Beyond the Control Framework

Reflections on high-end money laundering, retail banking, and evolving supervisory expectations

Most people still picture money laundering the way films portray it: shadowy figures, offshore islands, suitcases of cash, elaborate schemes that feel far removed from everyday banking. In reality, that is not always the case.

Today’s high-end money laundering is often quiet, ordinary, and deeply unremarkable on the surface. It happens through standard retail accounts, familiar products, routine onboarding processes, and cross-border group relationships that look perfectly legitimate at first glance. There’s no Hollywood plot twist. Instead, you have a group of highly motivated actors patient enough to exploit a very mundane set of the institution’s controls, inconsistencies, and human assumptions.

That context is important when reading the Hong Kong Monetary Authority’s latest guidance on combating high-end money laundering. In summary, criminals are increasingly using the “normal” parts of the banking system, such as retail accounts, wealth management, and cross-border group relationships, as the entry point for very sophisticated activity. And in many cases, the controls exist. They’re just not being applied consistently or critically enough.

Retail banking is no longer “low drama”

One of the most striking themes is how often high-end money laundering now starts in the retail segment. According to the HKMA’s observations, criminals deliberately establish seemingly ordinary retail relationships as a gateway, before moving funds through wealth management, private banking, or across jurisdictions within the same banking group.

This matters because many institutions still subconsciously treat retail as “lower risk by design”. The circular is a reminder that this assumption no longer holds, especially where customers show complex characteristics like multiple nationalities, sudden changes in employment or wealth sources, or rapid growth in assets under management. Hint: red flags!

Solution? Each to his own. In my view, retail relationships need to be viewed dynamically, not categorically. The expectation is that financial institutions must continuously reassess customers as they evolve, connect changes across products and segments, and respond proportionately when multiple indicators start to align. Do not treat retail as “high risk,” but rather as context-driven, where escalation is triggered not by a single red flag, but by patterns that only become visible when teams step back and look at the relationship as a whole.

Same customer, different standards?

Another point that felt very familiar: inconsistent Customer Due Diligence (CDD) across business lines.

The HKMA noted cases where high-net-worth customers in retail wealth management were subject to noticeably lighter due diligence than private banking customers, even when their risk exposure looked very similar. This is one of those long-standing industry quirks that everyone knows about, but few have fully solved.

The message here is subtle: segmentation should not become an excuse for uneven risk treatment. If the risk is similar, the depth of CDD should be similar too, and that applies not just at onboarding, but over time as customer circumstances evolve.

Source of wealth: empowerment vs. paperwork

What comes through clearly in the HKMA’s observations on source of wealth and source of funds is not a criticism of policy design, but a question of how confident front-line teams feel applying those policies in higher-risk situations.

In most cases, the frameworks are already in place and technically sound. Where issues arise, they tend to be practical rather than structural: moments where staff hesitate to probe further, to challenge inconsistencies, or to seek clarification when information feels incomplete or difficult to reconcile.

This is a familiar supervisory theme. Documentation on its own does not mitigate risk. People do. The expectation is not that front-line teams become investigators, but that they are supported, trained, and empowered to exercise judgment, escalate uncertainty, and ask follow-up questions without fear of being “overly cautious.” Healthy scepticism, backed by clear guidance from compliance, is what ultimately strengthens source-of-wealth controls.

Transaction monitoring: alerts are only as good as their closure

On transaction monitoring, the finding is again not that systems failed. Alerts were generated. Unusual activity was flagged. But some alerts were closed without sufficiently robust analysis.

Examples cited include large deposits from opaque sources, third-party transactions where the relationship wasn’t clearly understood, and movements involving jurisdictions with no obvious nexus to the customer. These are all classic scenarios, and the regulator’s point is straightforward: closing an alert requires reasoning, not just resolution.

This is less about technology and more about discipline. The expectation is that decisions to close alerts should stand up to scrutiny when viewed later, in context, by someone who wasn’t involved at the time.

Seeing the customer across borders

One of the more constructive observations relates to information-sharing across banking group affiliates. Some institutions have already put mechanisms in place to share intelligence on higher-risk customers across jurisdictions, allowing for a more holistic risk view.

The HKMA clearly sees this as a good practice rather than a burden. In an era where criminals deliberately exploit cross-border structures, fragmented views of the same customer are an obvious vulnerability.

A closing thought

What I took away from this guidance is that regulators are paying less attention to whether a control exists, and far more attention to how thoughtfully it is applied. That’s a harder standard to meet, but probably the right one.

As always, if this topic is landing on your desk as well and you’re thinking through how your institution should respond, I’m very happy to compare notes. These are not new risks, but they are being looked at with fresh eyes.

Thanks for reading,

Alexey