Full Report
Editor's note: The following blog post originally appeared on Levi Gundert's Substack page.

## Introduction

A past conversation with an undercover federal agent who specializes in money laundering revealed staggering amounts of currency moving across geographic boundaries, skirting traditional Anti-Money Laundering (AML) processes. From local and transnational crime syndicates to presidential spouses and those looking to evade sanctions or tax regimes, the need to wash and move illicit funds into reputable banking channels has never been greater. The FT's recent AML coverage highlights the scale of the problem and provides timely background reading on money laundering networks, suspects, and indictments. One story is particularly relevant as it centers around proof of address compliance failures. Coincidentally, address verification is precisely the problem highlighted by a recent Recorded Future Payment Fraud Intelligence (PFI) report.

## Big Fraud and a Hong Kong Address

The address in question is:

12th Floor, San Toi Building, 137-139 Connaught Road Central, Hong Kong

Figure: The San Toi Building (and 12th-floor visual estimate) provided by Google Maps.

The address is linked to two scam website (fraud) clusters, designated "Misspelled" and "Brand as a Cover," which share merchant accounts and payment processing logic. The three merchant accounts include CAMHUBSTORE, AQAPAY*xmvmxft, SMARTTECHHK, and gracefashionhub. Hundreds, if not thousands, of scam websites are connected to these merchants.

Figure: A scam website snapshot.

Figure: A victim articulates why Camhubstore is a scam site.

These merchant accounts that process payments for fraudulent, non-existent goods are tied to the 12th floor of the San Toi Building as the registered business address. The address is even placed directly on some of the sites as a contact address.

Here's where it gets interesting. The address is listed on the U.S. Treasury OFAC list for ties to an Iranian terrorism group. The 12th floor is presumably large enough to house multiple businesses and likely sufficiently small such that businesses transit through reasonably often. Of course, it would be difficult to draw a direct connection between these merchant accounts and terrorism based on a shared space address. Still, other questions remain, namely: how are these scam merchants acquiring the ability to process payment cards when their physical address is on the OFAC list?

## Remedying AML / KYC Compliance Failures

Knowing your customer (KYC) might be difficult when bad actors go to great lengths to obscure their identity and purpose, but this is an egregious case of acquiring banks and payment processors missing obviously problematic contact details.

Geoff White's book, The Lazarus Heist, documented that even routine checks can lead to better outcomes. In it, White details North Korean hackers' inability to transfer a more significant amount (hundreds of millions of dollars) from Bangladesh Bank to a bank branch in Manila because the branch is located on Jupiter Street, and "Jupiter" is also the name of a sanctioned Iranian shipping vessel. Addresses matter.

Suppose the US pursues a more friendly regulatory environment for cryptocurrencies under President Trump, and exchanges find it easier to acquire bank accounts. In that case, the potential for money laundering may explode without rigorous AML / KYC / KYT efforts. The SEC may have fewer teeth, but banks and processors are still gambling if anyone can obtain a merchant account with little to no compliance checks. Indeed, the business incentives are aligned to offer maximum merchant accounts to generate more processing fees, and historically, compliance costs have eroded profitability. However, this may be an emerging opportunity for GenAI.

Semi-autonomous agents trained to flag basic AML violations (for example, website contact details listed on OFAC, perhaps) and elastic agents that deploy on demand when a new merchant application is submitted would assist AML compliance efforts and help the financial services industry grappling with a tsunami of fraudulent merchant transactions.
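
The check proposed above, flagging merchant contact details that match an OFAC-listed address, fails as an exact string comparison once formatting varies. The following is an added example (not from the original post or from Recorded Future's tooling) that normalizes addresses into token sets before comparing them; the single-entry watchlist, the abbreviation map, the 0.8 threshold and all sample addresses are constructed assumptions.

```python
import re

# Constructed watchlist: the one address the post says is on the OFAC list.
# A real pipeline would load address records from the published sanctions data.
WATCHLIST = ["12th Floor, San Toi Building, 137-139 Connaught Road Central, Hong Kong"]

# Assumed abbreviation map for illustration; extend it per jurisdiction.
ABBREV = {"fl": "floor", "bldg": "building", "rd": "road", "hk": "hong kong"}

def normalize(addr):
    """Reduce an address to a set of canonical lowercase tokens."""
    s = addr.lower()
    s = re.sub(r"(\d+)\s*/\s*f\b", r"\1 floor", s)    # "12/F" -> "12 floor"
    s = re.sub(r"(\d+)(?:st|nd|rd|th)\b", r"\1", s)   # "12th" -> "12"
    # Split digits glued to letters: "139connaught" -> "139 connaught"
    s = re.sub(r"(?<=\d)(?=[a-z])|(?<=[a-z])(?=\d)", " ", s)
    s = re.sub(r"[^a-z0-9]+", " ", s)                  # punctuation -> space
    tokens = []
    for tok in s.split():
        tokens.extend(ABBREV.get(tok, tok).split())    # expand abbreviations
    return frozenset(tokens)

def naive_match(addr):
    """Exact string comparison, the check that formatting noise defeats."""
    return addr in WATCHLIST

def screen(addr, threshold=0.8):
    """Return (watchlist_entry, jaccard_score) pairs at or above threshold."""
    cand = normalize(addr)
    hits = []
    for entry in WATCHLIST:
        ref = normalize(entry)
        score = len(cand & ref) / len(cand | ref) if cand | ref else 0.0
        if score >= threshold:
            hits.append((entry, round(score, 3)))
    return hits

if __name__ == "__main__":
    samples = [
        "12th Floor, San Toi Building,137-139Connaught Road Central, Hong Kong",  # constructed: spacing lost
        "12/F San Toi Bldg, 137-139 Connaught Rd Central, HK",                    # constructed: abbreviated
        "8th Floor, Example Tower, 200 Connaught Road Central, Hong Kong",        # constructed: unrelated
    ]
    for s in samples:
        print(naive_match(s), screen(s), s)
```

Scores below 1.0 but above the threshold (for example, the same building with the floor omitted) are best routed to an analyst rather than auto-declined, since the post notes that a shared floor address alone does not establish a connection.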
Analysis Summary
# Regulation/Compliance: Anti-Money Laundering (AML) and Know Your Customer (KYC) Enforcement in Global Fraud Ecosystems
## Overview
This synthesized summary covers the implicit regulatory requirements related to Anti-Money Laundering (AML) and Know Your Customer (KYC) frameworks, particularly as they expose organizations to risks associated with financing terrorism ('Fraud Funding Terrorism') and interacting with sanctioned entities, often through complex globalized fraud networks involving physical addresses (like Hong Kong) and cryptocurrency exploitation.
## Key Details
- Issuing Authority: **Multiple Global Regulators** (e.g., FinCEN in the US, FCA in the UK, FATF internationally). Specific mandates stem from existing AML legislation (such as BSA, 5AMLD).
- Effective Date: **Not a new regulation**, but highlights existing, perpetually effective AML/KYC obligations.
- Jurisdiction: **Global**, focusing on entities operating internationally, particularly those dealing with cross-border transactions, cryptocurrency, and high-risk geographic areas.
- Status: **In Effect**. Failure to adhere to existing mandates is the focus.
## Requirements
### Mandatory Requirements
1. **Enhanced Address Verification:** Organizations must implement robust processes to verify physical addresses associated with customers and transactions, as addresses can link to sanctioned entities or fraud rings.
2. **Sanctions Screening:** Mandatory and continuous screening against global watchlists (OFAC, UN, EU, etc.) for all involved parties (customers, beneficiaries, related entities).
3. **KYC/CDD Compliance:** Adherence to Know Your Customer (KYC) and Customer Due Diligence (CDD) protocols sufficient to detect the movement of illicit funds, including identifying complex ownership structures.
4. **Transaction Monitoring:** Implementing systems to monitor and flag suspicious transaction patterns, especially those involving cryptocurrency-to-fiat conversions or transfers through high-risk jurisdictions.
### Recommended Practices
1. **Proactive Routine Checks:** Utilizing scheduled or routine verification methods, rather than relying solely on initial intake, to catch evolving risk profiles (as highlighted by case studies like "The Lazarus Heist").
2. **Leveraging Advanced Technology:** Implementing advanced technologies (e.g., semi-autonomous, elastic agents) to manage the *cost* of compliance while improving detection accuracy across global data sources.
3. **Comprehensive Crypto Tracing:** Developing specific capabilities to trace funds across complex digital asset exchange ecosystems.
## Affected Organizations
- Industries: **Financial Institutions (Banks, MSBs), Cryptocurrency Exchanges (VASP)**, and any entity facilitating international cross-border payments or high-value transactions.
- Organization Size: **All sizes**, though larger organizations often face greater scrutiny due to higher volumes and complexity.
- Geographic Scope: **Globally**, particularly those interacting with high-risk jurisdictions or dealing with cross-border transactions.
## Compliance Timeline
- **Existing Obligations:** Compliance with extant AML/KYC laws is perpetual.
- **Remediation Deadlines:** Determined by regulatory findings following an audit or enforcement action, often requiring immediate remediation plans.
- **Final deadline:** Continuous compliance is required; there is no single external deadline for adherence to existing laws.
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Perform a deep audit of current KYC/CDD procedures, specifically mapping them against known methodologies used in sophisticated global fraud (e.g., address misuse, crypto exploitation).
- **Data Completeness Check:** Verify the quality and currency of data used for sanctions screening and adverse media checks across all onboarding profiles.
### Implementation Phase
- **Integrate Address Intelligence:** Upgrade onboarding systems to utilize enhanced geographic risk scoring tools.
- **System Upgrade:** Invest in or deploy advanced monitoring solutions capable of elastic scaling to manage transaction volume without overwhelming compliance staff.
### Validation Phase
- **Scenario Testing:** Conduct stress testing on monitoring systems using simulated "sneaky ways" cybercriminals move funds (e.g., micro-deposits, layered crypto transfers).
- **Internal Audit:** Regularly re-verify the efficacy of new controls against current threat intelligence.
## Technical Requirements
- **API Integration:** Need for real-time integration with official sanctions lists and high-risk entity databases.
- **Data Enrichment:** Capability to enrich basic customer data (especially addresses) with external risk intelligence providers.
- **Process Automation:** Utilizing automation, potentially including AI/ML driven models, to handle the high throughput of transactional data involved in combating sophisticated fraud.
## Penalties & Enforcement
- Fines: **Significant and escalating fines** based on the severity and duration of the violation, often tied to the volume of transactions processed in breach of compliance (e.g., violations of the Bank Secrecy Act or EU AML Directives).
- Other Consequences: **Reputational damage, revocation of operating licenses**, and potential criminal penalties for senior management involved in willful evasion.
- Enforcement: **Regulatory examinations, mandatory independent monitoring**, and civil/criminal litigation initiated by bodies like FinCEN, DOJ, or international counterparts.
## Related Standards
- **FATF Recommendations:** The 40 Recommendations provide the international benchmark for AML/CFT compliance, directly addressing risk assessment and due diligence.
- **NIST (Conceptual Alignment):** While not directly AML, NIST Cybersecurity Framework principles for **Identify** and **Protect** functions inform the necessary technological controls required to secure and verify customer data integrity.
## Resources
- Official Documentation: **The governing AML/CFT legislation** for the entity's primary jurisdiction (e.g., FinCEN advisories, EU AMLD summaries).
- Guidance Documents: **FATF Guidance relating to risk-based approaches and new technologies (e.g., VASPs)**.
- Tools: **Sanctions screening software and transaction monitoring platforms.**
## Practical Recommendations
1. **Prioritize Data Quality:** Treat customer address and identity data as mission-critical risk indicators, not mere administrative fields.
2. **Automate Level 1 Screening:** Offload repetitive, high-volume screening tasks to technology to free human analysts for complex, nuanced investigations (like tracing crypto movement).
3. **Review Technology ROI:** Evaluate current compliance technology not just on its cost, but on its ability to reduce residual risk exposure linked to sophisticated global fraud, justifying investment in advanced tooling.