Red Riding Hood and Identity Theft: A Cautionary Tale for AML Professionals

First Appearances can be Deceptive

So we will be considering Identification, Verification and CDD




Disclaimer: this post is not legal or regulatory advice but a lighthearted look at a fairytale through the context of AML. See our disclaimer page.


In the world of fairytales, danger often hides in plain sight. One of the most enduring examples of this is the story of Little Red Riding Hood—a tale of misdirection, deception, and ultimately, the failure to question what doesn’t quite feel right.


But beyond its bedtime-story charm lies a cautionary tale that AML professionals can learn from, particularly when it comes to identity theft, client due diligence (CDD), and the practical application of the Money Laundering Regulations 2017 (MLRs 2017).


This blog explores how Red Riding Hood’s experience offers real-world parallels to anti-money laundering (AML) risk assessments, focusing on how the ‘smell test’ and the ‘senses test’ can help regulated firms avoid being deceived by wolves in granny’s clothing.

The Setup: Identity Theft in the Cottage

In the story, Red Riding Hood arrives at her grandmother’s house only to find something... off. The person in the bed looks like her grandmother, but not quite:


🗣 “What big eyes you have!”
🗣 “What big ears you have!”
🗣 “What big teeth you have!”


Red notices the inconsistencies—but only after walking straight into the danger. 


If this were a real-world scenario, she would have failed to verify the identity of the person she intended to visit. 


The wolf, having stolen Granny’s identity, managed to impersonate a trusted individual and deceived the protagonist.

Identity Theft & Impersonation Risk under the MLRs 2017

Under the Money Laundering Regulations 2017, particularly Regulations 27–30, regulated entities are legally required to:

  • Verify the identity of clients, including beneficial owners (Regulation 28);

  • Assess the purpose and intended nature of the business relationship;

  • Take additional measures when dealing with high-risk circumstances, including when the client is not physically present.


Had Red Riding Hood been a regulated person conducting client onboarding, she would have been expected to identify and verify her client before proceeding. Had she conducted proper due diligence—perhaps asking for proof of Granny’s identity or noticing inconsistencies in the client's profile—she might have realised that something was very wrong.


The wolf’s deception mirrors common fraud and identity theft typologies, where criminals assume the identity of a legitimate person to gain access to services, financial products, or sensitive information.


This is where Enhanced Due Diligence (EDD) and a strong sense of professional scepticism become critical.

The “Smell Test” and the “Senses Test” – If It Doesn’t Feel Right...

In AML terms, when something doesn't look, sound, or feel quite right, it often isn’t. This is where both the smell test and the senses test become invaluable tools for compliance professionals.


  • The "smell test" asks: Does this pass the sniff test? Is there something fishy or unusual here?

  • The "senses test" is broader: Do the pieces fit together? Are there warning signs I’m ignoring?


In Red Riding Hood’s case, the wolf’s voice, face, and demeanour didn’t quite match Granny’s. But rather than pausing to reassess, Red ignores her instincts. 


In real life, gut feeling—combined with policy and training—can be a powerful first line of defence in recognising financial crime.


Regulated firms are expected to take a risk-based approach, and that includes trusting trained intuition, especially when:

  • A client’s behaviour doesn’t align with their stated background;

  • Documents appear tampered with or too convenient;

  • There’s resistance to providing verifiable ID or clarifying the source of funds;

  • Information changes frequently without logical reason.

Client Due Diligence: More Than Just Ticking Boxes

Too often, CDD is approached as a formality, but the Red Riding Hood scenario is a powerful reminder that identity verification must be meaningful, not mechanical.

AML compliance requires a deep understanding of the client—not just who they are on paper, but how their circumstances, conduct, and claims stack up in practice.


Effective CDD includes:


  • Verifying ID documents from independent, reliable sources;
  • Cross-referencing with trusted databases (e.g., adverse media, PEPs, sanctions);
  • Ensuring that the information provided is current, consistent, and logical;
  • Asking, “Does this make sense for this client profile?”


In Red Riding Hood’s case, asking just one more question—"Why are you in bed with the curtains closed, wearing a bonnet and glasses?”—might have saved the day.

What If Red Riding Hood Was a Regulated Firm?

