Money Laundering Typologies Every Compliance Team Should Monitor

June 18, 2026• 10 min readmoney laundering typologiesstructuringtrade-based launderingterrorism financing

A field guide to the money laundering and terrorism financing typologies that matter in East Africa — placement, layering and integration, structuring, mobile-money abuse, trade-based laundering and funnel accounts — and how each maps to a monitoring rule.

A monitoring rule that does not trace back to a real laundering pattern is just noise with a threshold on it. The patterns themselves — the recurring methods criminals use to move and disguise illicit funds — are called typologies, and they are the single most useful thing a compliance team can study. Know the typologies that operate in your market and you know what your transaction monitoring should be looking for, what your analysts should recognise on sight, and what your training programme should rehearse. Treat them as an afterthought and you end up with a rule book that fires on the wrong things and stays silent on the right ones.

This is a field guide to the money laundering typologies every compliance team should monitor in East Africa, written for MLROs, analysts, and the people who tune the rules. It walks through the three classical stages of laundering, then through the concrete typologies that matter most in this region — structuring, mobile-money abuse, trade-based laundering, third-party and funnel accounts, rapid pass-through, and terrorism financing indicators. For each, it shows how the pattern maps to a monitoring rule and a typology library entry. It is one chapter of the wider story told in the complete AML platform guide; the mechanics of turning these patterns into running detection logic are covered in our piece on how transaction monitoring turns typologies into rules.

The three stages: placement, layering, integration

Most typologies are variations on a three-stage model that has described laundering for decades. It remains a useful frame because each stage exposes the funds to different controls, and a good programme aims to catch them at the earliest stage it can.

Placement is the entry of illicit cash into the financial system — the cash deposit, the prepaid card top-up, the mobile-money load. This is the riskiest moment for the launderer, because raw cash has the weakest paper trail, and it is where cash-intensive controls and reporting thresholds do their work.
Layering is the movement of funds through a series of transactions designed to break the link to their origin: transfers between accounts, conversions across products and currencies, hops through intermediaries and shell entities. The aim is distance and complexity — enough steps that following the money becomes impractical.
Integration is the return of the now-laundered funds to the legitimate economy as apparently clean wealth: a property purchase, an investment, a loan repayment, an invoice settled. By this stage the money looks ordinary, which is exactly why catching it earlier matters.

No single transaction tells you which stage you are watching. The signal is in the pattern across transactions, accounts, and time — which is why typologies, not individual rules, are the right unit of thinking. Layering in particular rarely sits inside one account; it spreads across linked entities and only resolves when you can see the network, the work described in detecting layering across linked entities.

Structuring and smurfing

Structuring is the deliberate fragmentation of a large sum into many smaller transactions, each sized to stay below a reporting or scrutiny threshold. When the work is spread across several people acting as deposit-makers, it is called smurfing. The customer who knows the cash-reporting limit and consistently deposits just beneath it, day after day or branch after branch, is the textbook case.

The pattern maps cleanly to a structuring rule that aggregates activity across a window and across channels, then fires when many sub-threshold transactions sum to a figure that would have tripped reporting had it arrived as one. The same logic catches structuring across branches, across linked accounts, and across deposit-makers feeding a single beneficiary. In a typology library, the entry records the indicator — sub-threshold fragmentation — alongside the rule that detects it and the kind of evidence an analyst should expect to see, so the knowledge survives staff turnover instead of living only in one investigator's head.

Structuring is also the clearest example of why thresholds alone are insufficient. A flat value rule sees nothing, because every individual transaction is compliant by design. Only a rule that aggregates and looks for the shape of fragmentation catches it.

Mobile-money abuse

Mobile money is the defining payment rail of East Africa, and that makes it a primary laundering channel rather than a peripheral one. The same features that drive financial inclusion — instant settlement, agent cash-in and cash-out, near-ubiquitous reach — also serve the launderer who wants to place cash, move it quickly, and pull it out somewhere else.

Several distinct patterns live under this heading. Agent collusion, where a mobile-money agent processes structured cash-ins on behalf of a customer who never appears. Wallet-cycling, where funds enter a wallet and exit almost immediately, the wallet acting as a pass-through rather than a store of value. Many-to-one funnelling, where dozens of small inbound transfers from unrelated senders converge on a single wallet that promptly cashes out. Each maps to its own monitoring rule — a velocity rule for rapid cash-in/cash-out, a fan-in rule for many-to-one convergence, a peer-group rule that flags an agent or wallet behaving unlike its cohort.

