Why Chinese money laundering networks still evade AML detection. What banks are missing
Chinese money laundering networks (CMLNs) are already well understood across the industry. Their role in supporting drug trafficking, fraud, and other criminal activity is well documented, and the scale is significant.
In fact, FinCEN’s recent Financial Trend Analysis identified more than 137,000 Bank Secrecy Act filings between 2020 and 2024, representing over $300 billion in suspicious activity linked to these networks.
Yet activity at this scale continues to move through the financial system.
CMLNs do not operate through simple or isolated transactions. They rely on multi-step, non-linear activity that moves across accounts, institutions, and jurisdictions. Funds are layered through trade-based schemes, bulk goods purchases, real estate, and cash-intensive businesses, often supported by networks of money mules and informal value transfer systems.
The problem is, traditional AML approaches were not designed to identify this type of behavior. Rules-based systems can flag individual indicators, but they struggle to connect how activity develops across accounts and over time.
And as these networks continue to adapt their methods, detection approaches that rely on static rules become less effective.
| Key takeaways for this article CMLNs are linked to over $300 billion in suspicious activity across more than 137,000 BSA filings These networks operate through multi-step, non-linear activity that rules-based systems often miss Traditional AML detection focuses on individual red flags rather than connected behavior Machine learning can identify how activity clusters across accounts, entities, and time Federated models enable this analysis across institutions without sharing sensitive data |
The scale is clear. AML detection is not.
Large volumes of activity linked to Chinese money laundering networks are now being reported. What is less clear is how early that activity is identified, and how much is only recognized after funds have already moved through the system.
Much of this activity does not appear suspicious at the point it enters the financial system. Transactions are structured to look ordinary, often spread across accounts, institutions, and time. In many cases, individual alerts will not indicate a broader pattern. The risk only becomes visible when activity is viewed in sequence.
And this creates a challenge for AML detection.
Monitoring systems are typically designed to assess transactions against predefined rules or thresholds. They generate alerts based on individual events, rather than how activity connects across a network.
What this means for investigators is fragmented visibility. Alerts may be reviewed in isolation, without a clear view of how related activity develops across accounts or institutions. By the time patterns are recognized, funds may already have moved.
Why CMLNs continue to evade traditional AML controls
The characteristics of these networks create specific challenges for traditional AML controls, particularly in how activity is detected and connected.
Static rules cannot keep pace with adaptive networks
CMLNs do not follow fixed patterns. Their methods evolve in response to controls, adjusting transaction flows, account usage, and timing to avoid detection.
A rules-based approach built to catch one pattern will miss the next variation. Rules can be effective for known typologies, but they are limited by what has already been observed and require continual tuning to remain relevant. As these networks change their methods, detection based on static thresholds or predefined scenarios provides limited coverage against evolving behavior.
This creates a persistent lag in detection. By the time a new pattern is understood and reflected in rules, activity has often already moved through the system.
Detection is fragmented across institutions
CMLN activity rarely sits within a single institution. Transactions are distributed across accounts, banks, and jurisdictions, with each step designed to appear independent.
This results in fragmented visibility. Each institution sees only a portion of the activity, often without context on how it connects to a wider network. Patterns that would be clear when viewed collectively can remain indistinct when assessed in isolation.
This limits how effectively institutions can identify connected activity in real time. Activity that appears low risk within one institution may form part of a broader pattern that is not immediately visible.
Red flags do not capture behavior
Traditional AML detection relies on identifying individual indicators such as large cash deposits, rapid movement of funds, or unusual account activity. These signals can be useful, but they are limited when assessed on their own.
CMLNs operate through sequences of activity rather than single events. Risk emerges from how transactions relate to one another across accounts, entities, and time. Individual transactions may appear consistent with expected behavior. It is their combination and repetition that creates concern.
Detection therefore depends on understanding how activity clusters and develops, not just whether a single transaction meets a predefined threshold. This limits the effectiveness of approaches that focus primarily on isolated alerts rather than connected behavior.
What detection actually requires
Addressing these challenges requires a shift in how activity is assessed, moving beyond individual transactions to understanding how behavior develops across accounts, entities, and time.
Identifying behavioral patterns over individual transactions
Effective detection depends on identifying behavioral patterns. Suspicious activity rarely appears as a single transaction. It emerges through patterns that cluster and sequence across accounts, entities, and time.
This includes how funds move between related accounts, how transactions are structured, and how activity develops over a defined period. Viewed individually, these signals can appear consistent with expected customer behavior. Assessed together, they indicate coordinated activity.
Connecting multi-step, non-linear activity
CMLN activity unfolds across multiple steps and time periods. Funds are layered through a series of transactions, moving across accounts and institutions in ways that obscure their origin.
These patterns are structured to remain below reporting thresholds or spaced over time to reduce visibility. Connections between accounts, timing, and transaction types define the underlying behavior.
Detection depends on recognising how activity links across steps. Assessing transactions individually limits visibility into that structure.
Improving precision and reducing false positives
Improving detection also requires a more precise understanding of risk. Many transfers to China are legitimate, and cross-border activity is a routine part of financial flows.
A focus on behavioral patterns allows clearer differentiation between legitimate and suspicious activity. This supports more effective alerting, helping investigators prioritize activity that aligns with known laundering behavior.
This leads to fewer false positives and more consistent identification of activity that reflects genuine risk.
Where federated machine learning changes the model
These challenges point to a need for approaches that can connect activity across institutions while maintaining the constraints of data privacy and confidentiality.
#1. Learning across institutions without sharing data
Federated machine learning enables institutions to collaborate on detecting financial crime without sharing underlying customer data. Each institution trains a model on its own data within its existing environment.
The learned parameters from those models are then shared and combined to create a broader model. No transaction-level data leaves the institution. This allows patterns to be learned across multiple datasets while keeping sensitive information local.
#2. Building a collective view of risk
This approach addresses the fragmented view of activity that exists across institutions. Each organization holds only part of the overall picture, which limits how patterns are identified.
By learning from patterns observed across multiple institutions, federated models support a more complete view of how activity connects. Relationships between accounts, timing, and transaction types become clearer when assessed across a wider dataset.
This strengthens the ability to identify activity that may appear low risk in isolation but forms part of a broader pattern.
#3. Adapting as CMLN methodologies evolve
CMLNs continue to change how they structure and move funds. Detection approaches need to keep pace with that evolution.
Machine learning models can be trained to recognise patterns in behavior and updated as new activity is observed. Models adapt as networks do, reflecting changes in how transactions are structured, timed, and distributed across accounts and institutions.
This supports a more responsive approach to detection, aligned to how these networks operate.
Further reading: Inside Chinese Money Laundering Networks and how Federated AI can detect and prevent them
What this means for AML teams
These changes have practical implications for how AML teams assess risk and prioritize activity.
For investigators, this means:
- Greater emphasis on context and explanation
Individual transactions rarely provide enough information on their own. Understanding how activity connects across accounts, entities, and time provides a clearer basis for assessment and decision-making - Earlier identification of connected activity
Patterns can be identified as they develop, supporting earlier intervention instead of relying on reporting after funds have already moved through the system
Supervisory bodies continue to emphasize effectiveness in AML programs and show openness to approaches that improve detection outcomes. The focus is moving toward identifying higher-risk activity and reducing reliance on alert volume as a primary measure of performance.
