Harmonising AML Attributes for Effective Financial Crime Prevention

Proposing the development of a STIX-AML extension built on the Structured Threat Information Expression (STIX) framework.

The fight against financial crime in the European Union—whether money laundering, fraud, or other illicit financial activities—is becoming increasingly complex. It relies on a wide variety of data sources, from identity documents and transaction histories to sanctions lists and politically exposed person (PEP) databases. Frameworks such as Anti-Money Laundering (AML), Know Your Customer (KYC), and Know Your Business (KYB) are all critically dependent on this data. However, the fragmented and often unstructured nature of these data sources presents significant obstacles to effective risk analysis, cross-border cooperation, and automation. This leaves financial institutions and regulators vulnerable to increasingly sophisticated threats.

It is important to acknowledge upfront that while standardising and sharing AML-related data is essential to tackling financial crime, there are also legitimate legal and privacy concerns surrounding data sharing. These challenges are primarily within the remit of lawmakers and regulators to resolve. Our role here is to propose technical and structural solutions that support more effective financial crime prevention, within whatever legal frameworks may be established.

Real-World Impacts and Supervisory Gaps

Recent audits across EU member states have exposed serious gaps in AML supervision, underscoring the need for a harmonised and interoperable data approach. In Sweden, five individuals were recently convicted of laundering hundreds of millions of Swedish kronor through local companies, with the funds ultimately benefiting a global criminal network. The court described the operation as an attack on the Swedish tax system, highlighting the international dimension of such crimes.

Similarly, an €18 million VAT fraud scheme was uncovered involving the importation of textiles, shoes, and toys from China via the port of Piraeus in Greece, with Italy as the primary destination. This operation exploited regulatory gaps across EU borders, allowing traders to fraudulently claim VAT refunds in one country while disappearing in another. These examples demonstrate how criminals exploit inconsistencies and jurisdictional fragmentation within the EU.

Weaknesses in Supervisory Frameworks

The deficiencies in AML supervision across the EU are multifaceted. Supervisory practices vary significantly between member states, resulting in uneven enforcement and oversight. Limited inspection coverage means that illicit activity can easily go undetected, particularly among smaller or less-regulated entities.

Poor data quality in company registers and knowledge gaps within supervised entities add further complexity to investigations. In Sweden, the National Audit Office (Riksrevisionen) criticised both the government and the Financial Supervisory Authority (Finansinspektionen) for insufficient efforts to combat money laundering. Their report found that companies under investigation can often escape scrutiny simply by ceasing operations and restarting under a new name—forcing authorities to close cases prematurely. These kinds of loopholes undermine oversight and create opportunities for criminal networks to operate with impunity.

The Need for Standardized AML Attributes

The absence of a harmonized, machine-readable AML data model slows information sharing and detection of cross-border crimes. Fraud, involving direct deception (e.g., phishing), differs from money laundering, which obscures illicit funds through complex methods like shell companies. Standardized AML attributes would improve coordination, detection, and compliance with EU directives (AMLD5, AMLD6) and FATF standards.

A harmonized framework covering identity and behavioral data (e.g., customer credentials, transaction patterns, risk indicators) would enable consistent data collection and analysis. This reduces collaboration friction, enhances detection accuracy, and supports automation, minimizing financial and reputational damage. It bridges gaps between fraud, cybersecurity, and compliance teams, streamlining investigations and reducing false positives.

Standardized data improves transaction monitoring, simplifies Suspicious Activity Reports (SARs), and enhances collaboration with networks like FS-ISAC. Moving from reactive monitoring to proactive, intelligence-led risk management, a unified model supports real-time pattern recognition, addressing emerging threats like synthetic identities and cyber-enabled laundering.

STIX-AML Extension for Structured Risk Intelligence

To support this shift, we propose the development of a STIX-AML extension built on the Structured Threat Information Expression (STIX) framework. This extension would introduce new data structures—such as x-suspiciousactivities, x-kycindividual, and x-kybbusiness—to represent AML, KYC, and KYB attributes in a machine-readable, structured format.

These attributes might include transaction patterns, risk scores, beneficial ownership, and more. The use of STIX ensures interoperability with existing cyber threat intelligence platforms while addressing the specific needs of financial compliance. In the future, STIX-AML could integrate tools like blockchain analytics to track cryptocurrency-related activity and support broader community-driven standards adoption.

As financial crime and cybercrime continue to converge, harmonising AML intelligence is no longer just a technical ambition—it’s a strategic imperative. Stakeholders across the public and private sectors are encouraged to contribute to this effort.

To join the initiative or explore the technical roadmap, visit our contact page or email reachout@njordium.com.

Read the full STIX-AML Extension proposal, download here.

Njordium (2025). STIX-AML Extension Proposal.