COREDO – EU Legal & Compliance Services. Expert legal consulting, financial licensing (EMI, PSP, CASP under MiCA), and AML/CFT compliance across the European Union. Headquartered in Prague, we provide seamless regulatory solutions in Germany, Poland, Lithuania, and all 27 EU member states.
I have been leading COREDO since 2016 and see one recurring pattern: international fintech growth always comes up against not only company registration and licenses, but also mature AML compliance. Investors, correspondent banks and regulators quickly read where the transaction provider’s real ‘center of gravity’ for risk management lies. Therefore I tell clients directly: AML should not be viewed as an off-the-shelf product. It is the business operating system that affects customer conversion, cost per SAR, unit economics and the ability to scale cross-border flows.
The COREDO team over the years has implemented dozens of projects in the EU, the United Kingdom, Singapore, the UAE (Dubai), the Czech Republic, Slovakia, Estonia and Cyprus: from registering legal entities and obtaining licenses (EMI/PI, brokerage and forex authorizations, VASP/crypto, payment institutions) to setting up AML processes to meet the requirements of AMLD5/AMLD6, FATF recommendations, EBA guidance, FCA approaches and MAS expectations. COREDO’s practice confirms: a properly designed AML reduces latent risk, increases banks’ trust in your accounts and creates a predictable foundation for scaling.
Why fintech needs mature AML at registration

When licensing an EMI/PI in the EU, a VASP in Estonia, or a CASP in Cyprus, regulators expect not templates but thoughtful procedures: PEP screening and management of sanctions lists and watchlists, transparent UBO/beneficial ownership policies, data retention rules and clear STR/SAR criteria. Our experience at COREDO has shown that a mature, well-described fintech transaction monitoring process with clear scenarios and threshold parameterization reduces questions during supervisory interviews and speeds up authorization.
TMS orchestration in AML processes

I start by formulating the risk appetite: which types of customers (retail, SMB, marketplaces, crypto merchants), which countries (EU/Asia/CIS), which products (e-money, cards, P2P, merchant acquiring, OTC for VASP) and what risk limits for SAR conversion rate and false positive rate we are willing to accept. On this basis a governance model and a lifecycle of scenarios for fintech are built: who is responsible for the rules, how we version them, how we run backtesting and validate AML models in production.
Orchestration is the next layer. I connect rules, ML models, real-time sanctions screening and investigation tasks into a single orchestration bus. This provides real-time vs batch monitoring with clear latency detection and time-to-alert as a KPI. At COREDO we implement case management systems (CMS) and configure false positive triage workflows and investigation SLAs so that compliance resources are used efficiently.
KYC, KYB, UBO and sanctions lists

KYC and KYB for fintech companies are not only document verification, but also entity resolution: matching profiles, phone numbers, devices, addresses and corporate connections. KYC/KYB data sources include government registries, commercial aggregators, provider APIs and UBO registry integration to verify ultimate beneficial owners. We take into account signs of shell companies and nominee directors, and analyze mass-registration addresses and director overlaps.
I pay special attention to screening clients from high-risk jurisdictions (EU/Asia/CIS), real-time sanctions screening and watchlist updates. Integration of sanctions lists and real-time screening should be accompanied by a proper data quality gate: data lineage, duplicate checks and source verification, so as not to accumulate technical false positives. At COREDO we configure PEP screening taking into account the local definition of PEP and close connections, and we document EDD criteria for corporate and high-risk clients in playbooks.
Real-time transaction monitoring

I divide suspicious transaction scenarios into three groups: regulatory (for example, payment structuring: smurfing, layering and round-tripping), behavioral (mule accounts, account takeover, fabrication of transactions) and product-related for merchant flows (invoice manipulation, over/under invoicing, trade-based money laundering for fintech platforms). Typical AML scenarios for payment services and AML rules for neo-banks should cover P2P, top-ups, cash-out and merchant aggregation. The COREDO team implemented transaction monitoring in real time so as not to cut conversion and to keep SLA slippage below 200 ms.
ML models and explainable AI in production

