The Strait of Hormuz and the State of AML/CFT Compliance

On 7 April 2026, President Donald Trump tweeted that “a whole civilization will die tonight,” raising fears of unprecedented global escalation and placing the Strait of Hormuz at the centre of the world’s attention. Notwithstanding the two-week ceasefire brokered by Pakistan on 8 April 2026, the Strait remained far from open; with Iran controlling vessel traffic and imposing tolls on them, and followed by the US Navy imposing a naval blockade. Regardless of how this conflict unfolds, it has already disrupted global energy markets, strained diplomacy, and caused cascading effects on economies and livelihoods, including in Southeast Asia. In my home country, Malaysia, the ripple effects were already visible. The Malaysian government rolled out a work-from-home policy for up to 200,000 public servants on 15 April 2026 to cut fuel consumption and reduce operating costs. In the Philippines, President Marcos declared a state of national energy emergency, becoming the first country in the world to do so following the war in Iran. In Singapore, the government announced close to SGD1 billion in additional support for households and businesses, triggered directly by the economic fallout from the Strait of Hormuz closure. The conflict has arrived on doorsteps across Southeast Asia.

Conflicts of this scale introduce new vulnerabilities and opportunities, and the state of AML/CFT compliance must evolve to meet both. This article explores three dimensions of that evolution: the fragmentation of shared sanctions language, the redrawing of the ML/TF risk map, and the emergence of adaptive criminal typologies.

1. The Fall of Shared Sanctions Language

In the post-9/11 era, sanctions compliance benefitted from a degree of convergence whereby Western-aligned jurisdictions broadly drew from the same sources such as the UNSCR, OFAC, and EU Lists. However, in periods of intense geopolitical conflict that shift global alliances, sanctions regimes evolve much more rapidly and unpredictably. The State of Israel is a compelling illustration. Israel has never been blacklisted or greylisted by the FATF, and was historically only sanctioned or not recognised by a small number of countries such as Malaysia, Brunei, and Pakistan. Yet the fragmentation was already visible before the current Iran conflict, rooted initially in the Gaza war. In July 2024, Japan imposed asset-freeze sanctions on Israeli settlers for the first time in its history, and in June 2025, the United Kingdom, Australia, and Canada sanctioned senior Israeli government ministers. As the current conflict deepened, the fragmentation accelerated further, with Spain and Turkiye moving toward state-level restrictions, and Turkiye imposing a total import and export ban on Israel. What was once a relatively stable and predictable sanctions landscape has fractured along geopolitical fault lines, with different jurisdictions now operating under materially different sanctions postures toward the same state.

The shifting sanctions landscape creates fragmentation in sanctions regulatory expectations across jurisdiction. More alarmingly, sanctions offences are one of the most unforgiving AML/CFT offences as the offence not only includes deliberate action, but also weak controls. Apart from failure to conduct screening, a delay in updating sanction list, failure to make further enquiries to ascertain whether a potential true match customer is a true match, or inadequate control measures can amount to huge fines. BNP Paribas was fined USD8.9 billion for knowingly processing billions in transactions for Iranian, Sudanese and Cuban sanctioned entities including by stripping information from wire transfers to avoid detection. In Malaysia, HSBC Bank Malaysia was fined RM2.94M for failure to comply with Sanctions requirements, including inadequate control measures (e.g. ineffective maker-checker functions and inadequate system capabilities). 

From a compliance standpoint, institutions are now expected to maintain near real-time sanctions screening capabilities, manage multi-layered exposures across jurisdictions simultaneously, and dedicate sufficient human resources to resolve the inevitable surge in false positive alerts. The bar is no longer just screening; it is demonstrating active, geopolitically-aware risk management.

2. The Redrawing of ML/TF Risk Map

In the current geopolitical and economic uncertainties, one thing is certain: ML/TF risks have been completely redefined. The rapidly changing ML/TF risks are pushing the static approach to risk profiling into a more dynamic and adaptive approach. 

(a) Customer Risk Factors

On the customer side, ML/TF risk levels are no longer based on static risk classification, but rather dynamic exposures to the current conflict. Institutions should identify customer types who are directly and indirectly affected by the conflict and the disruption to the Strait of Hormuz, and reassess their risk levels accordingly. 