The detail of these patterns, and how they surface in reporting, is covered in depth in our guide to mobile-money AML typologies and reporting. The point for monitoring is that mobile-money typologies deserve their own dedicated rules tuned to the rail's economics, not generic value thresholds borrowed from a bank-account world.

Trade-based money laundering

Trade-based money laundering (TBML) hides value inside legitimate-looking commerce. Instead of moving illicit funds directly, the launderer moves them disguised as payment for goods — and manipulates the trade documents so the money flow and the goods flow no longer match.

The classic mechanisms are mis-invoicing and phantom shipments:

Over- and under-invoicing: an invoice deliberately priced away from the true value of the goods, so value transfers between buyer and seller under cover of a trade payment.
Multiple invoicing: the same shipment invoiced several times, justifying several payments for one delivery.
Phantom shipments: payment for goods that were never shipped at all, the documentation manufactured to support a money movement.

TBML is genuinely hard to detect from transactions alone, because the suspicious element often sits in documents and pricing rather than payment amounts. Monitoring rules can still surface candidates — trade payments that are round-tripping between related parties, settlement values that diverge sharply from declared shipment values, or trade activity inconsistent with a customer's stated business. These rules tend to generate alerts that need enrichment from trade documents and entity links before they resolve, so the typology library entry should flag TBML as an enhanced-due-diligence pattern, pointing the analyst toward the document and counterparty evidence rather than expecting the transaction to speak for itself.

Third-party and funnel accounts

A funnel account collects funds from many sources in one location and disburses them in another, deliberately breaking the geographic and relational link between origin and destination. Third-party accounts — money-mule accounts opened by, or in the name of, someone other than the true beneficiary — are the building blocks that make funnelling work.

The monitoring signal is structural. A genuine personal or business account has a recognisable shape: inbound and outbound counterparties that recur, a settlement geography that fits the customer's profile, a turnover consistent with the risk assessment on file. A funnel account violates that shape — a sudden burst of inbound transfers from unrelated parties, rapid onward movement to a different region, a turnover wildly above the expected baseline. A fan-in rule, a geographic-mismatch rule, and a deviation-from-baseline rule together describe it. The typology library entry ties them to the underlying method so an analyst seeing one alert recognises the whole pattern.

This is also where customer risk assessment and monitoring reinforce each other. An account whose monitored behaviour repeatedly looks like funnelling should feed back into its risk rating, and a customer whose profile already signals exposure to mule recruitment should be watched more closely — the loop we describe in treating typology exposure as a CRA risk factor.

Rapid movement and pass-through

Pass-through, sometimes called rapid movement or U-turn activity, is layering in its purest form: money arrives and leaves almost immediately, the account serving only as a transit point. The hallmark is that money in roughly equals money out within a short window, with little or no balance retained and no economic purpose to the stop.

This maps to a velocity rule that watches the relationship between inbound and outbound flow over hours rather than days, fires when the two match closely with minimal residence time, and weights dormant-then-active accounts heavily — a long-quiet account that suddenly becomes a busy conduit is a strong signal. Pass-through rarely confines itself to one account; it chains across several, which is why the rule that flags a single hop should hand off to entity resolution to reveal the chain. The typology library entry records both the single-account indicator and the network pattern it usually belongs to.

Terrorism financing indicators

Terrorism financing is not simply money laundering in reverse, and monitoring it requires a different mindset. Laundering hides the source of large illicit sums; terrorism financing often moves small amounts of money that may be entirely legitimate in origin toward an illegitimate end. Value-based thresholds, the backbone of laundering detection, are weak here precisely because the amounts can be modest.

The indicators that matter are behavioural and contextual rather than value-driven:

Small, structured transfers to or from higher-risk jurisdictions or conflict-adjacent regions that do not fit the customer's profile.
Funds flowing through accounts linked to non-profit or charitable structures in ways inconsistent with their stated purpose.
Many small contributions converging on an account that disburses to a higher-risk corridor — a collection-and-forwarding shape.
Any nexus to sanctioned or watchlisted parties surfaced by screening, which should always be read alongside transactional behaviour.

