Mike Masoud | July 15, 2026
Money laundering risk is not limited to banks, casinos, or financial institutions. Ordinary businesses may also be misused to move, disguise, justify, or return illicit funds.
The risk may appear in a customer payment, vendor invoice, refund request, third-party payment, or transaction that seems commercially routine until someone examines its purpose, payment path, documentation, and participating parties.
Boards, executives, finance teams, sales personnel, procurement officers, internal auditors, and compliance professionals should understand how these risks may arise in daily business activity.
Five Takeaways for Boards and Management
- Money laundering risk can enter ordinary business activity through routine-looking transactions.
- Unusual payment behavior may matter more than the transaction amount.
- Overpayments, redirected refunds, third-party payments, split payments, and vague invoices deserve scrutiny.
- Employees should know when a normal-looking transaction requires escalation.
- A profitable transaction is not necessarily a safe transaction.
A Familiar Business Trap
A customer receives an invoice for USD 100,000 but pays USD 120,000. Shortly afterward, the customer asks the company to refund the excess USD 20,000 to a different bank account in another country.
Finance may view this as a simple correction. However, the company could be used as an intermediary to move funds from one source to another while giving the transfer an apparently legitimate commercial explanation.
This does not establish that money laundering has occurred. It does justify examining why the overpayment occurred, who controls the proposed refund account, and why a different account or jurisdiction is involved.
Why This Risk Is Real
Major enforcement cases show how legitimate institutions may be misused when suspicious transactions, weak due diligence, and poor controls are tolerated.
According to the U.S. Department of Justice, HSBC admitted anti-money-laundering and sanctions violations in 2012 and forfeited USD 1.256 billion under a deferred prosecution agreement (U.S. Department of Justice, 2012).
According to the U.S. Department of Justice, Danske Bank pleaded guilty in 2022 and agreed to forfeit more than USD 2 billion in connection with conduct involving its Estonia branch and access to the U.S. financial system (U.S. Department of Justice, 2022).
These cases involved banks, but the governance lesson applies more broadly: suspicious activity may move through legitimate systems when people stop asking whether the business purpose, source of funds, payment path, and parties involved make sense.
Several examples below reflect underlying behavioral patterns identified in trade-based money-laundering risk indicators published by the Financial Action Task Force and the Egmont Group. These include unusual third-party payments, unexplained payment structures, transactions inconsistent with a customer’s known business, and questionable invoicing practices. Although these indicators were developed principally for trade-based money laundering, they offer useful points of comparison when examining unusual payment activity in other commercial settings.
The presence of one indicator does not, by itself, establish that money laundering has occurred (FATF and Egmont Group, 2020; 2021).
In such circumstances, the indicator should prompt contextual examination, appropriate escalation, and the application of Competent Questioning as an anti-corruption governance concept (Masoud, 2026).
Where Risk May Appear
Customer Overpayments and Refunds
A customer overpays an invoice and asks for the refund to be sent to a different account, company, or country.
The organization should establish why the overpayment occurred, verify the proposed recipient, and review any request to redirect the refund. An unusual refund instruction is a risk indicator, not proof of wrongdoing.
Third-Party Payments
A customer says that an affiliate or another entity will pay the invoice, but the payer is not clearly connected to the transaction.
There may be a legitimate explanation. The organization should nevertheless identify the payer, verify its relationship to the customer, document the business reason, and obtain appropriate approval.
Split Payments
A client asks to divide one invoice into several smaller payments from different accounts.
This may reflect administrative convenience, but it may also have the effect of bypassing internal controls, approval thresholds, or external scrutiny. The organization should document the explanation, identify the payers, and determine whether the arrangement has a reasonable commercial purpose.
Vague Invoices or Services
A consultant submits an invoice for “market support,” “business facilitation,” or “special services,” but no one can clearly explain what work was performed, what deliverables were produced, or why the amount is reasonable.
Such invoices may create money-laundering, fraud, bribery, procurement, and internal-control risks. Payment should not be approved until the service, deliverables, recipient, and commercial purpose are verified.
