Smurfing and Structuring in AML: How to Detect and Report It

Picture the compliance analyst's morning: 400 alerts in the queue. By midday, 380 of them are false positives — wrong thresholds, misconfigured rules, noise. The other 20 need a closer look.

Now picture a structuring scheme running through those same accounts. No single transaction looks wrong. No individual deposit hits the reporting threshold. The customer's behaviour matches dozens of legitimate customers. The pattern only exists if you look across 14 accounts over 11 weeks — which nobody did, because the queue had 400 alerts in it.

That is why structuring is the hardest form of financial crime to catch. It is not poorly hidden. It is built to be invisible.

What Structuring Is and How Smurfing Differs

For a full definition, see the Tookitaki glossary entry on smurfing. This article focuses on detection and reporting.

The short version: structuring means deliberately breaking up transactions to stay below regulatory reporting thresholds. One person depositing AUD 9,500 on Monday, AUD 9,800 on Wednesday, and AUD 9,300 on Friday — instead of a single AUD 28,600 deposit — is structuring. The intent is to avoid triggering a threshold reporting requirement, and that intent is the offence.

Smurfing is the same offence executed through multiple people. Rather than one person making repeated sub-threshold deposits, a network of individuals — "smurfs" — each make smaller deposits into the same account or a connected set of accounts. The underlying goal is identical: aggregate the cash while keeping each individual transaction below the reporting radar.

Both are placement-phase techniques within the three stages of money laundering. What makes them particularly difficult is that the individual transactions, viewed in isolation, are entirely legitimate.

Ten Red Flags That Signal Structuring

These red flags are not individually conclusive. They are indicators that warrant escalation to a Suspicious Matter Report or Suspicious Transaction Report when found in combination.

1. Repeated cash deposits just below the local reporting threshold

The clearest signal. A customer depositing AUD 9,400, AUD 9,700, and AUD 9,200 across three weeks is staying intentionally below Australia's AUD 10,000 cash transaction reporting threshold. The same pattern in Singapore sits below SGD 20,000; in the US, below USD 10,000.

2. Multiple transactions on the same day at different branches

A customer making three separate cash deposits at three different branch locations on the same day — each below threshold — cannot plausibly be explained by convenience. Branch diversity exists to avoid system-level aggregation.

3. Round-number deposits slightly below threshold

Real cash transactions tend to be irregular amounts. Deposits of exactly SGD 19,900, SGD 19,950, or SGD 19,800 — consistently round and consistently just under SGD 20,000 — suggest deliberate calculation rather than organic cash flow.

4. Shared identifiers across multiple accounts making similar deposits

When several accounts share a phone number, residential address, or email address, and each account is receiving sub-threshold cash deposits at similar intervals, the accounts are likely part of a structured network rather than unrelated individuals.

5. Accounts with no other activity except periodic sub-threshold cash deposits

A bank account that receives a cash deposit of AUD 9,800 every two to three weeks — and does nothing else — has no plausible retail banking purpose. Dormancy broken only by structured deposits is a strong indicator.

6. Rapid cycling: deposit, transfer, withdrawal in quick succession

Cash arrives, moves to a second account immediately, and is withdrawn within 24 to 48 hours. The rapidity defeats the logic of ordinary cash management and suggests the account is a pass-through in a structuring chain.

7. Multiple third parties depositing into the same account

Three different individuals — none of whom is the account holder — making cash deposits into the same account within a short window is the operational signature of smurfing. The account holder is coordinating a network of smurfs.

8. New accounts with immediate high-frequency sub-threshold activity

An account opened less than 30 days ago that immediately begins receiving several sub-threshold cash deposits per week has not developed an organic transaction history. The account was opened for the structuring activity.

9. Mule account patterns

The account receives multiple small deposits from various sources, accumulates the balance, then transfers the full amount to a single destination account. The collecting-and-forwarding pattern is a textbook mule structure.

10. Timing clusters at branch opening or closing

Transactions concentrated in the first 15 minutes after branch opening or the last 15 minutes before closing can indicate coordination — perpetrators managing detection risk by limiting teller exposure or taking advantage of shift-change gaps in oversight.

APAC Reporting Obligations: Thresholds and Timeframes

Compliance officers across the region operate under different regulatory frameworks. These are the current obligations as of 2026.

Australia — AUSTRAC

Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006:

• Threshold Transaction Report (TTR): Required for all cash transactions of AUD 10,000 or more, or the foreign currency equivalent. Must be submitted to AUSTRAC within 10 business days.
• Suspicious Matter Report (SMR): Where a reporting entity forms a suspicion that a transaction or customer may be connected to money laundering, financing of terrorism, or proceeds of crime, the SMR must be submitted within 3 business days of forming that suspicion (or 24 hours if terrorism financing is suspected).

