Developing Terrorist Financing Typologies for AML Programs

Developing terrorist financing typologies for anti-money laundering (AML) programs requires understanding. You must understand the terrorist threat environment, emerging terrorist trends, the funding flows terrorists rely on to sustain their operations and your institutional risk for being used to facilitate terrorist funding flows. When you understand these dimensions and place them in context with each other, you should be positioned to develop viable terrorist financing typologies. This can be a daunting challenge because there are no silver bullets or smoking guns. In addition, the challenge of identifying terrorist financing is exacerbated by the breadth of the terrorist landscape in terms of funding sources, funding streams and use of funds.

It is possible to identify terrorist financing preemptively, but the likelihood is not probable until after a terrorist event takes place. We normally identify terrorist financing reactively, after the fact, through negative news. Our challenge is to improve the likelihood and thereby increase the probability of identifying suspicious activity before that activity evolves into a terrorist event. Increasing the probability of identifying terrorist financing begins with building a foundation through understanding the following four dimensions: the threat environment, emerging trends, funding flows and institutional risk. By assessing each element and placing them in context with each other in a matrix or analytical report or assessment, you can take more generic risk indicators or red flags and make them more specific to your institutional risk. There are numerous reference guides listing terrorist financing red flags and typologies on a broad or generic level. Taking those broad typologies and assessing them against your institution’s risks will lead to developing more focused and institution-specific red flags and risk vulnerabilities.

In the U.S., a good example for red flag guidance is contained in the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act/AML Examination Manual. Appendix F of the FFIEC Examination Manual lists money laundering and terrorist financing red flags. The terrorist financing red flags are listed on page F-9. On a regional and global level, the Financial Action Task Force (FATF) has published numerous terrorist financing typologies reports that offer meaningful guidance for identifying terrorist financing. In addition, national financial intelligence units, such as the Financial Crimes Enforcement Network (FinCEN) in the U.S. and the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) provide valuable information regarding terrorist financing. Another excellent source for building terrorist financing typologies is from law enforcement charging documents, such as criminal information, indictments, arrest and search warrants, and plea agreements. These charging documents usually contain an affidavit with a statement of facts, which sets forth the scheme or scenario used, to include money laundering. In addition to these sources, numerous publically accessible online websites, think tanks, private intelligence services (some being subscription services), and other government or private sector sources, provide research guidance.

In developing your institution-specific terrorist financing typologies, it is important to be forward thinking, adaptable, attentive and innovative. You must be forward thinking and adaptable regarding the threat environment and emerging trends. You must be attentive to visualizing funding flows and minimizing false positives. You must be innovative in developing your monitoring and analytical capabilities to mitigate your institutional risk.

As a somber reminder, there is no easy answer or monitoring tool to readily identify terrorist financing. It takes commitment, understanding and visualization. First, you have to make a commitment to build adequate capacity. Second, you must understand the problems and challenges. Third, you must visualize the flow of funds from the point of origin to the point of distribution or intended distribution.

The following is an outline of the threat environment, emerging trends, funding flows and risk from an AML compliance perspective. One consideration that stands out from the outline is the myriad of variations terrorist financing can take. That is one reason why it is imperative to place these dimensions in context with each other and develop terrorist financing typologies specific to your financial institution. Identifying all-encompassing warning signs is highly improbable. However, taking a more measured and reasonable approach to identifying red flags and risk factors that are more specific to your financial institution makes it more possible to identify terrorist financing.

Terrorist Threat Environment

From the government perspective of law enforcement, intelligence agencies, sanctioning bodies, diplomatic services and the military, the threat environment is primarily a national security concern. A major factor is the level of geographic and physical threat. From a financial institution perspective the threat environment is primarily driven by economic risk.

Both the national security and economic threat environments begin with terrorist actors. We must focus on both organizations and individuals aligned with organizations—either as organizational members or as aspirants—who are inspired by the group and in many cases, pledging their allegiance. This is where the broad expanse of the terrorist landscape begins. In today’s world the biggest terrorist threat to most countries is posed by Islamic terrorists. By no means are those jihadists (those who use a false sense of Islam to front their ideology) the only terrorist threat we face. There are many terrorist threats. However, the most acute is the threat of Islamic terrorism.