I use a hybrid stack: supervised learning for classic fraud schemes, unsupervised clustering to group unusual patterns, autoencoders and isolation forest for anomaly scoring and overall anomaly detection. Feature engineering for transactional features considers frequency, amount, counterparty, geo-IP, device fingerprinting and behavioral fingerprinting. For graph analytics I apply graph algorithms and graph analysis to detect chains of transactions and networks of mule accounts, and to support merchant risk scoring.
Explainable AI is vital. I use LIME and SHAP to explain alerts and reduce disputes with the regulator: explainability helps establish model explainability governance and model documentation. We track model drift and concept drift by monitoring distribution changes, and we perform model validation in a model testing lab, checking precision, recall, F1 metrics and SAR conversion ratio.
Suspicious operations in P2P and crypto
AML for crypto and VASPs is a separate domain. I integrate on-chain analytics and de-anonymization of cryptocurrency flows, take into account mixing services, tumblers and methods of hiding the origin of funds, chain hopping and cross-chain swaps. OTC (over-the-counter) trades increase risk: we consider liquidity levels, the frequency of large transactions and countermeasures against cash-out and mule networks.
Triage and alert investigations
Triage of alerts and case-management with limited compliance resources requires prioritization: alert prioritization scoring ranks cases by risk and likelihood of escalation to SAR. I implement investigation SLAs, automation of cases in the CMS and orchestration of tasks with external data sources. Regulatory reporting is automated through e-filing infrastructure: the STR/SAR filing process and regulatory requirements become reproducible and documented.
I formalize incident response and forensics for suspicious transactions as ready-made playbooks: from temporary blocking to in-depth review, requesting supporting documents and the final decision. Automation of AML investigations eliminates routine work and reduces cost per alert and cost per SAR. COREDO’s practice confirms: clear triage reduces false negatives and minimizes missed risks while keeping processing times stable.
ROI, KPIs, and errors when scaling
To assess the ROI of implementing an AML system in fintech, I link metrics: SAR conversion rate, false positive rate, detection latency, precision/recall and operational KPIs (cost per alert and cost per SAR). Best practices for reducing AML’s impact on customer conversion include adaptive checks, biometrics with liveness checks and contextual KYC/KYB requests triggered by an event rather than “on a calendar basis”. False negatives are managed through targeted retrospectives, backtesting and manual review with model retraining.
Regulatory guidelines by region
In the EU we are subject to AMLD5 and AMLD6, the EBA’s AML guidelines for financial institutions, and PSD2, which affects payment monitoring and open APIs. In the UK the FCA’s approaches to fintech pilots and sandboxes set benchmarks for experimenting with ML without losing control, while reporting requirements and SAR obligations remain clear. In Asia MAS’s regulatory expectations formalize a risk-based approach and test pilots with a clear delineation of responsibility.
In the US FinCEN defines reporting requirements and SAR obligations, and correspondent banks demand increased transparency in cross-border payment screening and geographic risks. The FATF recommendations and the Wolfsberg Group’s compliance principles serve as a consensus framework for global programs. The COREDO team translates these standards into the language of the client’s specific procedures, from policy to the details of the TMS.
Data and privacy as an advantage
For me, privacy-preserving analytics and PII processing are not an option but a requirement for banking trust. I use federated learning for distributed training without transferring data, differential privacy for client data analytics, and homomorphic encryption for secure analysis of sensitive datasets. Data lineage and data quality control in the TMS allow tracking origin and transformations, reducing the risk of errors and challenges to data validity.
We document model explainability governance, maintain a centralized feature catalog, and verify consistency through continuous tests. Entity resolution and customer reconciliation follow unified rules, eliminating duplicates and profile drift. Such practices simplify communication with auditors and reduce the likelihood of regulatory questions about data quality.
COREDO Case Studies and Lessons
In Singapore we supported licensing under the Payment Services Act, built a compliance strategy for cross-border payments and integrated sanctions screening with real-time updates. The solution developed at COREDO employed graph analytics for transaction chains and detection of mule accounts, including round-tripping across Asian corridors. The regulatory inspection recognized strengths in governance and rule lifecycle management.
How to implement AML with COREDO
- We set the risk appetite and a risk-based approach: customer profiles, countries, products, SARs and KPIs.
- We design KYC/KYB/UBO: data sources, UBO registry integration, PEP screening and sanctions watchlists.
- We set up transaction monitoring: suspicious activity scenarios, adaptive thresholds, velocity rules and graph analytics.
- We implement ML and explainability: supervised/unsupervised, autoencoder, isolation forest, LIME/SHAP and a model testing lab.
- We launch orchestration and CMS: triage, alert prioritization scoring, SLA, e-filing and STR/SAR.
- We build data governance: data lineage, quality gates, privacy-preserving analytics and log retention policies.
- We include effectiveness control: KPIs, A/B testing of scenarios, backtesting and regular recalibration.
- We ensure regulatory compliance: AMLD5/6, EBA, FCA sandbox, MAS, FinCEN, FATF and Wolfsberg.
- We plan scaling: real-time vs batch, load testing of the TMS and scenario drift detection.
Registration and licenses: alignment with AML
In Dubai, providers in the DIFC or under VARA benefit more from clear procedures for sanctions lists and cross-border screening. In Cyprus, forex and CASP licenses require a thoughtful approach to merchant risk scoring and TBML indicators in transaction flows. COREDO’s practice shows: if you link the corporate structure, licenses, and AML architecture at the start, subsequent rounds of audits and bank onboarding processes proceed significantly faster.
How to avoid common mistakes
Underestimating governance is the third common problem. Without rule lifecycle management, model documentation, and clear playbooks, it’s hard to pass inspections and maintain predictability as you scale. The COREDO team closes these gaps through program audits, roadmaps, and the implementation of practices proven effective in the EU and Asia.
Conclusions
Compliance in fintech is not a ‘checkbox’ and not a brake on growth. It is a production system that enables safe scaling of cross-border operations, maintains the trust of banks and regulators, and increases margins by reducing operational costs for investigations. I build such systems at the intersection of licensing strategy, data architecture and TMS engineering, and COREDO’s practice confirms: unified orchestration of rules, ML and investigation processes delivers measurable results.