Little Red Riding Hood & The Wolf in Granny's Clothing: An AML Cautionary Tale


AML Blog Series - Fairytales and Financial Crime

In the world of fairytales, danger often hides in plain sight. One of the most enduring examples is the story of Little Red Riding Hood — a tale of misdirection, deception, and ultimately, the failure to question what doesn't quite feel right. But beyond its bedtime-story charm lies a cautionary tale that AML professionals can learn from, particularly when it comes to identity theft, client due diligence (CDD), and the practical application of the Money Laundering Regulations 2017 (MLRs 2017).

This blog explores how Red Riding Hood's experience offers real-world parallels to anti-money laundering (AML) risk assessments, focusing on how the 'smell test' and the 'senses test' can help regulated firms avoid being deceived by wolves in granny's clothing.


We See You

Running a Small Law Firm Is Hard Enough Without AML Keeping You Up at Night

You didn't qualify as a solicitor to spend your evenings deciphering the Money Laundering Regulations 2017. You built your firm to serve clients, win cases, and grow a practice you're proud of.


But the regulatory landscape doesn't care about that. The Solicitors Regulation Authority does. And the financial criminals circling your client list certainly do.

The External Problem

AML regulations are complex, constantly evolving, and carry serious penalties for non-compliance.

The Internal Problem

You're not sure if your current processes are actually good enough — and that uncertainty is exhausting.

The Philosophical Problem

You shouldn't have to choose between running your firm and protecting it. There's a better way.


You are not the problem. The wolf at the door is. And the truth is you will need to learn how to deal with wolves. We can support you.

Alexander Christian - And the Wolf

We are based in London and are your local support system.


At Alexander Christian, we are a London-based Law Firm and Business Consultancy with an understanding of Anti-Money Laundering compliance. We work exclusively with small law firms, because we know that your challenges are not the same as a Magic Circle firm with a 20-person compliance team.


We're here to help you:

  • Navigate AML audits 
  • Review your CDD and EDD frameworks
  • Work with your MLROs 

The Crime Scene

The Setup: Identity Theft in the Cottage


Let's set the scene. Red Riding Hood arrives at her grandmother's house - a place she knows well, a person she trusts implicitly. But something is unmistakably off. The person in the bed looks like her grandmother, but not quite. The voice is wrong. The proportions are exaggerated. The whole picture just doesn't add up.


🗣 "What big eyes you have!"
🗣 "What big ears you have!"
🗣 "What big teeth you have!"


Red notices the inconsistencies - but only after walking straight into the danger. She doesn't pause. She doesn't verify. She doesn't cross-reference what she's seeing with what she knows to be true. Instead, she proceeds on assumption alone. And that assumption nearly costs her everything.


If this were a real-world scenario within a regulated firm, Red would have failed at the most fundamental level: she did not verify the identity of the person she intended to engage with. The wolf, having stolen Granny's identity - her clothes, her bed, her home - managed to impersonate a trusted individual and deceive the protagonist entirely. It's a textbook case of identity fraud, dressed up in a nightcap and spectacles.


The parallel to financial crime is striking. Every year, criminals assume the identities of legitimate individuals to gain access to financial products, professional services, and sensitive information. They exploit trust, familiarity, and - most dangerously - the tendency of busy professionals to take things at face value. Red Riding Hood's cottage is, in many ways, the client onboarding room. And the wolf? He's the client who isn't quite who they claim to be.

The Crime

Identity Theft & Impersonation Risk under the MLRs 2017


The Money Laundering Regulations 2017 exist precisely to prevent situations like the one Red Riding Hood found herself in — situations where a person or entity is not who they claim to be, and where the consequences of failing to check can be severe. Under Regulations 27–30, regulated entities are subject to clear and non-negotiable legal obligations when it comes to client identification and verification.

