Echelon Studio

Deloitte on Tackling Modern Money Laundering in Sri Lanka

Illicit financial flows are evolving with technological advancements, demanding adaptive responses

L-R: Muzawwir Manzeer, K.V. Karthik, Vengadasalam Balagobi

The evolving landscape of money laundering presents a complex challenge for Sri Lanka’s financial and regulatory sectors. Sri Lanka’s unique economic and regulatory environment, characterised by diverse sectors that range from banking to real estate and luxury goods, requires a multifaceted approach to combating illicit financial flows. The intricacies of corporate ownership, emerging technologies such as virtual currencies, and challenges in data accessibility and accuracy all add layers of complexity to detection and compliance efforts.

Moreover, the expansion of anti-money laundering (AML) responsibilities beyond traditional banks is a reflection of growing recognition that money laundering can infiltrate many corners of the economy, often hiding behind market innovation. As global standards tighten, the country continues to navigate the demands of international bodies like the G7’s Financial Action Task Force (FATF), striving to align with rigorous anti-money laundering frameworks.

In this excerpt from a discussion with K.V. Karthik, Partner and Leader – Forensic & Financial Crime of Deloitte India; Muzawwir Manzeer, Partner – Audit and Assurance of Deloitte Sri Lanka; and Vengadasalam Balagobi, Cyber Leader of Deloitte Sri Lanka and Maldives; Echelon explores how ongoing vigilance, data governance, and adaptive risk management strategies are essential to safeguard Sri Lanka’s financial integrity and its global reputation.

What forces are shaping the money laundering landscape right now?

Karthik: In a discussion about anti-money laundering, it’s important to get some perspective. These laws were created in response to illicit funds being funnelled into the financial system, because you need strong laws and regulations that are capable of preventing such misuse as well as detecting any incidence of it.

Given that money laundering is a global problem with cross-border implications, there has been a global push for AML standards spearheaded by the Financial Action Task Force, an international intergovernmental body. The FATF is a standard-setting body which sets, develops and promotes AML and countering the financing of terrorism (CFT) standards, known as the FATF Recommendations, and assesses how countries comply with these standards. If you fail to meet these standards, your country would be in danger of being grey-listed or blacklisted.

Muzawwir: There are 40 FATF recommendations that Sri Lanka has to stay in compliance with, and the country’s past two reviews have highlighted some areas for improvement. We were placed on the FATF’s grey list earlier. This is not as bad as being blacklisted, but it does have implications for the country’s economy and foreign fund flows as it marks us as a high-risk entity.

Should we want to export to another country, the buyer’s bank may take note of our grey list status and delay payments from being made.

Fortunately, Sri Lanka is currently not on the grey list. We completed a national risk assessment and made significant enough progress to address those deficiencies and enhance our compliance ratings. The amendments made to our laws helped. Still, the next routine assessment is due in March 2026, so we need to make sure we are prepared for this assessment and demonstrate satisfactory compliance to these recommendations.

Karthik: A grey listing simply means there are significant deficiencies in the AML regime. The moment these deficiencies are addressed, you would be taken out of the grey list.

Every country undergoes periodic reviews and evaluations. Reviews are necessary to assess a country’s compliance with the FATF Recommendations and the effectiveness of its anti-money laundering and counter-terrorist financing systems with the strengthened standards and addresses evolving new threats. While Sri Lanka has addressed some gaps identified in the previous reviews, the focus should be on evolving risks. For example, cash-related money laundering has evolved and now extends to virtual currencies.

Money laundering techniques have evolved, and so laws and regulations have to evolve with them. This is the time for Sri Lanka to demonstrate its fight against money laundering by showcasing its compliance to FATF standards.

Between cash, trade, and virtual currency, where does Sri Lanka’s biggest challenge with money laundering lie?

Muzawwir: The most challenging aspect lies in data gathering. For instance, banks are encouraged to maintain accurate Know Your Customer (KYC) information, and this is reasonably straightforward for individuals. You may need only to produce your national ID, have it checked securely, and that’s the end of it.