We should look at terrorist groups as corporations and assess their business models

From a financial institution standpoint, who are we dealing with? Who are our customers? From an organizational perspective, we should look at terrorist groups as corporations and assess their business models. Like financial institutions, terrorist organizations may share many similarities. However, each group deals with different circumstances, which make them unique from one another. Based on their business model, they each have distinct funding requirements. For example, if you compare and contrast organizations such as the Islamic State, al-Qaeda and Hezbollah from a business model perspective, you can begin to assess their similar and differing funding requirements. In building a business model for a terrorist organization you should assess the following five components needed to establish and sustain their operations:

  1. What is their mission statement? What does the organization aspire to be?
  2. What is the desired infrastructure required to support the mission statement?
  3. What are the funding requirements needed to support the desired infrastructure?
  4. What are the funding sources needed to meet the funding requirements?
  5. What are the funding mechanisms (formal and informal banking channels) needed to support the flow of funds through the process of raising, storing, moving and spending money?

In addition to dealing with organizations, financial institutions must be prepared to deal with the individual terrorist actors affiliated with terrorist organizations. The roles of individuals include those of leaders, facilitators, fundraisers, recruiters, foot soldiers or operatives and individuals influenced by and aspiring to support a terrorist organization. Like the organizations themselves, each role or position has specific funding requirements. Some funding characteristics for each role will be similar and some unique to each position and the individual needs of the terrorist actor. At least one commonality they would all likely share is the need to use the formal and informal financial systems to access and spend money. Financial institutions must assess the likelihood of dealing with individual terrorist actors in the roles previously mentioned and in what capacity that would be.

In most instances, when developing red flags or typologies for terrorist actors, financial institutions are inclined to use more generic red flags and not focus more granularly on warning signs for the different specific roles and responsibilities individual terrorist actors perform. Through case studies, law enforcement contacts, analysis of internal financial intelligence and external information sources, such as FATF terrorist financing typologies focused on individuals such as foreign fighters, financial institutions should develop customer profiles for each individual terrorist actor position. In addition, financial institutions should assess the likelihood of dealing with individuals in each possible role.

Emerging Terrorist Trends

Terrorist trends are driven by inherent and adaptive factors. Inherent factors include ideology and politics. They tend to be more static and predictable. The combination of ideology and the aspiration of a terrorist organization, coupled with the political environment in a country or region in terms of the political capacity, corruption and lack of governance, affords terrorist organizations opportunity and a safe haven for growth. Terrorist organizations leverage such opportunity with their adaptability. Adaptive factors include technology and counter-terrorist tactics. They are non-static and tend to continuously evolve. Terrorist organizations exploit and adapt to technology for propaganda, recruitment, fundraising and more. They also adapt to counterterrorism measures taken by the public and private sectors in order to avoid detection and to sustain their operations.

In the last few years, we have experienced the emergence of the Islamic State as the primary terrorist threat to Western nations. Their ability to establish a caliphate in large portions of Iraq and Syria, due to poor governance, allowed the Islamic State to gain strength and incredible wealth. Consequently, they were able to attract thousands of foreign fighters. While the caliphate was strong in 2015 and for the first half of 2016, the emerging and current trend was travel of radicalized jihadists to join the Islamic State as foreign fighters in the caliphate. The Islamic State also encouraged radicalized individuals, who could not travel, to commit terrorist acts at home. The al-Nusra Front, the al-Qaeda affiliate in Syria, also benefited from the influx of foreign fighters to the region. In the latter part of 2016 and into 2017, as the international focus against the Islamic State caused them to lose considerable territory and jeopardize their caliphate, the Islamic State called for recruits to stay home and commit terrorist acts in their home countries. As a result, the threat of homegrown violent extremists and returning foreign fighters has continued to evolve as a significant dangerous trend.

The recent emergence of homegrown violent extremists has led to the phenomenon of the leaderless terrorist model

The recent emergence of homegrown violent extremists has led to the phenomenon of the leaderless terrorist model. Instead of a command and control structure, where terrorist attacks are directed by the organization, the group (in this case the Islamic State) encourages homegrown violent extremists to commit a terrorist attack, where the opportunity presents itself, at the attacker’s discretion.

Funding Flows Terrorists Rely On

There are primarily three funding flows or funding streams terrorists rely on; however, there are many variations to the three funding flows that terrorists can follow. The key for them is having consistent access to funds at select intervals between the point of origin and the point of distribution.

The first funding flow is from the point of origin or source of funds to the organization. Amounts will range from small donations below $100 to revenue streams in the millions of dollars from business holdings, criminal activities, wealthy donors, state sponsors and other sources. This funding stream requires considerable bandwidth to move money.