Key Legal Obligations


Regulated firms must, as a matter of law:

  • Verify the identity of clients, including beneficial owners, using reliable and independent sources (Regulation 28)
  • Assess the purpose and intended nature of the business relationship — understanding not just who the client is, but why they are engaging your services
  • Take additional measures when dealing with high-risk circumstances, including when the client is not physically present or when there are grounds for suspicion
  • Apply ongoing monitoring throughout the lifecycle of the business relationship, not merely at the point of onboarding


Had Red Riding Hood been a regulated person conducting client onboarding, she would have been expected to identify and verify her client before proceeding any further. Had she conducted proper due diligence - perhaps asking for proof of Granny's identity, requesting a second form of identification, or simply noticing the glaring inconsistencies in the client's profile - she might have realised that something was very wrong before she sat down at the bedside.


The Wolf's Playbook


The wolf's deception mirrors common fraud and identity theft typologies encountered by compliance professionals daily:

  • Assuming the identity of a legitimate, trusted person
  • Using stolen personal information to gain access
  • Exploiting the victim's familiarity and trust to bypass scrutiny
  • Creating urgency to prevent deeper questioning


This is precisely where Enhanced Due Diligence (EDD) and a strong sense of professional scepticism become not just useful, but critical.







Hunches

The "Smell Test" and the "Senses Test"

If It Doesn't Feel Right, It Probably Isn't


In AML compliance, there's a well-known informal principle that underpins much of practical risk assessment: when something doesn't look, sound, or feel quite right, it often isn't. This is where both the smell test and the senses test become invaluable - and underused - tools for compliance professionals working on the front line.




The "Smell Test" 👃

Does this pass the sniff test? Is there something fishy or unusual here?

This is your first instinctive reaction. It's the moment you look at a client file, a transaction, or a piece of documentation and something feels off — even if you can't immediately articulate why. The smell test is about trusting that initial professional instinct, honed through training and experience.

The "Senses Test" 👁️

Do the pieces fit together? Are there warning signs I'm ignoring?

The senses test is broader and more analytical. It asks you to step back and look at the full picture. Does the client's stated background match their behaviour? Do the documents align with the narrative? Is the source of funds consistent with the client's profile? It's about deploying all your faculties — sight, sound, and judgment.

In Red Riding Hood's case, the wolf's voice, face, and demeanour didn't quite match Granny's. The eyes were too large. The teeth were too sharp. The whole presentation was, frankly, alarming. But rather than pausing to reassess - rather than stepping back and saying, "Hold on, this doesn't add up" - Red ignored her instincts and proceeded.


In real life, gut feeling - combined with policy and training - can be a powerful first line of defence in recognising financial crime. Regulated firms are expected to take a risk-based approach, and that includes trusting trained intuition, especially when:


➤ Behaviour Mismatch

A client's behaviour doesn't align with their stated background, profession, or expected transaction patterns.

➤ Suspicious Documentation

Documents appear tampered with, inconsistent, or too conveniently packaged - as if designed to avoid scrutiny rather than withstand it.

➤ Resistance to Verification 

There's reluctance or outright resistance to providing verifiable ID, clarifying the source of funds, or answering reasonable questions.

➤ Shifting Information 

Information changes frequently without logical reason - names, addresses, beneficial ownership structures that seem to be in constant flux.

Checks

Client Due Diligence: More Than Just Ticking Boxes


Here's the uncomfortable truth that too many regulated firms still need to hear: CDD is not a box-ticking exercise. Too often, client due diligence is approached as a formality - a series of fields to complete, documents to scan, and checkboxes to mark before moving on to the "real" work. But the Red Riding Hood scenario is a powerful reminder that identity verification must be meaningful, not mechanical.


AML compliance requires a deep understanding of the client - not just who they are on paper, but how their circumstances, conduct, and claims stack up in practice. A passport scan is not due diligence. A utility bill is not verification. These are components of a process that must be far more rigorous, contextual, and intellectually honest.