Transactions That Do Not Fit
A small local company pays a large invoice from an offshore account. A customer buys goods unrelated to its normal business. A vendor requests payment to a country where it has no apparent operations.
These circumstances do not automatically prove wrongdoing, but they should trigger proportionate questions before the transaction proceeds.
Five Controls Organizations Should Consider
1. Verify the Business Purpose
Ask who is paying, who benefits, what is being purchased, and why the transaction is structured in that way.
2. Challenge Third-Party Payments and Refunds
Require written explanations, supporting documents, verification, and appropriate approval.
3. Treat Overpayments as Risk Events
Review overpayments before issuing refunds, especially when another account, entity, or jurisdiction is involved.
4. Scrutinize Vague Invoices
Require clear descriptions, identifiable deliverables, evidence of performance, and a reasonable commercial basis for the amount charged.
5. Escalate Transactions That Do Not Fit
Employees should know how to pause and escalate transactions that do not match the customer, vendor, geography, contract, or payment pattern.
What Boards and Leaders Should Ask
Boards do not need to manage every transaction. They should determine whether employees are trained to recognize suspicious patterns and whether commercial pressure discourages escalation.
The key question is:
Would our employees know when to stop or escalate a profitable transaction because its payment path, business purpose, documentation, or parties do not make sense?
One Hard Takeaway
A transaction does not become safe because it has passed through an ordinary business process. It becomes safer when competent people ask informed, relevant, and challenging questions before approval, payment, or refund.
As an anti-corruption governance concept, Competent Questioning requires decision-makers to challenge unclear purpose, unusual payment behavior, vague services, unexplained third-party involvement, overpayments, and pressure to process first and explain later (Masoud, 2026).
Where such questions are not asked, ordinary business processes can give suspicious transactions the appearance of legitimacy.
This reflects AACI’s emphasis on governance, internal control, accountability, and systemic corruption prevention. The purpose is not to accuse individuals or presume misconduct. It is to ensure that unusual transactions are examined, documented, and escalated through defined procedures.
References
FATF and Egmont Group (2020) Trade-Based Money Laundering: Trends and Developments. Paris: Financial Action Task Force. Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/reports/Trade-Based-Money-Laundering-Trends-and-Developments.pdf (Accessed: 15 July 2026).
FATF and Egmont Group (2021) Trade-Based Money Laundering: Risk Indicators. Paris: Financial Action Task Force. Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/reports/Trade-Based-Money-Laundering-Risk-Indicators.pdf (Accessed: 15 July 2026).
Masoud, M. (2026) Competent Questioning: An Anti-Corruption Governance Concept. The American Anti-Corruption Institute. Available at: https://www.theaaci.net/Competent-Questioning (Accessed: 15 July 2026).
U.S. Department of Justice (2012) HSBC Holdings plc and HSBC Bank USA N.A. Admit to Anti-Money Laundering and Sanctions Violations, Forfeit $1.256 Billion in Deferred Prosecution Agreement. Available at: https://www.justice.gov/archives/opa/pr/hsbc-holdings-plc-and-hsbc-bank-usa-na-admit-anti-money-laundering-and-sanctions-violations (Accessed: 15 July 2026).
U.S. Department of Justice (2022) Danske Bank Pleads Guilty to Fraud on U.S. Banks in Multi-Billion Dollar Scheme to Access the U.S. Financial System. Available at: https://www.justice.gov/archives/opa/pr/danske-bank-pleads-guilty-fraud-us-banks-multi-billion-dollar-scheme-access-us-financial (Accessed: 15 July 2026).
Disclaimer
This article is provided for educational and informational purposes only. It does not constitute legal, regulatory, compliance, or financial advice. The presence of a risk indicator does not, by itself, establish money laundering or other misconduct. Organizations should examine relevant circumstances, follow applicable internal procedures, and obtain appropriate professional advice concerning their legal and regulatory obligations.
External sources are cited to support the discussion and remain subject to their respective publishers’ terms and interpretations.







