On the other hand, corporate ownership complicates matters. By law, any shareholder holding over 10% of a company must be disclosed as a beneficial owner. An amendment to the Companies Act, signed on August 4th, mandates firms to maintain an updated register of such owners. The responsibility for accuracy falls on the authorised directors via the company secretary. Failure to maintain or update this data correctly triggers penalties.

This is unfamiliar territory for many. Complex ownership structures, with multiple layers of subsidiaries and cross-holdings, make it difficult to trace the ultimate beneficial owner. Regardless, such transparency is critical. Without it, shell companies can be used to mask illicit transactions, making the monitoring of individuals far simpler than identifying money laundering through corporate structures.

What steps should companies take to handle data effectively so they can meet anti-money laundering requirements and operate credibly worldwide?

Balagobi: Anti-money laundering monitoring in Sri Lanka is largely limited to banks and financial institutions, many of which comply with information security standards such as ISO 27001. This offers both internal assurance and external credibility.

From an AML perspective, institutions must scrutinise how transaction data is collected, secured, and processed, and these issues sit squarely at the intersection of cybersecurity and information governance. Typically, organisations operate with two layers: a core banking system and a data warehouse. Transaction data flows from the former to the latter, which provides data for monitoring. Securing both layers is vital. Accurate data must be preserved as it moves, with strict controls on who accesses the warehouse.

These systems must be isolated from external networks since exposure to the internet could create vulnerabilities such as unauthorised access, data breaches, or malware attacks. The integrity of AML monitoring depends on securing this entire data pipeline, beginning with initial capture and going all the way through to final analysis.

Is anti-money laundering only a problem for the financial sector?

Karthik: The short answer is no. Financial institutions have historically been considered the focus of anti-money laundering efforts, but this is no longer true. If you look at the FATF’s guidelines, you’ll see they now extend to designated non-financial businesses and professions (DNFBPs), which include lawyers, accountants, casinos, jewellers, real estate agents, and more. In Sri Lanka, it also includes trust and company service providers.

National risk assessments help identify sectors most vulnerable to money laundering. In Sri Lanka, many DNFBPs are now formally classified as reporting entities. As such, they are subject to the same legal obligations as banks: to implement compliance systems and report suspicious activity to the Financial Intelligence Unit (FIU).

Money laundering is no longer just a banking problem.

Are DNFBPs under the same pressure from regulators as financial institutions?

Muzawwir: Non-financial businesses are designated as AML reporting entities due to their proximity to both legal and illicit financial activity. Accountants and lawyers, for instance, often have early visibility into corporate transactions and structures, making them well-positioned to detect irregularities.

Meanwhile, luxury assets such as gems offer an ideal vehicle for money laundering, given that large sums of cash can be converted into high value, easily transportable goods. These sectors are thus profiled not because they handle money directly, but because they facilitate its concealment. Though such transactions ultimately pass through banks, the source and intent can be obscured, unless these non-financial entities are themselves subject to record-keeping and compliance obligations.

Karthik: To add to this, the principles behind anti-money laundering compliance are the same whether they involve the financial or non-financial sectors. Each sector may have a specific regulator with its own guidelines, be it for banks, real estate, or casinos, but they all follow a common framework that is built on four pillars of compliance.

The first of these is risk assessment. Organisations must adopt a risk-based approach, identifying areas of highest vulnerability without neglecting lower-risk activities. The second is customer onboarding: all entities, from banks to casinos, must apply KYC procedures. The third is transaction monitoring, which is essential. Institutions must ensure that customer behaviour aligns with expected profiles.

For example, if a salaried individual suddenly begins receiving large cash deposits, this is suspicious, and it should trigger an assessment. The final pillar requires institutions to report suspicious activity to the FIU. They are not an investigation agency, but they must flag any unusual activity that suggests illicit funds may be being laundered.

How can money laundering occur outside a banking environment?

Karthik: Anti-money laundering extends well beyond banking. Take insurance: a person might purchase a long-term life policy, paying premiums in cash over several years. If they later cancel the policy, the refunded amount, which is now seen as legitimate, effectively launders illicit funds.