Verify from Independent Sources

ID documents must be verified from independent, reliable sources. Don't rely solely on what the client provides — seek corroboration from external databases, government registers, and electronic verification services.

Cross-Reference Thoroughly

Cross-reference client information with trusted databases — adverse media screening, PEP lists, sanctions registers, and company filings. Look for connections, discrepancies, and patterns that don't fit the stated narrative.

Test for Consistency

Ensure that the information provided is current, consistent, and logical. Does the client's stated income match their transaction profile? Does their business structure make commercial sense? Do the beneficial owners add up?

Ask the Critical Question

Always ask: "Does this make sense for this client profile?" If the answer is no — or even "maybe not" — you have a professional obligation to dig deeper before proceeding.

In Red Riding Hood's case, asking just one question - "Why are you in bed with the curtains closed, wearing a bonnet and glasses?" - might have saved the day. In compliance, that one additional question can be the difference between catching a fraud and facilitating one.

But What Could've Been

What If Red Riding Hood Was a Regulated Firm?


Let's put this into sharper focus. Imagine Red Riding Hood is a regulated legal or financial services provider, and "Granny" is the client walking through the door. How would the fairytale unfold against the framework of proper AML compliance? The contrast between what Red actually did and what she should have done is both instructive and, frankly, a little alarming.


Client Identification

  • What Red did: Visited on assumption alone - assumed the person in the bed was Granny.
  • What should have happened: Verified identity via reliable, independent documentation.
  • What could be considered: Confirm identity using Granny's ID — passport, letters, or other documents she normally carries. Request certified copies of documents, certified by a suitable professional. Consider electronic identification verification and adverse media checks. Red noticed: "What big eyes you have... what big teeth you have!" — warning signs she ignored.

CDD

  • What Red did: Took the scenario at face value without questioning.
  • What should have happened: Asked contextual questions and looked deeper into inconsistencies.
  • What could be considered: Ask questions only Granny would know (e.g. family details, personal facts). Look for inconsistencies in physical appearance, voice, or behaviour. Don't rely on assumptions or familiarity — verify, don't just trust. Red failed to notice that "Granny" didn't have her usual knitting, glasses, or voice tone.

Smell Test

  • What Red did: Noticed unusual signs but ignored them entirely.
  • What should have happened: Raised internal alerts immediately - for further scrutiny.
  • What could be considered: Consider if this interaction was expected or unusual. Why is Granny hiding under a blanket, in poor lighting, avoiding eye contact? Why has her appearance or behaviour changed dramatically? The Wolf's urgency and odd behaviour should have raised alarm bells. Red failed the "smell test."

Risk Assessment

  • What Red did: Assumed no risk due to familiarity — no assessment conducted.
  • What should have happened: Undertake a client matter risk assessment.
  • What could be considered: Assess whether behaviour aligned with previous interactions. Stay alert to changing risk factors. Remember: risk assessments are dynamic, not static.

Escalation

  • What Red did: None whatsoever.
  • What should have happened: Documented concerns and escalated to the MLRO.
  • What could be considered: Document findings. Update the Client Matter Risk Assessment. Report internally to the MLRO. MLRO considers whether to report externally to the NCA and relevant regulators.

Culture of Compliance

  • What Red did: Did not trust her instincts, and ignored the red flags.
  • What should have happened: Operated within a culture that empowers staff to question and escalate.
  • What could be considered: A compliance culture enables staff to trust their instincts, ask more questions, obtain 'second sight', and refer matters to the MLRO before proceeding.

The lesson here is clear. At every single stage of the AML framework, Red Riding Hood made the wrong call - not because she lacked the information, but because she failed to act on it. The red flags were waving. She simply chose not to see them.

Ignoring what was in Plain Sight

The Red Flags Red Missed

Let's be specific about what went wrong. Red Riding Hood didn't just make one mistake — she missed a cascade of warning signals that, in a regulated environment, should have triggered immediate concern and escalation. Here's what she noticed but chose to overlook:


👀 "What Big Eyes You Have!"

