Skip to content
All issues

FinCrime Intelligence Weekly

Issue №7 · Jul 6 – 12, 2026

INTERPOL blocks 31,014 mule accounts in a 97-country fraud sweep, OFAC revokes Iran General License X with ten days to wind down, and the EU beneficial ownership deadline arrives.

FinCrime Intelligence Weekly - Issue 7: The rules moved, the money did not stop
MB

Marco’s Take

Marco Beranzoni

Welcome to Issue 7 of FinCrime Intelligence Weekly. Facts sourced, actions named, no filler. Here is what changed last week and what to do about it this week.

Every story this week is a rule moving under someone’s feet. OFAC pulled Iran General License X six weeks before it was due to expire and left ten days to wind down. The EU’s beneficial ownership deadline arrived, and the register you used to query is now one you have to apply to. AMLA’s customer due diligence rulebook will bind directly, with no national transposition to soften it. And the UK narrowed its enhanced due diligence trigger, though not nearly as far as the headline suggests.

Then INTERPOL published the other half of the picture. Operation First Light blocked 31,014 bank accounts and made 5,811 arrests across 97 countries. Blocked accounts outnumbered arrests by more than five to one, which tells you where the volume sits, and where your controls actually touch this. The rules kept moving. So did the money.

So here is the small, uncomfortable task for this week. Take the one permission or rule your business quietly relies on: a general licence, an enhanced due diligence carve-out, a register lookup that has always worked. Ask who checks whether it still holds, and how fast they would know if it did not. If the honest answer is nobody, that is not a compliance gap. It is an operating risk.

See you next Monday.

Marco

The 5 stories that matter

Regulatory Radar

What changed this week, why it matters, and what to do about it.

US

Beyond the Iran General License X revocation, OFAC issued a further set of actions on 10 July 2026: Iran-related and counter-terrorism designations with a new Iran-related general license, a Democratic Republic of the Congo related general license, and sanctions list updates with an amended Russia-related general license.

Why it matters:The designation and licensing cadence is effectively weekly, and licences are moving as fast as the lists. A team that reads designations but not general licences is watching half the change.

Action:Confirm your SDN (specially designated national) refresh runs at least daily, and add general licence changes to the same change-control process you use for designations.

EU

AMLA (the EU Authority for Anti-Money Laundering) issued a consultation paper on 2 July 2026 on draft implementing technical standards specifying the format for reporting suspicions and providing transaction records under the Anti-Money Laundering Regulation. Its separate consultation on the ongoing-monitoring guidelines closes on 3 September 2026.

Why it matters:A reporting format is a data problem before it is a policy problem, and it lands on the systems team. The monitoring guidelines set the supervisory baseline for transaction monitoring.

Action:Put the reporting-format consultation in front of your systems team now, and file a comment on the monitoring guidelines before 3 September.

UK

The FCA (Financial Conduct Authority) published policy statements on 30 June 2026 setting out its final rules and guidance for the UK regulatory regime for cryptoassets.

Why it matters:The UK crypto regime is now defined, and firms that have been operating ahead of the rules have a finite window to align.

Action:If you are a cryptoasset firm or you bank one, read the final rules against your current permissions and controls, and map the gaps this quarter.

Global

The European Union and the United Arab Emirates concluded the ninth EU and UAE Structural Dialogue on anti-money laundering and countering the financing of terrorism on 9 July 2026.

Why it matters:Structural dialogues tend to precede supervisory and information-sharing changes. For firms with Gulf corridors, the direction of travel is closer alignment and more information exchange.

Action:If you carry UAE exposure, watch for follow-on supervisory expectations and make sure your correspondent due diligence on that corridor is current.

Typology of the week

Scam proceeds through mule accounts and the crypto conversion step

How it works

A victim is cultivated through a romance, investment, impersonation, or business email compromise approach, then instructed to pay a beneficiary account. That account is the mule layer. It is often recently opened, receives many small inbound payments from unrelated payers, and forwards the funds within hours. The money then leaves the banking system: it is converted into cryptocurrency and moved through cross-chain swaps, which break the trail before an analyst opens the alert. INTERPOL's Operation First Light 2026 shows the shape of it. Across 97 countries, police blocked 31,014 bank accounts and made 5,811 arrests, and INTERPOL described one Thai suspect whose digital wallet processed over USD 122.5 million in 10 months, converting romance scam proceeds into cryptocurrencies using cross-chain token swaps. The mule layer is the part a bank actually controls. The conversion step is where its visibility usually ends.

Red flags

  • A recently opened account receiving many small inbound payments from unrelated payers, then forwarding them within hours.
  • Shared device fingerprints, shared phone numbers, or reused identity documents across customers who claim no connection.
  • A bank-to-exchange transfer from an account with no prior cryptoasset history.
  • Inbound payments whose payers later file fraud reports, with the beneficiary account never reviewed.
  • Rapid conversion into cryptocurrency followed by cross-chain movement shortly after funds settle.