The second funding flow is from the organization to support an operation. Amounts will generally run between $1,000, or lesser amounts, to multiple thousands of dollars. The money could be sent directly from a group leader or financier to a single jihadist or group of jihadists working together. The more likely scenario for money flowing from the organization to support an operation is to send it through a facilitator to the operative or group of operatives acting in concert. In this scenario, the thousands of dollars flowing from the organization to the facilitator will be further broken down by the facilitator into smaller increments to be forwarded on to the operatives. This would be a form of microstructuring, which could be extremely difficult to detect.

The third funding stream is the funding from the operation to the operatives. This funding stream ranges from hundreds to the low thousands of dollars, as previously described in the step between the facilitator and the operatives. The funding to the operatives would likely be spent in low increments to pay for a terrorist activity. This would represent the final disposition of funds.

The third funding stream, funding to the operatives, has taken on a new variation in the form of a reverse flow. Instead of the money flowing down from the organization, the money is being generated directly by the operatives through their employment income, government assistance, proceeds of criminal activity, family donations and other sources. Essentially, the operatives—mostly acting as aspiring foreign fighters or homegrown violent extremists—are responsible for the source of funds themselves, as opposed to the terrorist organization raising the money for them.

Coupling the differing types of terrorist actors with the multiple variations of the three primary funding streams, the magnitude of the terrorist landscape can become unwieldy and overwhelming.

Institutional Risk

With the overwhelming bandwidth involving terrorism, it is virtually impossible to develop and implement monitoring systems to identify the full gamut of terrorist financing. This is why identifying and assessing specific institutional risk is critically important. All financial institutions regardless of their size, location, products, services or business lines are vulnerable to terrorist exploitation. They are vulnerable to facilitating the funding needs of terrorist actors to include organizations and individuals.

The risks of being exploited by terrorist organizations will differ from the risk of dealing with terrorist operatives. In assessing your institutional risk for terrorist financing, you should evaluate your risks to measure both the likelihood of facilitating terrorist organizational activity and individual operative activity distinctly from each other. You must understand and visualize who you are dealing with and in what capacity. You should develop red flags and typologies that you are more likely to encounter within your institution. The risk categories you should review include geographies, customers, products, services, funding flow and distribution channels.

For terrorist organizations, you should determine which designated organizations pose a current terrorist threat. Based on the above risk categories, you should assess and rank the likelihood of your institution dealing with the different terrorist groups. You should assess the potential customer risk by developing a business model for the terrorist organization and assessing funding flows and distribution channels for potential touch points with your institution.

For individual operatives, you should develop potential scenarios for each of the roles a terrorist might engage in, including the responsibility of leader, facilitator, fundraiser, recruiter, foot soldier or operative, and an individual influenced by and aspiring to support a terrorist organization. Based on the risk categories, you should assess the likelihood that your institution would deal with individuals that fit these roles and responsibilities.

In light of the threat posed by foreign fighters and homegrown violent extremists, you should pay particular attention to the threats posed by individuals influenced and aspiring to support terrorist organizations. The FBI website possesses many case studies for foreign fighters and violent homegrown extremists. Another good source for individual case studies is the Investigative Project on Terrorism.

Placing the Terrorist Landscape in an AML Context

Depending on the size of your financial institution, you should build a dedicated team or designate one or more individuals to assess your specific institutional risk for facilitating terrorist financing. Financial institutions should consider building financial SWAT teams or Critical Incident Response teams, analogous to the law enforcement SWAT team concept, to deal with select AML challenges, such as terrorist financing. Regardless of resource constraints, financial institutions should dedicate resources to develop terrorist financing typologies and to respond to terrorist incidents or suspicious activity that could potentially identify terrorist financing.

Your Critical Incident Response team or designated terrorist financing resource should look at terrorism from an AML perspective and place the terrorist landscape in an AML context. This requires linking the threat, emerging trends, funding flows and risk together in a matrix, analytical report or terrorist financing assessment that can serve as the framework for building terrorist financing typologies specific to your institution.

For example, for the purpose of this article, a sampling from each of the four dimensions will be placed in context with each other to use as a framework to build institution-specific terrorist financing typologies. Please note that these are not all encompassing examples.