The client's physical appearance didn't match the known profile. In AML terms, this is the equivalent of a client presenting documentation that doesn't align with their stated identity — photographs that don't match, signatures that differ, or biometric data that raises questions. Red saw the discrepancy and commented on it, but didn't act.

👂 "What Big Ears You Have!"

The voice was wrong. The manner of speech was different. In a client relationship, this maps to behavioural inconsistencies — a client who suddenly communicates differently, whose tone or approach shifts without explanation, or who appears to be coached in their responses. These are classic indicators of impersonation or third-party control.

🦷 "What Big Teeth You Have!"

The final, most dangerous red flag — the one that directly preceded the attack. By this point, the evidence was overwhelming. In compliance terms, this is the moment when a reasonable professional should have concluded that the risk was unacceptable and disengaged immediately. Instead, Red stayed. And the wolf pounced.

The tragedy of Red Riding Hood — and the tragedy repeated in compliance failures across the regulated sector — is not that the red flags weren't visible. They were. The tragedy is that they were seen, acknowledged, and then systematically ignored. In AML, ignoring red flags isn't just a mistake. It can be a criminal offence.

Document it - Report It

The Role of the MLRO and Governance

If Red had spotted the inconsistencies and reported them internally, the MLRO (Money Laundering Reporting Officer) could have stepped in, performed further checks, and potentially prevented the “client” from proceeding.


This highlights the importance of internal reporting lines, governance, and a culture where employees are encouraged to speak up when something feels off. The wolf’s scheme was successful because no one challenged the inconsistencies early on.

What Should Have Happened

Red identifies the warning signs. She pauses. She documents her concerns. She escalates internally to the MLRO, who has the authority, training, and wider perspective to assess the situation objectively.


The MLRO performs further checks, reviews the evidence, and determines whether:

  • The business relationship should continue
  • A Suspicious Activity Report (SAR) should be filed with the NCA
  • Other government agencies or the relevant regulator should be notified
  • The firm should disengage entirely

Why Governance Matters

The wolf's scheme was successful for one simple reason: no one challenged the inconsistencies early on. There was no second pair of eyes. No escalation pathway. No governance framework that would have caught what Red missed — or, more accurately, what Red chose to overlook.


This highlights the critical importance of:

  • Internal reporting lines — clear, accessible, and free from fear of reprisal
  • Robust governance structures — where the MLRO has genuine authority and independence
  • A culture where employees are encouraged to speak up when something feels off, however small or seemingly insignificant
  • "Second sight" review processes — where another trained professional reviews high-risk or unusual matters before they proceed


The lesson is straightforward: compliance is not a solo endeavour. Even the most diligent professional can be deceived. The system exists to catch what individuals might miss.

What are the 3 Pillars?

Lessons for AML Compliance Professionals

The tale of Red Riding Hood isn't just a children's story — it's a perfect case study in how not to approach client due diligence. In a regulated setting, the consequences of failing to verify identity, ignoring red flags, and proceeding without proper risk assessment can be severe and far-reaching.

⚖️

Regulatory Breach

Breaches of the MLRs 2017, particularly Regulation 28 (CDD measures) and Regulation 33 (obligation to apply enhanced CDD)

⚠️

Enforcement Action

Potential enforcement action from the relevant supervisory authority, including fines, public censure, and restrictions on practice

🛡️

Criminal Liability

Potential civil or criminal liability for individuals and firms 

The Three Pillars

Trust Your Instincts. If it doesn't feel right, pause and reassess.
Ask Difficult Questions. Don't accept surface-level answers. Dig deeper.
Use Your Training. Apply smell test, senses test, and judgment.

These three principles form the bedrock of effective AML compliance. They are not complex. They are not revolutionary. But they are, time and again, the principles that are ignored when things go wrong. Red Riding Hood had the instincts. She had the observations. What she lacked was the discipline to act on them.