Sectors exposed

Retail banks and payment firms holding beneficiary (mule) accounts Cryptoasset exchanges and virtual-asset service providers at the conversion step Electronic money institutions and neobanks with fast onboarding Correspondent banks carrying scam-corridor flows

Controls to review

  • Mule-account detection: do you score recently opened accounts on inbound payer diversity and forwarding speed, not just on value?
  • Fraud to AML handoff: does a confirmed victim payment automatically open a review of the beneficiary account?
  • Conversion-step monitoring: do you flag first-time bank-to-exchange transfers, and does your analytics provider handle cross-chain swaps?
  • Freeze time: how many hours pass between your first alert and an account block, and do you measure it?

Example

A newly opened current account receives forty small payments from unrelated individuals over three days and forwards the balance to a cryptoasset exchange within hours of each credit. No single payment breaches a monitoring threshold. Weeks later, several payers file fraud reports. Only inbound-payer diversity, forwarding speed, and a fraud to AML handoff surface the account before the funds convert and bridge away. This is illustrative of a documented method, not a specific real case.

Enforcement Watch

Recent actions and the control lessons behind them.

  • The mule layer is where the bank actually touches the scam economy

    INTERPOL (Operation First Light 2026)

    Control failure:Across 97 countries, the operation blocked 31,014 bank accounts and made 5,811 arrests. Blocked accounts outnumbered arrests by more than five to one. The accounts sat in banks, and many were only identified after the money had already moved on.

    Lesson:Arrests happen abroad and depend on other people. Account blocks depend on your detection and your speed. Score beneficiary accounts on inbound-payer diversity and forwarding velocity, wire a confirmed fraud payment to open an AML review of the beneficiary automatically, and start measuring the hours from first alert to block.

  • A general licence is a permission with an expiry, not a standing right

    OFAC (Iran General License X)

    Control failure:GL X broadly authorised transactions in Iranian crude oil, petroleum, and petrochemical products, and was valid through 21 August 2026. OFAC revoked it in its entirety on 7 July 2026 and left a wind-down running only to 12:01 am EDT on 17 July. Any firm that could not say which exposures sat under the licence lost the time it needed.

    Lesson:Track every general licence your business relies on, its stated expiry, and the exposures underneath it, in a field you can query. A licence revoked mid-term is not an edge case. It is the reason licence change control belongs next to designation screening, not in a policy folder.

Crypto, Fraud & AI

The conversion step is where your visibility ends

INTERPOL described a single digital wallet that processed over USD 122.5 million in 10 months, converting romance scam proceeds into cryptocurrencies using cross-chain token swaps. That is the step most bank monitoring never sees. Once funds leave a mule account for an exchange, and then bridge across chains, the trail an analyst can follow usually stops. The control response is to move detection upstream, to the bank-to-exchange transfer from an account with no prior cryptoasset history, and to ask your chain analytics provider directly how it handles cross-chain swaps. Treat the answer as a coverage question, not a sales question.

An RTS binds directly, with no waiting room

Compliance teams trained on directives have learned to wait for the national regulator's implementing guidance before touching a procedure. AMLA's customer due diligence regulatory technical standard removes that habit. Once the European Commission adopts an RTS, it applies directly across member states, with no transposition to soften it. What the final text says about the information necessary for customer due diligence is what supervisors will expect to find in the file, in every member state, at the same time. Read the draft against your onboarding data fields now, while it is still a draft you can comment on.

Career & Skills Corner

Learn to read a deregulation for the duty it leaves behind

The UK amendment is the best training exercise a financial crime professional will get this year. On its face it relaxes enhanced due diligence, narrowing the trigger from all complex transactions to unusually complex arrangements, and making it automatic only for the three countries on the FATF Call for Action list. Read HM Treasury's guidance alongside it and the duty survives wherever a high risk is identified in a high-risk third country. The rule got smaller. The obligation did not. That gap is where careers are made and lost. The skill is to read any relaxation twice: once for what it removes, and once for what it leaves standing. Take the amendment, put it beside your own policy, and answer three questions in writing. What automatic trigger has actually gone? What risk-based duty remains? And what, specifically, does my firm now mean by unusually complex? Whoever answers that third question is setting the firm's due diligence perimeter, and it should be someone who has thought about it, not someone who inherited a default. Do that exercise and you will have a document your supervisor, your board, and your auditor all want. More than that, you will have the habit that stops a deregulation becoming a control failure.

What I’m watching next week

Four things are on my desk. First, the GL X1 wind-down closes at 12:01 am EDT on 17 July, and I expect the first questions about what firms booked in the gap to follow quickly. Second, I am watching the European Commission's adoption step on AMLA's customer due diligence standard, because that is when a draft becomes a rule. Third, I want to see how the beneficial ownership registers actually behave in practice now the deadline has passed, member state by member state. And fourth, whether the FATF fraud roadmap and results like INTERPOL's Operation First Light start turning into supervisory expectations on mule-account detection.

Want to do this for a living?

Turn this weekly intelligence into a career. Marco’s AML & Financial Crime course takes you from curious to hireable.

AML & Financial Crime course →