Similar risks exist across capital markets, where pump-and-dump schemes may mask the origins of funds. In casinos, large cash flows can be disguised as winnings.

Each sector must adopt a risk-based approach, tailoring monitoring systems to detect scenarios unique to its businesses. Whether in insurance or gambling, the goal is always to understand your risks, monitor transactions accordingly, and flag anomalies. Without clarity on what to watch for, compliance becomes directionless.

Muzawwir: While sectors like banking are tightly governed, others are overseen by professional bodies.

One common challenge lies in outdated customer profiles. Many individuals open accounts early in life, such as students or junior professionals, but fail to update their status over time. In this way, a student may later become a lawyer or accountant. While some professions may be considered higher-risk under AML frameworks, financial institutions cannot accurately assess customer risk without regular updates. This undermines the entire risk-based approach that is central to effective AML monitoring. It is every individual’s responsibility to ensure their records accurately reflect their status.

Karthik: Each industry faces distinct money laundering risks because they each have unique vulnerabilities. To address this, regulators and industry bodies engage in public-private partnerships and thematic studies. These exercises map sector-specific risks. For instance, in banking, Sri Lanka’s National Risk Assessment (NRA) has flagged hawala transactions as high-risk, while trade finance products are assessed as medium-risk. Similar exercises across sectors help define where threats lie. This collaborative approach informs the design of targeted controls, ensuring that compliance frameworks evolve in line with industry-specific exposures.

Balagobi: With Sri Lanka’s Personal Data Protection Act nearing full enforcement, a data subject, which is an individual whose personal data is held in any system, is now entitled to have their information remain accurate and up to date. The issue is that this right is largely not exercised. In practice, financial institutions often fail to trigger reviews of outdated KYC profiles. A customer who joined as a trainee may still be listed as such years later, even after receiving products like credit cards or loans. Systems rarely flag these inconsistencies.

For effective compliance, institutions must monitor changes in customer behaviour, such as increased account activity or salary credits, and prompt updates to risk profiles accordingly. KYC is not a one-time exercise but an ongoing obligation, tied to both privacy law and AML oversight.

Muzawwir: Most individuals hold multiple bank relationships/accounts, perhaps with one opened as a student, another tied to a credit card, and a third linked to a loan. Each institution may hold a different version of the customer’s profile. This fractured KYC data, therefore, represents a structural weakness in Sri Lanka’s banking system.

For one, the fracture leads to gaps in risk profiling. A bank that offers a credit card may hold the most current information, while another, where the account was opened years earlier, would have outdated data. A knowledgeable individual could possibly exploit this by transacting through banks where they remain categorised as low-risk, thereby avoiding the enhanced due diligence checks required for high-risk customers. Without a centralised or interoperable KYC framework, financial institutions lack a unified view of customer behaviour.

What kind of investment does AML compliance involve?

Karthik: It should be noted that compliance, while non-negotiable, carries a significant cost for financial institutions. Meeting AML obligations, such as KYC, transaction monitoring, and alert review, requires investment in technology, processes, and skilled personnel.

Despite this investment, the return is asymmetrical. The volume of alerts generated by monitoring systems far exceeds the number of suspicious transaction reports (STRs) that are ultimately filed. Further, every alert must still be assessed, incurring considerable operational expense. Compliance is a regulatory duty, but it is also a resource-intensive undertaking.

Take cash transaction reporting: if the threshold is Rs10 million monthly, a money launderer will simply stay just below it, transacting Rs8–9.5 million repeatedly over time. To catch this, systems must go beyond static thresholds. They must detect patterns, such as frequent, sub-threshold transactions over consecutive months, and cross-reference them with customer profiles. A grocer handling regular cash might raise no concern, while the same pattern from a salaried employee might be suspicious.

However, without accurate and current KYC data, systems are liable to produce excessive false positives, and the cost to review these alerts is the same. The better the profiling, the fewer the false flags, and the lower the operational burden of compliance.