Let’s imagine Red Riding Hood is a regulated legal or financial services provider, and “Granny” is the client. Here’s how it would play out:

AML Set Up: Client Identification
What Red did: Visited on an assumption that the person there would be her granny.
What could be considered: Verified identity via reliable documentation.
  • Confirm identity using Granny’s ID — passport, letters, or other documents she normally carries.
  • Request certified copies of documents, certified by a suitable professional.
  • Consider electronic identification verification and adverse media checks.
  • Red noticed: “What big eyes you have... what big teeth you have!” — warning signs she ignored.

AML Set Up: CDD
What Red did: Took the scenario at face value.
What could be considered: Asked contextual questions, looked deeper.
  • Ask questions only Granny would know (e.g. family details, personal facts).
  • Look for inconsistencies in physical appearance, voice, or behaviour.
  • Don’t rely on assumptions or familiarity — verify, don’t just trust.
  • Red failed to notice that “Granny” didn’t have her usual knitting, glasses, or voice tone.

AML Set Up: Smell Test
What Red did: Ignored the unusual signs.
What could be considered: Raised internal suspicion alerts.
  • Consider if this interaction was expected or unusual.
  • Why is Granny hiding under a blanket, in poor lighting, avoiding eye contact?
  • Why has her appearance or behaviour changed?
  • The Wolf’s urgency and odd behaviour should have raised alarm bells. Red failed the “smell test.”

AML Set Up: Risk Assessment
What Red did: Assumed no risk. Did not perform a risk assessment, due to familiarity.
What could be considered: Undertake a client matter risk assessment. Risk assess the client. Flagged the high-risk situation.
  • Assess whether Granny’s behaviour aligned with previous interactions.
  • Stay alert to changing risk factors — i.e., sudden shift in speech, body language, or refusal to provide proof.
  • A client matter risk assessment is not a static document but a dynamic document.

AML Set Up: Escalation
What Red did: None.
What could be considered: Just like in real AML cases, risk is not static — it evolves. The Wolf’s fraud was gradual, and Red missed or did not properly consider the changes.
  • Document.
  • Update the Client Matter Risk Assessment.
  • Continue making inquiries.
  • Internal Report to the MLRO.
  • MLRO considering whether to Externally Report to NCA, other government agencies and the relevant regulator.

AML Set Up: Culture of Compliance
What Red did: Red did not trust her instincts or the red flags.
What could be considered: Having a culture of compliance enables staff to trust their instincts, ask more questions, obtain 'second sight', refer the client and matter to the MLRO, and seek their approval before proceeding.

The Role of the MLRO and Governance

If Red had spotted the inconsistencies and reported them internally, the MLRO (Money Laundering Reporting Officer) could have stepped in, performed further checks, and potentially prevented the “client” from proceeding.


This highlights the importance of internal reporting lines, governance, and a culture where employees are encouraged to speak up when something feels off. The wolf’s scheme was successful because no one challenged the inconsistencies early on.

Lessons for AML Compliance Professionals

The tale of Red Riding Hood isn’t just a children’s story—it’s a perfect case study in how not to approach client due diligence. In a regulated setting, the consequences of failing to verify identity can be severe, including:


  • Breaches of MLRs 2017, particularly Regulations 28 and 33;

  • Potential enforcement action and civil or criminal liability.

Always Remember:

  • If it doesn’t feel right, it probably isn’t.

  • Ask questions—don’t accept surface-level answers.

  • Use your senses. Use your judgment. Use your training.

Final Thought:

In a world where financial criminals wear many disguises, AML professionals must be ready to see through the costume. Whether it’s a wolf in a bonnet or a fraudster behind forged documents, the principle remains the same: don’t ignore the red flags.


Because in AML, just like in fairytales, the danger is often sitting in plain sight—grinning, with very big teeth.

Sources:

Inspiration - Red Riding Hood Fairy Tale

Money Laundering Regulations

Regulation 27 - Customer Due Diligence 

Regulation 28 - Customer Due Diligence Measures

Regulation 29 - Additional Customer Due Diligence Measures (Financial Institutions) 

Regulation 30 - Timing of Verification

Regulation 33 - Obligation To Apply Enhanced Customer Due Diligence