Structuring is an offence under section 142 of the AML/CTF Act regardless of whether the underlying funds are from legitimate sources. Suspicion of structuring — not confirmation — triggers the SMR obligation.

Singapore — MAS

Under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act and MAS Notice SFA04-N02/CMS-N02 and related notices:

• Cash Transaction Report (CTR): Required for cash transactions of SGD 20,000 or more, or equivalent in foreign currency.
• Suspicious Transaction Report (STR): Must be filed with the Suspicious Transaction Reporting Office (STRO) within 1 business day of the institution's knowledge or suspicion.

Singapore's 1 business day STR deadline is among the strictest in the region.

Malaysia — BNM

Under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLATFPUAA), regulated by Bank Negara Malaysia:

• Cash Threshold Report (CTR): Required for cash transactions of MYR 25,000 or more, or equivalent in foreign currency.
• Suspicious Transaction Report (STR): Must be submitted to the Financial Intelligence and Enforcement Department (FIED) within 3 working days of the institution forming a suspicion.

Philippines — BSP / AMLC

Under the Anti-Money Laundering Act of 2001 (Republic Act 9160) as amended, and rules issued by the Bangko Sentral ng Pilipinas (BSP) and the Anti-Money Laundering Council (AMLC):

• Covered Transaction Report (CTR): Required for single-day cash transactions totalling PHP 500,000 or more.
• Suspicious Transaction Report (STR): Must be filed with the AMLC within 5 business days of the transaction being deemed suspicious.

In all four jurisdictions, a failure to file — even where the transaction later proves legitimate — carries significant regulatory and criminal liability for the reporting institution.

Why Rule-Based Transaction Monitoring Misses Structuring

Traditional transaction monitoring systems work by evaluating individual transactions against a set of rules: flag any cash deposit over a threshold; flag any transaction to a high-risk jurisdiction; flag any customer who exceeds a monthly cash limit.

Structuring is engineered to defeat exactly this type of detection. Each individual transaction passes every rule. No single deposit exceeds the threshold. No single account exhibits abnormal volume. The problem only exists in the aggregate — across multiple transactions, multiple accounts, and an extended time window.

A rule that flags AUD 10,000+ deposits will not flag three AUD 9,500 deposits. A rule that flags high transaction frequency on a single account will not flag ten accounts each making one deposit per week.

For a broader explanation of how transaction monitoring systems work and what they are designed to catch, read our What is Transaction Monitoring blog.

The result is that structuring and smurfing schemes can run for months without generating a single alert, even in banks with fully implemented transaction monitoring programmes. The rules are working exactly as configured. That is the problem.

How Machine Learning-Based Systems Detect Structuring Patterns

The detection challenge is a data aggregation problem, and machine learning systems are better suited to it than rule-based engines for three specific reasons.

Velocity analysis across accounts and time

ML systems can calculate velocity — the rate of sub-threshold deposits — across a population of accounts simultaneously, and flag when a cluster of accounts shows a correlated spike. A rule fires when one account crosses a threshold. A velocity model fires when 12 accounts in the same network collectively accumulate AUD 95,000 across six weeks in increments designed to avoid individual-account triggers.

Network graph analysis

By mapping relationships between accounts — shared addresses, shared phone numbers, overlapping transaction counterparties — graph-based models identify structuring networks that appear unconnected at the individual account level. The smurfing structure that looks like 10 ordinary retail customers becomes a visible ring when the relationship layer is added.

Temporal pattern detection

Structuring schemes operate on a schedule. Deposits cluster on specific days of the week, at specific times, in specific amounts. ML models trained on transaction sequences can identify these temporal signatures and surface accounts that match them, even when the amounts are individually unremarkable.

The practical consequence is a material reduction in both false negatives (missed schemes) and false positives (unnecessary alerts). Rules generate noise. Pattern models generate signal.

If your institution is evaluating whether its current transaction monitoring system can detect structuring at the pattern level rather than the transaction level, the Transaction Monitoring Software Buyer's Guide covers the evaluation framework — including the specific questions to ask vendors about multi-account aggregation and network analysis capabilities.

The compliance team reviewing 400 alerts each morning cannot manually reconstruct an 11-week deposit pattern across 14 accounts. That is not an attention problem. It is a systems problem. Structuring detection requires systems built for pattern-level analysis, regulatory obligations that are jurisdiction-specific and time-bound, and an alert triage process that distinguishes genuine red flags from rule-based noise.

The technology to close that gap exists. The question is whether the system currently in place is designed to find it.