How should organisations approach the cost of compliance?

Balagobi: Compliance is essential, regardless of cost. Financial institutions face a trade-off between investing in technology and manpower for transaction monitoring. Implementing technologies like AI can reduce resource expenses, but real-time monitoring drives up technological costs or demands more staff for oversight.

Currently, suspicious transactions are flagged with a delay, after data is processed through local systems and warehouses. This lag is standard practice in the region. Real-time detection, while more expensive, improves monitoring efficiency and reduces manual effort, especially when augmented with AI. Ultimately, the decision to prioritise real-time systems depends on the institution’s cost-benefit analysis.

Karthik: This perspective highlights a crucial distinction in financial crime management. Fraud demands real-time transaction monitoring to prevent losses immediately, because once a fraudulent transaction occurs, the bank often bears the cost. Stopping fraud as it happens is essential.

Money laundering, however, operates differently. The focus is on suspicious transaction reporting after that transaction has happened. A money launderer may already hold an account and conduct transactions; the bank’s role is to identify and report suspicious activity to the Financial Intelligence Unit. If you halt a transaction instantly, you risk alerting the suspect, which is prohibited under AML rules. This means AML monitoring is typically retrospective, taking place post-transaction, and regulators expect timely reporting, often within days, not instantaneously. The balance lies in effective detection without alerting criminals, unlike fraud prevention, where immediate intervention is necessary.

How comprehensive and rigorous is Sri Lanka’s legal framework for financial crime, and what challenges do financial institutions face within it?

Muzawwir: Recent legislative developments reflect efforts to align with FATF recommendations and strengthen the AML framework. Key laws include the Suppression of Terrorist Financing Act, Prevention of Money Laundering Act, and Financial Transaction Reporting Act. Notably, the Proceeds of Crime Act was introduced to enable asset seizure and prosecution, addressing previous legal gaps. Amendments to the Companies Act, as well as upcoming changes targeting casinos and real estate sectors, further enhance regulatory coverage.

Compliance progress is critical ahead of the next FATF evaluation in March 2026. Enforcement requires not only rules but also active adherence, similar to traffic signals needing police enforcement to ensure compliance. The Financial Intelligence Unit is advancing these efforts, but it is essential to sustain commitment across each institution.

Where does Sri Lanka stand with regard to the upcoming FATF review?

Muzawwir: The legal framework may be robust, but implementation is an area which requires more sustained effort. To oversee progress, a retired Supreme Court judge has been appointed to monitor enforcement, and the FIU is conducting regular inspections of financial institutions.

As previously pointed out, banks, finance companies, and insurers generally have established monitoring systems and compliance experience. The real challenge lies with the DNFBPs. Globally and in Sri Lanka, integrating these sectors into the AML framework is not easy, given their diverse nature and varying levels of readiness. It is critical to ensure their compliance, but this has remained difficult to achieve.

Karthik: It is important to remember that FATF reviews work on two levels. To begin with, the technical assessment looks at a country’s legal framework, including laws, regulations, and structures, to check formal compliance with FATF standards, including coverage of DNFBPs.

The second, more critical phase examines immediate outcomes. Here, assessors engage with institutions to see if the rules are understood and effectively applied in practice. This operational testing often reveals gaps between written regulations and real-world implementation.

Beneficial ownership transparency is one of the more notable challenges here, and implementation is only now becoming operational. In the coming months, particularly the next 28 weeks before the evaluation, it will be crucial to demonstrate that Sri Lanka’s AML framework is not only compliant on paper but also effective in practice.

Can you explain how money laundering typically occurs, what the main stages and types are, and how recent updates to Sri Lanka’s legal framework aim to address these issues?

Karthik: Money laundering unfolds in three stages: placement, layering, and integration.

Placement is the initial step where illicit cash enters the financial system. For example, a drug dealer might deposit small amounts into multiple bank accounts or purchase real estate with cash, later mortgaging the property to legitimise funds. Similarly, gold loans or pawn shops can serve as entry points.

