AML Red Flags: Suspicious Activity Indicators for Compliance Teams

AML red flags are behavioural, transactional or documentary indicators that suggest a customer relationship or financial transaction may be connected to money laundering, terrorist financing or another predicate offence. Under UK law, identifying these indicators and acting on them is not optional: failure to disclose known or suspected money laundering is a criminal offence under section 330 of the Proceeds of Crime Act 2002 (POCA 2002). For compliance teams, understanding what constitutes a red flag — and what to do when one appears — is the foundation of an effective anti-money laundering (AML) programme.

The volume of Suspicious Activity Reports (SARs) filed in the UK reached 901,255 in the 2022-23 reporting period, according to the NCA's Annual Report — a figure that reflects both the scale of financial crime and the increasing maturity of compliance functions across regulated sectors.

This article is provided for informational purposes only and does not constitute legal, financial or regulatory advice. For advice on your firm's specific circumstances, consult a qualified legal professional or your relevant supervisory authority.

What Are AML Red Flags?

An AML red flag is any indicator that, individually or in combination with others, gives a regulated firm reasonable grounds to suspect that a transaction or business relationship involves the proceeds of crime or is connected to terrorist financing. A red flag does not establish guilt: it triggers an obligation to investigate further and, where suspicion cannot be resolved, to submit a Suspicious Activity Report (SAR).

Regulatory reference: The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017), Regulation 28, sets out the circumstances requiring enhanced customer due diligence. The FATF 40 Recommendations provide internationally recognised typologies of red flags that underpin domestic regulatory guidance. In the UK, FCA Handbook SYSC 6.3 requires firms to maintain adequate systems and controls for the detection and prevention of financial crime, with the legal standard for suspicion set deliberately low: a possibility more than fanciful that the relevant facts exist.

Categories of AML Red Flags

Red flags fall into four primary categories. The table below provides a structured overview that compliance teams can use as a baseline framework for their internal risk policies.

When red flags from multiple categories appear together, the overall risk level increases materially and must trigger a formal internal review regardless of the relationship's commercial importance to the firm.

For a broader view of documentary compliance obligations that sit alongside these indicators, see our document compliance guide.

Sector-Specific Red Flags

Banking and Financial Services

Banks and payment institutions face the widest variety of red flag typologies. Key indicators include: frequent small cash deposits across multiple branches on the same day, rapid cycling of funds through an account with no intervening business purpose, and accounts that remain dormant before suddenly processing high volumes of transactions. Round-pound transfers at consistent amounts are a classic structuring signal that automated monitoring systems are designed to detect.

The £10,000 threshold is widely used in UK sectors as a cash transaction monitoring benchmark, though firms must apply risk-based scrutiny at any amount where the surrounding context is suspicious. MLR 2017 Regulation 28 does not impose a minimum transaction value for CDD — it is triggered by suspicion, not size.

Real Estate

Property transactions remain one of the highest-risk channels for laundering proceeds in the UK, a finding consistently reflected in HM Treasury's National Risk Assessments. Red flags include: purchases made using third-party funds with no disclosed relationship to the buyer, rapid resale at a significant discount to market value, and corporate vehicle ownership structures where the beneficial owner cannot be identified. Solicitors, estate agents and accountants acting in property transactions are all designated persons under MLR 2017.

Crypto-Assets

Registered crypto-asset businesses are subject to the full MLR 2017 regime following FCA registration requirements introduced in 2020. Sector-specific red flags include: use of mixing or tumbling services, transactions to or from addresses associated with sanctioned entities or dark-web marketplaces, and customers who refuse to disclose the source of their crypto holdings despite the size or frequency of transactions.

Trade Finance

Trade-Based Money Laundering (TBML) exploits the complexity of cross-border commercial transactions. Indicators to monitor include: significant discrepancies between invoice values and market prices for the described goods, vague or inconsistent cargo descriptions on shipping documents, payments made by or to unrelated third parties with no disclosed commercial relationship, and prepayments for goods substantially above the standard commercial value of the contract.

Legal and Accounting Professionals

Solicitors, accountants and estate agents are designated non-financial businesses and professions (DNFBPs) subject to MLR 2017. Red flags in these sectors include: clients who are overly secretive about the source of funds, requests to hold client money for purposes unconnected to the underlying matter, and instructions that appear designed to create a paper trail without any genuine commercial substance.

Our detailed article on AML transaction monitoring rules and thresholds covers the automated detection layer that sits alongside human review in these sectors.

UK Legal Framework: MLR 2017 and SAR Obligations

The primary legislative framework for AML in the UK consists of POCA 2002, the Terrorism Act 2000, and MLR 2017, supplemented by FCA rules for regulated financial services firms and sector-specific guidance from professional body supervisors.

MLR 2017, Regulation 28 requires firms to apply enhanced customer due diligence when establishing a business relationship, carrying out an occasional transaction of €15,000 or more (or equivalent in sterling), or whenever there is a suspicion of money laundering or terrorist financing, regardless of transaction size.

When a red flag cannot be satisfactorily resolved, the firm must submit a SAR to the National Crime Agency's UK Financial Intelligence Unit (UKFIU). The NCA operates a seven-working-day moratorium on consent SARs (also called "defence against money laundering" or DAML requests): if the NCA does not respond within seven working days, the firm may proceed with the transaction provided it has not received a refusal notice.