These map to rules built on corridor risk, counterparty context, and screening overlap rather than amount alone, and they almost always require human judgement to resolve. The typology library entry should be explicit that terrorism financing is a context-driven pattern, so analysts do not dismiss a small but suspicious transfer because it failed to cross a value threshold.

From typology to rule to filing

Recognising a typology is the start; operationalising it is the work. In a mature programme each typology lives as a structured entry in a typology library, linked to the monitoring rules that detect it and the evidence those rules should surface. The Creodata AML Platform builds this in: transaction monitoring ships with a starter pack of more than thirty typology-aligned rules and a typology library, a rule DSL with a back-test harness and a tuning lab so you can validate a rule against history before promoting it, and versioned rule promotion so every change is traceable. Rules can run in batch over historical data or evaluate streaming activity as it lands, and every alert carries the evidence behind it one click away.

When a typology-driven alert becomes a confirmed suspicion, it moves to a suspicious-transaction report. The reporting layer expects each report to carry the indicator codes that classify the suspected typology — but those codes, and the filing mechanics around them, belong to the reporting cluster, not to monitoring. We map typologies to their filing indicators in the STR indicator library for AML typologies in Kenya, and the filing lifecycle itself runs through the goAML Reporting Platform. If your team needs to build the typology library and the rules around it from scratch, that is the kind of work our financial-crime compliance advisory supports.

Frequently asked questions

What is the difference between a money laundering typology and a monitoring rule?

A typology is the underlying method — the recurring pattern of behaviour, such as structuring or funnel-account funnelling, that criminals use to move illicit funds. A monitoring rule is the testable condition that detects that pattern in your transaction data. One typology usually needs several rules to cover its variants, and a good typology library links each typology to the rules that detect it and the evidence those rules should produce.

Which typologies matter most for East African institutions?

Mobile-money abuse is distinctive to this region and deserves dedicated rules tuned to the rail's economics. Structuring, third-party and funnel accounts, rapid pass-through, and trade-based laundering are all prevalent. Terrorism financing indicators matter wherever institutions touch higher-risk corridors. The right mix depends on your products, customers, and jurisdictions — which is why the typology library should be configurable rather than fixed.

Can rule-based monitoring catch every typology?

No. Rules detect patterns you have already described, so a genuinely novel method passes unnoticed until someone writes a rule for it. That is why mature programmes pair an explicit rule pack with behavioural detection and a tuning lab that lets analysts back-test new rules against history. Typologies that hide in documents, such as trade-based laundering, also need enrichment from entity and document evidence before a transactional alert resolves.

How do typologies connect to STR filing?

When monitoring confirms a suspicion, the resulting suspicious-transaction report carries indicator codes that classify the suspected typology for the financial intelligence unit. Those codes and the filing process are handled by the goAML reporting cluster; the monitoring side's job is to detect the pattern and assemble the evidence. We cover the mapping from typology to indicator code separately so each layer stays focused on its own responsibility.

Knowing the typologies is half the discipline; running the rules, evidence, and tuning that turn them into reliable detection is the other half. Book a demo of the Creodata AML Platform to see the typology library, the starter rule pack, and the back-test and tuning workflow that keep your monitoring aligned with the patterns that actually operate in your market.

Adverse Media Screening: Catching the Risk Sanctions Lists Miss
Sanctions and PEP lists only show known, designated risk. Adverse media screening surfaces the rest — how negative-news screening works, how to filter for relevance and recency, and where it fits in onboarding, EDD and periodic review.
Audit-Ready AML: Evidence-First Investigations and the Four-Eyes Principle
When an examiner asks you to walk through a single decision, can you? How an append-only audit trail, evidence-first design and the four-eyes principle make every AML decision reconstructable — and inspections far less painful.
AML Case Management: From Alert to Disposition Without Losing the Audit Trail
A walk through the AML case lifecycle — queue assignment, the RFI cycle, SLA management, linked-case investigation, EDD, escalation, and the decision to file or close — built so every step leaves an audit trail.
Why AML Detection Fails Without Data Quality: Ingestion, Mapping, and DQ Rules
No monitoring rule can catch what bad data hides. How disciplined ingestion, field mapping, source certification and data-quality rules give your AML platform the clean, complete data it needs to detect and report accurately.