Layering aims to obscure the money’s criminal origin by complex transactions, perhaps transferring funds across numerous accounts, using shell companies, or conducting multiple transfers, to distance the illicit proceeds from their source.

Integration is the final phase, where laundered funds re-enter the economy in an apparently legitimate manner. After layering, the money might be consolidated into a seemingly lawful account or reinvested through cash-based activities like gambling winnings.

Regulatory frameworks focus on these stages through Know Your Customer protocols and transaction monitoring. For example, casinos must report large cash deposits linked to identified individuals, enabling investigations into fund origins.

Transaction monitoring scrutinises whether activities align with a customer’s profile and business logic. Unusual transfers, such as unrelated parties conducting high-value transactions, raise red flags. By examining these patterns, AML systems seek to detect and disrupt money laundering at each stage.

From an operational standpoint, how do financial institutions manage money laundering risks when transaction data is spread across multiple systems, warehouses, or time frames?

Balagobi: One major hurdle is the technology cost, because maintaining and analysing large volumes of transaction data is expensive. For example, a large bank may process 200,000 to 300,000 transactions daily, with 10-20% flagged as suspicious, leading to immense data retention needs.

Another critical issue is information silos. Banks and financial institutions don’t share transaction data with competitors, making it difficult to detect patterns that span multiple entities. Without cross-institutional data sharing, tracking suspicious flows or linked parties is slow and inefficient.

A potential solution could be a centralized data repository, such as the Credit Information Bureau (CRIB) of Sri Lanka, where institutions can pool transaction data for better pattern recognition and risk assessment. Regulators like the FIU could spearhead such initiatives to enhance AML effectiveness and reduce operational burdens.

Karthik: When we talk about compliance as a cost, one of the most significant drivers is KYC requirements. Every financial institution must verify a customer’s identity, address, source of funds, and so on. In higher-risk cases, they also require more detailed background information. This process is repeated across institutions and must be periodically refreshed, depending on the customer’s risk profile.

This repetition creates inefficiencies, both in time and manpower, adding to compliance costs. A centralised KYC (cKYC) system addresses this by storing verified customer data, either individual or corporate, in a single repository. Banks and financial institutions can then access this information during onboarding, reducing duplication.

For corporates, cKYC also captures beneficial ownership details. This has the effect of improving transparency. While institutions may still need to verify or supplement data based on their internal policies, the central system significantly cuts down on the effort.

Crucially, cKYC also enables automatic updates. If a customer updates their information at one institution, it can be pushed to others, keeping all parties in sync. This eliminates the need for banks to approach customers repeatedly for re-KYC, and it helps maintain data quality, standardisation, and compliance efficiency. In short, cKYC offers a scalable, cost-effective model to streamline one of the most burdensome aspects of financial compliance.

In India, was this implemented alongside the digital ID initiatives?

Karthik: Yes, India’s central cKYC initiative is closely tied to the country’s broader digital identity infrastructure. This is particularly true in the case of Aadhaar, a unique biometric ID that covers most of the population. Aadhaar became the backbone of identity verification, enabling institutions to validate individuals quickly and at scale. However, Aadhaar is not mandatory for all financial services.

The system is designed to accept multiple forms of ID, including PAN, which is the tax ID, and other government-issued documents. This flexibility allows individuals to open accounts using different credentials. But once these records feed into the central KYC registry, deduplication algorithms match overlapping data points, such as the name, date of birth, and biometric info, to identify that it’s the same individual, even if different IDs were used at different institutions. The success of India’s cKYC system lies not in relying on a single ID, but in interoperability, backend integration, and data integrity. Crucially, the supporting systems are designed to be tamper-resistant, helping mitigate the risk of fraud or identity manipulation.

While Aadhaar gave the ecosystem a strong identity layer, India’s cKYC evolved as a multi-ID, technology-driven infrastructure aimed at reducing compliance costs and improving onboarding efficiency across the financial sector.

There are multiple approaches that can be taken; there is no single perfect solution. The critical factor is that it has to be resistant to fraud or manipulation.