Final Thought: Don't Ignore the Red Flags

In a world where financial criminals wear many disguises, AML professionals must be ready to see through the costume. Whether it's a wolf in a bonnet or a fraudster behind forged documents, the principle remains the same: don't ignore the red flags.


Because in AML, just like in fairytales, the danger is often sitting in plain sight — grinning, with very big teeth.


The story of Red Riding Hood endures because it speaks to something universal: the tension between what we see and what we choose to believe.


In the regulated sector, that tension is not merely a narrative device — it's a compliance risk. Every client interaction is an opportunity to get it right. 


Every red flag is a chance to prevent harm. Every instinct is a tool, sharpened by training and experience, waiting to be used.


Use your senses. Use your judgment. Use your training.

3 Steps to Improving your Compliance Journey

Three Steps to AML Confidence


Book a Confidential Consultation

Tell us about your firm, your current AML processes, and your concerns. No jargon, no judgment — just an honest conversation about where you are and where you need to be.



❷ 

We Review, Challenge and Support

We cast an independent eye over your existing AML controls, policies and procedures. We identify gaps, challenge assumptions, and provide honest, objective feedback — giving you a clear picture of where you stand and what needs attention.

Helping you Transform your Compliance

We work with you to execute your request.




The Cost of Inaction

Red Was Too Close to See It. Are You?

Red Riding Hood walked into that cottage with complete confidence. She knew the path. She knew the house. She knew her grandmother. She had done this journey a hundred times before.


And that familiarity was exactly what the wolf was counting on.


Red wasn't foolish. She wasn't untrained. She was simply too near to the problem to see it clearly. She wanted everything to be fine. She was willing - perhaps unconsciously - to acquiesce to the answers she was given, because the alternative was too uncomfortable to consider.


In her reality, in this fairytale, her grandmother was already gone. And she was moments away from being consumed.


This is what proximity does. It creates blind spots. It breeds assumptions. It mistakes familiarity for safety.


In a small law firm, the same dynamic plays out every day. You know your clients. You trust your processes. You've been doing this for years. And that very closeness - that confidence - can be the thing that stops you seeing what an outsider would spot immediately or at least question.


A fee earner who onboards the same type of client repeatedly stops asking the difficult questions. An MLRO who built the firm's CDD policy finds it hard to audit it objectively. A partner who has known a client for a decade struggles to apply enhanced due diligence with fresh eyes.


You cannot be both inside and outside at the same time.

The Cost of Staying Too Close

  • Missing red flags that an independent reviewer would catch immediately
  • CDD processes that look right on paper but fail in practice
  • An MLRO reviewing their own work without independent challenge
  • SRA audit findings that could have been identified — and fixed — in advance
  • Enforcement action, fines, and reputational damage that no firm recovers from quickly

What Independent Second Sight Provides

  • A fresh pair of eyes with no stake in the outcome
  • Honest, objective assessment of your AML controls against the MLRs 2017
  • Challenge and support for your MLRO — without compromising their authority
  • Identification of blind spots before the regulator finds them
  • The confidence that comes from knowing someone independent has reviewed your work

Using an external AML consultant like Alexander Christian has advantages. 

Independence is not a luxury; it is a necessity.


Don't wait for the Wolf - Book your Consultation Today!

Sources:

Inspiration - Red Riding Hood Fairytale

Money Laundering Regulations

Regulation 27: Customer Due Diligence

Regulation 28: Customer Due Diligence Measures

Regulation 29: Additional Customer Due Diligence Measures (Financial Institutions)

Regulation 30: Timing for Verification

Regulation 33: Obligation to apply Enhanced Customer Due Diligence

Tip: 3 Pillars: Use your senses. Use your judgment. Use your training.

Disclaimer: 

This post is not legal or regulatory advice; see our Disclaimer Page.