Blog · May 21, 2026

How to Identify Suspicious Financial Activity: Key Red Flags

A practical guide to AML red flags — from structuring and velocity spikes to mismatched profiles and geographic risk — and how to build a detection layer that files SARs before the damage is done.

By Didit

Nine deposits just under the reporting threshold. Different days, different accounts. Everything looks normal in the ledger — except the pattern. That's structuring. That's a suspicious activity report (SAR) that should already have been filed.

Recognizing suspicious financial activity means building a systematic read on transaction patterns, customer behavior, and geographic signals — and knowing when the obligation to report kicks in. This post walks through the key red flags across each dimension, explains the SAR filing obligation, and covers how Didit's Transaction Monitoring, AML Screening, and Device & IP Analysis modules support real-time detection.

Key takeaways

  • Structuring — breaking transfers into smaller amounts to avoid reporting thresholds — is itself a crime in most jurisdictions, separate from whatever offense generated the funds.
  • Rapid movement of funds and velocity spikes are the clearest signals of layering in a money-laundering chain.
  • Customer-behavior and geographic signals compound transaction flags: a mismatched IP, a reluctant customer, a recently opened account with immediate high-value activity — each alone is weak; together they build a case.
  • Suspicious Activity Reports (SARs) are a legal obligation in most regulated jurisdictions. The threshold is suspicion, not proof.

Transaction pattern red flags

Structuring and smurfing

Structuring is breaking transactions into smaller amounts to avoid currency reporting thresholds (the Bank Secrecy Act threshold in the US is $10,000; similar thresholds apply in the EU, UK, and elsewhere). Smurfing is the same pattern spread across multiple people or accounts.

The indicators:

  • Multiple deposits just below the reporting threshold — $9,900, $9,700, $9,500 — in a short window
  • Many small deposits that aggregate to a large sum
  • A customer who asks about reporting thresholds or requests that transactions be split
  • Patterns that repeat across weeks or months without a clear rationale

Structuring is itself a crime in most jurisdictions, separate from whatever offense generated the funds.
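A sliding-window rule for the first two indicators, as an added example (not Didit's rule engine or any code from this post). The 10% "just below" band, the 10-day window, the minimum count and the sample deposits are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

THRESHOLD = 10_000           # US BSA threshold cited in the text
NEAR_BAND = 0.90             # assumption: "just below" means within 10% of it
WINDOW = timedelta(days=10)  # assumption: length of the "short window"

def structuring_alerts(deposits, min_count=3):
    """deposits: iterable of (customer_id, account_id, datetime, amount).
    Flags customers whose near-threshold deposits, pooled across all of
    their accounts, exceed THRESHOLD inside one sliding WINDOW."""
    near = {}
    for cust, acct, ts, amt in deposits:
        if NEAR_BAND * THRESHOLD <= amt < THRESHOLD:
            near.setdefault(cust, []).append((ts, acct, amt))
    alerts = []
    for cust, rows in near.items():
        rows.sort()
        start, best = 0, None
        for end in range(len(rows)):
            # shrink from the left until the window spans at most WINDOW
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            hits = rows[start:end + 1]
            total = sum(amt for _, _, amt in hits)
            if len(hits) >= min_count and total > THRESHOLD and (
                    best is None or len(hits) > best["count"]):
                best = {"customer": cust, "count": len(hits), "total": total,
                        "accounts": sorted({acct for _, acct, _ in hits})}
        if best:
            alerts.append(best)
    return alerts

# Constructed sample data (not real transactions).
def _day(n):
    return datetime(2026, 5, n)

SAMPLE_DEPOSITS = (
    # C1: nine deposits on nine days across three accounts, all under 10,000
    [("C1", f"A{i % 3}", _day(1 + i), 9_900 - 100 * i) for i in range(9)]
    # C2: a single near-threshold deposit plus ordinary activity
    + [("C2", "B0", _day(3), 9_800), ("C2", "B0", _day(4), 1_200)]
    # C3: two near-threshold deposits, but 19 days apart
    + [("C3", "D0", _day(1), 9_500), ("C3", "D0", _day(20), 9_600)]
)

if __name__ == "__main__":
    for alert in structuring_alerts(SAMPLE_DEPOSITS):
        print(alert)
```

Pooling by customer rather than by account is what surfaces the "different days, different accounts" pattern; detecting smurfing across multiple people would additionally need a link between customers (shared device, address or beneficiary), which this sketch does not model.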

Rapid movement of funds

Money laundering follows placement → layering → integration. Layering means moving funds quickly to obscure the audit trail:

  • Funds in, funds out within hours — the account is a pass-through
  • Wires in one currency, converted and out in another shortly after
  • Rapid transfers to unrelated third parties with no clear commercial purpose
  • Round-trip patterns where funds return to the originating account or entity
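The pass-through and round-trip indicators above expressed as a rule over a transaction list, as an added example (not Didit's implementation). The record fields, the 6-hour gap, the 90% drain ratio and the sample transactions are assumptions.

```python
from datetime import datetime, timedelta

def pass_through_alerts(txns, max_gap=timedelta(hours=6), min_ratio=0.9):
    """txns: dicts with account, ts, direction ("in"/"out"), amount,
    counterparty. For each inbound credit, sum the debits leaving the same
    account within max_gap and flag it when they drain >= min_ratio of it.
    max_gap and min_ratio are illustrative values, not regulatory ones."""
    alerts = []
    for credit in (t for t in txns if t["direction"] == "in"):
        outs = [t for t in txns
                if t["account"] == credit["account"]
                and t["direction"] == "out"
                and timedelta(0) <= t["ts"] - credit["ts"] <= max_gap]
        drained = sum(t["amount"] for t in outs)
        if credit["amount"] > 0 and drained / credit["amount"] >= min_ratio:
            alerts.append({
                "account": credit["account"],
                "credit": credit["amount"],
                "drained": drained,
                "hours_to_last_out": max(
                    (t["ts"] - credit["ts"]).total_seconds() / 3600 for t in outs),
                # funds went back to the party that sent them
                "round_trip": any(
                    t["counterparty"] == credit["counterparty"] for t in outs),
            })
    return alerts

# Constructed sample data (not real transactions).
def _t(acct, hour, direction, amount, party, day=1):
    return {"account": acct, "ts": datetime(2026, 5, day, hour),
            "direction": direction, "amount": amount, "counterparty": party}

SAMPLE_FLOWS = [
    _t("P1", 9, "in", 50_000, "X"),         # in, then split out within 3 hours
    _t("P1", 10, "out", 30_000, "Y"),
    _t("P1", 12, "out", 19_500, "Z"),
    _t("P2", 9, "in", 20_000, "M"),         # returned to the sender in 2 hours
    _t("P2", 11, "out", 20_000, "M"),
    _t("P3", 9, "in", 8_000, "EMPLOYER"),   # ordinary salary and spending
    _t("P3", 10, "out", 500, "GROCER"),
    _t("P4", 9, "in", 10_000, "Q"),         # leaves three days later
    _t("P4", 9, "out", 10_000, "R", day=4),
]
```

An outbound debit can count against more than one inbound credit here, which is acceptable for an alerting rule that feeds analyst review but would need allocation logic before being used to quantify flows.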

Velocity spikes

Three transactions a month, then thirty in a week — even if each is small. Velocity aggregations measure count and volume per customer, counterparty, and time window. Spikes not explained by a known business event warrant review.
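A velocity aggregation per customer and time window, compared against that customer's own baseline, as an added example (not Didit's implementation). The 7-day and 28-day windows, the 5x factor, the minimum count and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def velocity_spikes(txns, as_of, recent=timedelta(days=7),
                    baseline=timedelta(days=28), factor=5.0, min_recent=10):
    """txns: iterable of (customer_id, datetime, amount).
    Compares each customer's count in the last `recent` window with their
    average count per window over the preceding `baseline` period.
    All four parameters are illustrative and would be tuned per portfolio."""
    stats = defaultdict(lambda: {"recent_n": 0, "recent_vol": 0, "base_n": 0})
    for cust, ts, amt in txns:
        age = as_of - ts
        if timedelta(0) <= age < recent:
            stats[cust]["recent_n"] += 1
            stats[cust]["recent_vol"] += amt
        elif recent <= age < recent + baseline:
            stats[cust]["base_n"] += 1
    windows = baseline / recent          # e.g. 28 days / 7 days = 4.0
    spikes = {}
    for cust, s in stats.items():
        expected = s["base_n"] / windows
        # Floor the baseline at one transaction per window so accounts with
        # no history are compared against 1 rather than dividing by zero.
        ratio = s["recent_n"] / max(expected, 1.0)
        if s["recent_n"] >= min_recent and ratio >= factor:
            spikes[cust] = {"recent_n": s["recent_n"],
                            "recent_vol": s["recent_vol"],
                            "ratio": round(ratio, 1)}
    return spikes

# Constructed sample data (not real transactions).
AS_OF = datetime(2026, 5, 21)
SAMPLE_ACTIVITY = (
    # V1: three transactions in the prior month, then thirty in the last week
    [("V1", AS_OF - timedelta(days=d), 200) for d in (10, 20, 30)]
    + [("V1", AS_OF - timedelta(hours=5 * i), 200) for i in range(30)]
    # V2: steady activity, one transaction every 21 hours for five weeks
    + [("V2", AS_OF - timedelta(hours=21 * i), 150) for i in range(40)]
    # V3: new account, twelve transactions in its first week, no history
    + [("V3", AS_OF - timedelta(hours=12 * i), 900) for i in range(12)]
)
```

V3 shows why the baseline floor matters: an account with no history still alerts, which matches the "no ramp-up" profile flag, while V2's steady activity does not.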

Customer behavior red flags

Reluctance to provide information

Red flags appear when a customer:

  • Provides vague or inconsistent answers about source of funds or business purpose
  • Abandons sessions when asked for additional documentation
  • Submits documents from a jurisdiction that doesn't match their stated address or nationality
  • Becomes evasive when questions turn to beneficial ownership or counterparties

Mismatched profiles

Common patterns:

  • Stated income inconsistent with transaction volume or value
  • A business account processing consumer-pattern transactions
  • A new account that immediately begins high-frequency or high-value activity with no ramp-up
  • Ownership structures overly complex relative to the apparent business purpose

Politically exposed persons and adverse media

Politically exposed persons (PEPs) — government officials, close associates, and family members — carry elevated corruption risk by virtue of their access to public funds. Their presence doesn't make a transaction suspicious, but it triggers enhanced due diligence. Adverse media hits — sanctions, criminal proceedings, enforcement actions — are a harder signal.

Geographic red flags

High-risk jurisdictions

The Financial Action Task Force (FATF) maintains lists of jurisdictions with strategic deficiencies in their anti-money-laundering (AML) and counter-terrorist-financing regimes. Transactions to or from those jurisdictions, beneficial owners registered there, or correspondent banking relationships with entities in those jurisdictions all carry elevated baseline risk.

Mismatched IP versus document country

A customer submits an ID from Germany and completes the session from a VPN exit node in a high-risk jurisdiction. Any single mismatch may have an innocent explanation; document country, declared address, and IP country all pointing to different places is a pattern.

This signal requires correlating identity-layer data (what document was presented) with session-layer data (where the connection originated, whether it's masked). Didit's Device & IP Analysis flags COUNTRY_FROM_DOCUMENT_DOES_NOT_MATCH_COUNTRY_FROM_IP automatically when those two signals diverge.

The obligation to file Suspicious Activity Reports

A Suspicious Activity Report (SAR) is a confidential report filed with a financial intelligence unit — FinCEN in the US, the National Crime Agency in the UK, SEPBLAC in Spain. Most regulated institutions have a legal obligation to file when they have reasonable grounds to suspect a transaction involves proceeds of crime.

Four things every compliance team should know:

  • The threshold is suspicion, not proof.
  • Tipping off — telling the customer a SAR has been filed — is itself a criminal offense in most jurisdictions.
  • Failure to file when there is reasonable basis exposes the institution and individual compliance officers to enforcement action.
  • SARs are confidential. They go to the financial intelligence unit and do not automatically trigger a law enforcement investigation.

The SAR narrative needs to hold up to scrutiny — which means the case file behind it must be structured, complete, and auditable.

How Didit helps

Transaction Monitoring — $0.02 per transaction

Didit's real-time rule engine ships with 11 seeded rule bundles — structuring detection, velocity aggregations, rapid-movement alerts — across fiat and crypto. Rules are configurable: adjust thresholds, combine conditions, add custom rules.

When a rule fires, the transaction enters case management with the customer's full history and all rule matches. The SAR workflow is built in — compliance analysts draft and file without switching tools. The AWAITING_USER loop handles information-request cases automatically: when a customer needs to supply source-of-funds documentation, the loop pauses the transaction and routes the request without manual triage.

AML Screening — $0.20 per screen

Didit checks individuals and entities against 1,300+ global lists: OFAC, EU consolidated, UN, national watchlists, PEP registries, and adverse media. Screening runs at onboarding; Ongoing AML Monitoring ($0.07 per user per year) re-screens your user base continuously as lists update — catching the sanctioned individual or PEP that wasn't flagged at signup.

Device & IP Analysis — $0.03 per check

Geographic red flags are strongest when the identity signals and the session signals are correlated. Device & IP Analysis runs automatically in every verification session, returning IP geolocation, VPN/proxy/Tor status, and device fingerprint alongside the document country from the submitted ID. When those signals diverge, the COUNTRY_FROM_DOCUMENT_DOES_NOT_MATCH_COUNTRY_FROM_IP warning fires — configurable to approve, review, or decline.

Frequently asked questions

What's the difference between a structuring flag and a SAR obligation?

Structuring is itself a crime in most jurisdictions. The SAR obligation is broader: you must file when you have reasonable grounds to suspect any transaction involves proceeds of crime — structuring is one pattern that creates that suspicion, not the only one. A monitoring alert is evidence that supports a SAR; it doesn't replace compliance judgment on whether to file.

How many rule bundles does Didit's Transaction Monitoring ship with?

11 seeded rule bundles covering the most common AML and fraud-pattern categories, all configurable — tune thresholds and add custom rules without building from scratch.

Does Didit's AML Screening cover PEPs and adverse media, or only sanctions lists?

All three. The 1,300+ lists include OFAC, EU consolidated, UN Security Council, national watchlists, PEP registries, and adverse-media feeds. Ongoing AML Monitoring re-screens your user base as lists update.

What's the AWAITING_USER auto-remediation loop?

When a rule fires on a case that can be resolved by the customer supplying additional information — proof of source of funds, for example — the loop pauses the transaction and routes the request directly to the customer, without a compliance analyst having to touch every low-complexity case.

Can Didit file SARs on my behalf?

No. The SAR filing obligation sits with the regulated institution. Didit provides the case management and SAR workflow tooling — the structured case file, the transaction evidence, the audit trail — that your compliance team uses to prepare and file with the relevant financial intelligence unit.

Ready to get started?

Suspicious activity detection is a multi-layer problem. Transaction rules alone miss behavioral context; identity checks alone miss what happens after onboarding. Didit connects those layers in one composable API.