How could a financial institution that wants to remain fully compliant approach investigating a potential money laundering case?

Karthik: The foundation of any effective financial crime framework rests on the four pillars we discussed earlier: risk assessment, customer due diligence, transaction monitoring, and reporting. They form the operational backbone of compliance, so they are not optional.

However, the challenge goes beyond anti-money laundering, because institutions must also grapple with countering the financing of terrorism. While AML concerns itself with integrating illicit funds into the financial system, CFT addresses a subtler risk: legitimate money used for illegitimate ends.

This distinction has practical consequences. In AML, thresholds like large cash deposits often trigger scrutiny. In CFT, the sums may be small, but the intent is far more dangerous. A Rs10,000 transaction might seem trivial under AML standards, but it is more likely to raise flags under CFT criteria. As a result, financial institutions and other reporting entities must maintain compliance frameworks, equipped to detect both money laundering and terrorist financing. Different patterns, different risks, but the same expectation: proactive, risk-based oversight.

Muzawwir: Think of compliance like a health check. Just as we undergo medical tests to assess our physical condition, institutions should periodically review their compliance fitness. They may conduct internal risk assessments or bring in external experts or consultants to evaluate whether regulatory requirements are being met. The outcome is a diagnostic: a compliance report that highlights strengths, gaps, and areas that are in need of improvement. Like a doctor’s report, it tells you whether you’re fit or at risk and guides your next steps. It’s a simple but essential exercise to ensure your institution stays healthy in the eyes of the regulator.

Karthik: In compliance, we typically abide by the “three lines of defence” model. The first line handles day-to-day risk, the second line oversees and advises, and the third line offers assurance that controls and processes align with regulations. However, many institutions go a step further by commissioning an independent third-party to conduct model validation. This is not just a box-ticking exercise. It examines whether the institution’s regulatory framework, internal policies, risk assessments, and monitoring systems are aligned and functioning cohesively and in line with regulations.

The process begins by mapping regulatory requirements to internal policies and controls. Then, it assesses whether the identified risks are appropriately addressed by the transaction monitoring systems. A mismatch between the risks detected and the exposure that has been identified undermines compliance effectiveness.

Crucially, the validation also tests data quality. A robust system built on weak, fragmented, or incomplete data will produce unreliable alerts, rendering the entire framework ineffective. In essence, model validation acts as a compliance health check, ensuring that strategy, systems, and data all speak the same language.

Balagobi: This brings me to AI again. The promise of AI in compliance is compelling, but it is only as strong as the data it relies on. Poor data quality can distort insights, trigger false alerts, or worse, lead institutions to take misguided actions. AI is only as intelligent as the information it is fed. That’s why the starting point must be clean, well-classified data. Identifying whether data is personal, confidential, or public, which we call effective data governance, is essential. Once categorised, access controls must be enforced: who can see what, when, and why. Systems must be shielded from external exposure, with patches tested in isolation before being applied to live environments.

Cyber threats further complicate this. Social engineering attacks, often through platforms like WhatsApp, are growing, and criminals hijack accounts to request fund transfers from contacts while posing as the account holder. In such cases, victims may unknowingly become conduits for money laundering or terrorist financing.

The line between cybersecurity and compliance is now increasingly blurred. Institutions must recognise that data integrity, system hygiene, and secure communications are no longer just IT concerns. Instead, they are core to AML and CFT risk management.

Karthik: That’s a crucial point, and one that’s drawing increasing attention from regulators worldwide: the rise of mule accounts. These are bank accounts used, knowingly or unknowingly, to move illicit funds. Some are opened with fake identities, and others are dormant accounts that were quietly taken over. In some cases, legitimate account holders “rent” their accounts in exchange for compensation, either unaware or unconcerned that they’re facilitating financial crime.