Hezbollah is the most dangerous terrorist organization in the world

Beginning with the terrorist threat environment, groups of significant concern include the Islamic State, al-Qaeda, al-Qaeda affiliates including the al-Nusra Front and al-Qaeda in the Arabian Peninsula (Yemen), the Taliban (Afghanistan), al-Shaabab, Boko Haram and Hezbollah. The Islamic State has branched out from Iraq and Syria to other parts of the world. They pose a significant threat to the U.S., Europe and many other countries. Although their caliphate may soon be destroyed, they will continue to operate as an insurgency and remain a serious threat. Al-Qaeda has quietly reconstituted itself and poses a significant threat. The Taliban in Afghanistan has gained control of more territory. In addition to raising funds by controlling drug trafficking, they are now raising considerable funds through taxation and extortion in the territory they control. Al-Shaabab operates from Somalia and continues to pose a regional and to a lesser degree global threat. Boko Haram operates in Nigeria and neighboring countries. They have pledged allegiance to the Islamic State and pose a regional threat. Hezbollah is the most dangerous terrorist organization in the world. They are primarily supporting Syria at this time. If they feel threatened by the West, they will pose a threat. Hezbollah is also the best organized crime family in the world. They possess a global infrastructure that supports their terrorist activities and their criminal enterprise.

From the standpoint of emerging terrorist trends, foreign fighters and homegrown violent extremists radicalized and recruited by the Islamic State, and to a lesser degree al-Qaeda, continue to be the major trend of concern. The Islamic State will likely lose its caliphate in Iraq and Syria within the next year. They will evolve into an insurgency group and will continue to strike out against the West through homegrown violent extremists and returning foreign fighters. They will use a leaderless terrorist model and encourage their followers to attack at their individual discretion. Al-Qaeda has quietly reconstituted itself and the core group will reemerge as a formidable threat. As they gain and hold more territory in Afghanistan, the Taliban will increase their wealth and consequently their strength and pose a greater threat to the shaky stability in Afghanistan.

When considering the funding flows terrorist actors rely on, we need to assess them at both the organizational and individual levels. This requires following the flow of funds though the three funding streams (organizational, operational and individual), and variations thereof. Terrorist actors must have consistent sources of funds and access to funds on an ongoing basis in order to sustain their organizations and operations. For each of the most significant terrorist groups identified that pose potential institutional risk of facilitation at the organizational and/or individual operative level, you should assess the three funding streams and the variations thereof, and visualize how they could flow through your institution.

The final analytical step is to assess your specific institutional risk against the threat, trends and funding flows. How are you affected by geographic risk domestically, regionally and/or globally? What steps can you take to know your customer risk and to assess which customers could be terrorists or terrorist supporters? This is where (from a terrorist group standpoint) you should assess the business model for the most significant terrorist groups. On an individual level, how do you know which customers could be terrorist actors in the role of leaders, facilitators, financiers, recruiters, foot soldiers or operatives, or aspirants, inspired by the Islamic State or other groups? This is where you need to build individual typologies for each role individual terrorist actors might engage in. These typologies can be built from red flags, such as from the FFIEC Manual, FATF guidance and case studies from sources like the FBI and Investigative Project. You should also assess the risk for products, services and business lines. In addition, when assessing these risk categories, you should consider and visualize your institutional risk for facilitating funding flows and distribution channels.


As evidenced in consideration of the scope of the threat environment, emerging trends, funding flows and institutional risk, we face a daunting task when it comes to identifying terrorist financing. There are no quick fixes or shortcuts from a financial institution standpoint. What is required is a meticulous, focused and forward thinking approach. We must methodically take generic and broad based red flags and warning signs and meticulously shape them into institution-specific risk indicators.

This requires understanding and commitment. We must understand the problem or threat and we must dedicate adequate resources to address the problem. To best meet this challenge, we must place the threat environment, emerging trends, financial flows and institutional risks into context with each other. Once the full context is assessed and placed in perspective and focus, we can more effectively and efficiently respond to the challenge. This will allow us to go from a reactive posture to developing proactive strategies.

Finally, in order to maximize the benefit of meaningful financial intelligence we must be forward thinking and innovative about exploiting the information. How can we most effectively improve efficiencies to develop timely and actionable financial intelligence? As an example, one of the biggest challenges we confront today is identifying homegrown violent extremists and foreign fighters. Most homegrown violent extremists have jobs and their customer profiles do not raise any suspicions until they are reported in negative media for committing or attempting to commit a terrorist act. Likewise, foreign fighters who successfully travel to Syria are gone before warning signs are detected. One way to deal more proactively with these challenges is to conduct a cluster analysis or behavioral analysis model whereby you group a set of objects in such a way that objects in the same group are more similar to each other. In addition to your base line transaction monitoring, another example of innovation is to take specific typologies and develop rules for targeted monitoring, where you are monitoring for more specific activity. These examples demonstrate that the more proactive and innovative we can be, the more possible and probable we can make it to identify terrorist financing.

Dennis M. Lormel, CAMS, internationally recognized CTF expert, president & CEO, DML Associates LLC, Lansdowne, VA, USA,

For more information on how to identify and mitigate terrorist financing, please visit

Leave a Reply