The tipping-off offence under POCA 2002, section 333A, makes it a criminal offence to disclose to a customer or third party that a SAR has been submitted or that a money laundering investigation is underway. This prohibition applies from the moment a SAR is filed or an investigation commences, and compliance teams must ensure internal communications referencing SAR activity are handled under strict confidentiality protocols.

Section 330 of POCA 2002 creates the primary failure-to-disclose offence for the regulated sector: a person commits an offence if they know or suspect, or have reasonable grounds to know or suspect, that money laundering is occurring and they fail to make the required disclosure as soon as practicable. This is effectively a strict-liability-style offence with criminal consequences including up to five years' imprisonment.

The FCA has the power to impose unlimited financial penalties and to withdraw authorisation for firms that fail to maintain adequate AML systems and controls.

From Detection to SAR Filing: the Internal Process

Effective management of AML red flags follows a structured process. The absence of a clear internal workflow is one of the most common findings in FCA supervisory reviews of smaller regulated firms.

Step 1 – Detection. The red flag is identified, either through automated transaction monitoring, document verification tools, or by a member of staff. CheckFile's platform flags 94% of fraudulent documents in under 2 seconds (CheckFile internal benchmark, March 2026), enabling compliance teams to identify documentary red flags at the point of onboarding rather than retrospectively during periodic review.

Step 2 – Internal escalation. The identifying staff member escalates to the nominated officer (the Money Laundering Reporting Officer, or MLRO) using the firm's internal reporting form. Staff must not delay escalation or attempt to resolve the matter informally, as this can itself constitute a failure to disclose.

Step 3 – Investigation. The MLRO or their delegate reviews the available information: transaction history, KYC file, open-source information, and sanctions screening results. The investigation must be documented in full, whether or not it results in a SAR.

Step 4 – SAR decision. If the suspicion cannot be resolved, the MLRO files a SAR via the NCA UKFIU online portal. Where a transaction is pending and consent is required, a DAML SAR must be filed before the transaction is executed.

Step 5 – Record retention. All supporting records must be retained for five years from the end of the business relationship or the date of the occasional transaction, in line with MLR 2017, Regulation 40.

Step 6 – Operational decision. The firm decides independently whether to maintain or exit the business relationship. A SAR filing does not automatically require termination, but the risk assessment must be updated to reflect the new information.

Our anti-money laundering compliance guide covers the governance and organisational requirements that underpin this process at an institutional level.

Common Questions from Compliance Forums

What actually triggers a SAR — is there a minimum threshold?

There is no minimum monetary threshold for filing a SAR under POCA 2002. The trigger is suspicion, not transaction size. A £200 transaction can warrant a SAR if the surrounding circumstances are sufficiently suspicious. The £10,000 cash monitoring threshold used in many sectors is an internal control benchmark — it is not a legal filing trigger. The standard is: would a reasonable person in your position suspect money laundering?

Is structuring always a red flag?

Yes. Structuring — deliberately breaking up transactions to stay below monitoring thresholds — is itself a typology of money laundering, regardless of whether the underlying funds are legitimate. If a customer's transaction pattern appears designed to avoid reporting obligations, that pattern constitutes a red flag in its own right and warrants immediate investigation and likely SAR filing.

Can we exit the relationship before filing a SAR?

Exiting a relationship before filing a SAR can itself constitute tipping off if the customer infers from the exit that they are under investigation. The correct sequence is: file the SAR first, then take operational decisions about the relationship. Where an immediate exit is commercially or legally necessary, take legal advice before acting and document the rationale fully.

Frequently Asked Questions

What is the difference between a red flag and reasonable grounds to suspect?

A red flag is a preliminary indicator that requires further investigation. Reasonable grounds to suspect — the legal standard under POCA 2002 s.330 — is the conclusion reached after that investigation. Not every red flag produces reasonable grounds to suspect, but every SAR must have been preceded by the identification of at least one red flag that was assessed against available evidence and left unresolved.

Who is legally responsible for filing a SAR?

The nominated officer — typically the MLRO — is the person legally responsible for making the external SAR disclosure to the NCA UKFIU. However, all staff in the regulated sector have an individual obligation to report their suspicions internally to the nominated officer as soon as practicable. Failure to make an internal report is itself a potential offence under POCA 2002 s.330 for staff who knew or suspected money laundering.

How does CheckFile support the detection of AML red flags?

CheckFile's document verification platform analyses the authenticity of identity documents, proof of address and financial records submitted during onboarding and ongoing due diligence. It identifies inconsistencies, alterations and documents originating from high-risk sources in real time. Our KYC solution for banking and financial services integrates this verification into the onboarding workflow without adding friction for legitimate customers.

What are the penalties for failing to comply with AML obligations in the UK?

Firms face unlimited financial penalties from the FCA and potential withdrawal of authorisation. At the individual level, MLRO and senior management failures can result in personal fines and prohibition orders. Under POCA 2002, criminal prosecution for failure to disclose carries a maximum sentence of five years' imprisonment. Published FCA enforcement decisions provide useful benchmarks for the level of sanctions imposed in practice.

Where can I find the FATF list of high-risk jurisdictions?

The FATF publishes two lists: the "black list" (Call for Action jurisdictions) and the "grey list" (increased monitoring). These are updated at each FATF Plenary, typically three times per year. Access current lists at fatf-gafi.org. UK firms must also have regard to the list of high-risk third countries designated by the UK government under MLR 2017, Regulation 33. Explore our pricing plans to see how CheckFile fits your compliance budget.