What’s emerging globally is a clear convergence between fraud, cybercrime, and AML. Once fraudsters steal funds through scams or ransomware, the money still needs to be laundered, and that’s where mule accounts come in. They serve as transit points, often layered across institutions and jurisdictions, to obfuscate the origin of funds. Increasingly, regulators see the mule account ecosystem as the bridge between traditional financial crime and newer, cyber-enabled threats. Recognising and disrupting this link is now central to effective AML and fraud risk management.

Even with digitalised data, alerts are mostly evaluated by people. How big of a challenge is this, and how critical is the human factor in detecting financial crime?

Muzawwir: Laws, systems, and frameworks are only as effective as the people who operate them. Amid the expanding sophistication of financial crime, human judgement remains a core requirement, especially in distinguishing a legitimate transaction from a suspicious one.

Specialised training, therefore, is non-negotiable. Analysts must be equipped not just with policy knowledge but with real-world scenarios, industry-specific typologies, and case studies that reveal how transactions can be manipulated and disguised. In addition to compliance, the goal is to build pattern recognition, and this is developed through experience and contextual understanding.

Effective compliance depends as much on human insight as on technological investment. The system is only as good as the people trained to interpret it.

Karthik: While technology plays a critical role in compliance, human analysis remains the final filter, but it can also be the weakest link. Once a transaction triggers an alert, it is a human analyst who must assess it. If that individual lacks a strong grasp of money laundering methodologies, behavioural patterns, and the broader context, the risk of error rises sharply. They may either miss a real threat or chase a false positive.

The challenge is compounded by alert volume and fragmentation. A single suspicious customer may generate multiple alerts across different rules or channels. It falls on the analyst to reconstruct the full picture, often under time pressure and without advanced investigative tools. It’s not enough to rely on systems alone. Institutions must invest in specialised, scenario-based training that teaches staff how to interpret alerts in context and recognise the signs of evolving financial crime schemes. Without this, even the most sophisticated systems risk becoming expensive false-alarm machines.

By its nature, anti-money laundering is a cat-and-mouse game. Launderers are constantly devising new schemes to bypass controls. Each time a pattern is detected and monitored, they adapt, forcing compliance teams to identify outliers, update detection rules, and stay ahead. This cycle of evasion and response is ongoing, so static systems won’t suffice. Each institution must remain agile and proactive to keep pace.

How challenging is it for compliant financial institutions to manage risks now that traditional systems are increasingly linked to digital assets and currencies?

Balagobi: India’s push towards digital payments is an example of a positive step towards cashless transactions, bringing all citizens and businesses into a traceable financial system. This shift aids AML efforts by enabling better detection of suspicious activity, assuming the data is current. It also helps government tax revenue by reducing evasion.

However, security is critical. The central bank mandates certain minimum cybersecurity standards for payment apps and wallets, requiring annual third-party evaluations, but its annual checks aren’t enough. Technology and vulnerabilities evolve constantly, so it is necessary to perform continuous monitoring and vulnerability assessments. A system deemed secure now may be compromised minutes later, so cyber risk management must be ongoing, not periodic.

Muzawwir: Digital transactions, especially in forms like credit/debit cards and online transfers, greatly enhance AML efforts since every transaction is linked to an identity profile, allowing clear tracking of money flow. This contrasts with cash, which is harder to trace. However, cryptocurrency presents a significant challenge due to the lack of robust regulatory frameworks. Its decentralised design makes monitoring difficult, opening doors for illicit transactions. While digital wallets support legitimate transactions, their misuse remains a critical concern.

Karthik: The FATF has detailed the risks and monitoring frameworks for digital currencies, and some countries go so far as to discourage virtual currencies. The main problem is that blockchain transactions often occur on ledgers outside a country’s jurisdiction, making investigations difficult. Users can remain anonymous, transferring funds wallet-to-wallet without entering the regulated financial system, which complicates monitoring. The key lies in the intersection between virtual currency and traditional finance. While regulated exchanges track who buys or sells digital currency, aiding oversight, wallet-to-wallet transfers remain hard to trace.

Cybercrime payments often use virtual currencies, underscoring the need for international cooperation. FATF standards emphasise cross-border information sharing, which is crucial for combating money laundering involving virtual currencies.