially tactical and partially strategic. However, for clarity’s sake in a taxonomy, we classify it by its dominant purpose.
5. Client Relationship Stages
We propose a set of client lifecycle stages that indicate when a mitigation is most relevant. A mitigation can be assigned to any stage where it is relevant; it can belong to several stages, or to none if it is an overarching measure.
- Not Directly Related (or Pre-Interaction)
  - Activities that occur before any direct engagement with a client, or that are overarching and not directly related to client interactions.
  - Examples: Setting overall AML policy frameworks, establishing acceptance criteria, market-level risk analysis.
- Pre-Onboarding Engagement
  - Initial contact with prospective clients: initial inquiries, basic risk checks, or high-level eligibility checks.
- Onboarding
  - Formal process of registering the customer, performing CDD/KYC, verifying identities, setting up accounts.
- Ongoing Relationship
  - Active, day-to-day interaction with fully onboarded clients. Involves routine transactions and periodic reviews.
- Post Alert
  - Triggered if suspicious activity or a high-risk event is detected within an ongoing relationship.
  - Involves investigations, SAR filing, or deciding whether to continue the relationship.
- Post Termination
  - After an institution has exited the relationship. Covers record retention, any final regulatory reporting, or watching for re-entry attempts.
- Ad Hoc Interaction
  - Irregular or one-off engagements that do not follow typical onboarding or ongoing relationship patterns (e.g., a one-time transaction).
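
The cardinality rules from section 2 (one primary functional category, one primary application level, zero or more stages) and the technique links from section 1 can be checked mechanically. The following is an added example, not part of the original taxonomy: the `Mitigation` record, `validate`, `uncovered`, and the sample graph are constructed for illustration, and stage sets and any levels the page does not state are assumptions.

```python
from dataclasses import dataclass

# Allowed values copied from sections 3-5 of this page.
CATEGORIES = {
    "Onboarding & Customer-Related Due Diligence",
    "Transaction & Activity Monitoring & Escalation",
    "Risk Management & Governance", "Organizational & Internal Controls",
    "Relationship Actions", "People & Awareness"}
LEVELS = {"Tactical", "Strategic"}
STAGES = {"Not Directly Related", "Pre-Onboarding Engagement", "Onboarding",
          "Ongoing Relationship", "Post Alert", "Post Termination",
          "Ad Hoc Interaction"}

@dataclass(frozen=True)
class Mitigation:
    name: str
    category: str                        # exactly one primary category
    level: str                           # exactly one primary level
    stages: frozenset = frozenset()      # multi-select; empty = overarching
    techniques: frozenset = frozenset()  # linked technique nodes

def validate(m):
    """Return the taxonomy violations for one record (empty list = valid)."""
    errors = []
    if m.category not in CATEGORIES:
        errors.append(f"{m.name}: unknown category {m.category!r}")
    if m.level not in LEVELS:
        errors.append(f"{m.name}: level must be one of {sorted(LEVELS)}")
    errors += [f"{m.name}: unknown stage {s!r}"
               for s in sorted(m.stages - STAGES)]
    return errors

def uncovered(techniques, mitigations, stage=None):
    """Techniques with no valid linked mitigation, optionally at one stage."""
    covered = set()
    for m in mitigations:
        if not validate(m) and (stage is None or stage in m.stages):
            covered |= m.techniques
    return sorted(set(techniques) - covered)

fs, MON = frozenset, "Transaction & Activity Monitoring & Escalation"
TECHNIQUES = ["cash structuring", "chain peeling", "trade-based money laundering"]
# Constructed sample graph; stage sets and unstated levels are assumptions.
SAMPLE = [
    Mitigation("Cash Transaction Reporting (CTR)", MON, "Tactical",
               fs({"Ongoing Relationship", "Ad Hoc Interaction"}), fs({"cash structuring"})),
    Mitigation("Blockchain Monitoring", MON, "Tactical",
               fs({"Ongoing Relationship"}), fs({"chain peeling"})),
    Mitigation("Enterprise-Wide Risk Assessment (EWRA)",
               "Risk Management & Governance", "Strategic"),  # no stage: overarching
    # Invalid on purpose: two levels instead of the dominant one.
    Mitigation("Trade Monitoring", MON, "Tactical/Strategic",
               fs({"Ongoing Relationship"}), fs({"trade-based money laundering"})),
]
```

Because the mis-classified Trade Monitoring record is rejected, `uncovered(TECHNIQUES, SAMPLE)` reports trade-based money laundering as a coverage gap until the record is given a single dominant level.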