Directly affected customers are those whose lives or core businesses are immediately impacted by the conflict. For example, on the ground in Southeast Asia, conflict-displaced high-net-worth individuals and family offices relocating from the Middle East to Southeast Asian financial centres represent an emerging compliance challenge, not because their behaviour is suspicious but because the conflict itself has made it significantly harder to distinguish legitimate capital flight from illicit asset movement, and their documentation may be incomplete or issued by institutions whose own standing is now in question. Meanwhile, businesses whose core businesses are energy and maritime face elevated ML/TF risks as the Strait of Hormuz disruption has compromised the integrity of their supply chain and transaction trail.

Indirectly affected customers are equally critical to reassess, and often more challenging for compliance practitioners because their risk elevation is less visible. Migrant workers and diaspora communities from conflict-adjacent countries may find formal remittance channels disrupted, pushing them toward informal value transfer systems. At the sectoral level, businesses in agriculture, food, and logistics (previously may be considered as ‘low risk’ by some institutions) may find themselves forced into opaque supply chains and alternative trade routes out of operational necessity rather than criminal intent. 

(b) Geographic and Country Risk Factors

Currently, a company headquartered in a ‘safe’ country is no longer automatically low risk. What matters now is not merely the address and postcode, but which corridors it uses. In essence, geographic ML/TF risk has expanded from countries to region-as-risk-unit and corridor risks.

In the context of regional risk, the Gulf Cooperation Council (GCC) states can no longer be risk-assessed in isolation because the conflict coverage extends beyond one individual country. For example, a “clean” country like Qatar or Kuwait may carry elevated risks simply by proximity and interconnectedness. Countries and areas facing humanitarian and energy crises may see a weakening of their AML/CFT oversight.

If a palm oil exporter in Malaysia exports to a buyer from Spain, which passes the Strait of Hormuz corridor, assessing the palm oil’s origin of the country’s ML/TF risk level alone may not be sufficient as the corridor or route has been compromised. The shipment route taken is now an active conflict zone with sanctioned vessels, ghost fleets, and controlled checkpoints. Compliance must now consider geographic ML/TF risks beyond individual countries, extending to the corridors as well.

(c) Product, Service, Transaction and Delivery Channel Risk Factors

Ongoing conflict forces urgency, and urgency demands speed. All parties directly and indirectly involved, including state actors, conflict targets and victims, and affected businesses, need to move assets quickly and with the least friction possible, especially toward safer jurisdictions.

The attack on Iran’s Bank Sepah’s data processing facilities and several cyberattacks on Iranian financial institutions including Bank Melli severely dismantled Iranian formal financial institutions. This is not a one-sided vulnerability, both Israel and the USA’s financial systems are facing severe strains from the economic weight of the prolonged war. Israel's wars since October 2023 have already cost approximately USD112 billion, and the wars adversely impacted credit card expenditure, tourism and supply chains. Meanwhile, major American bank stocks declined; Wells Fargo down 1.94%, JPMorgan Chase down 0.85%, Bank of America down 0.60%, and Citigroup down 0.40%.

When formal financial infrastructures on all sides of a conflict become compromised, threatened, or strained, the entire ecosystem pushes toward alternative, less regulated or entirely unregulated channels. For example, digital asset outflows from Iran’s largest exchange Nobitex surged 700% in the hours immediately after the US-Israeli strikes on 28 February 2026. Iran has since confirmed it is accepting Bitcoin (BTC) as payment for vessels passing through the Strait of Hormuz, with analysts noting this fits perfectly with Tehran's existing sanctions-evasion networks. From a technical compliance perspective however, it is crucial to note that the risk is not uniform across all digital asset transactions. Regulated digital asset business operators are subject to AML/CFT requirements including sanctions screening and reporting obligations. Meanwhile, unregulated platforms and non-custodial wallets carry elevated ML/TF risks where AML/CFT controls are likely to be absent.  A blanket high-risk classification of all digital assets not only mischaracterises the technology, it risks driving activity further toward genuinely opaque channels, making the problem harder, not easier, to detect. 

3. Emerging and Adaptive Typologies

Apart from redrawing the ML/TF risk landscape, conflicts of this scale also create opportunities for economic and politically-motivated criminal activities. 

(a) Scarcity-driven criminal activities

When global supply is disrupted, the incentive for black market and illicit trade soars. With oil prices hitting record highs due to the conflict, energy smuggling has become one of the most lucrative criminal opportunities. In Malaysia, the subsidised RON95 petrol has long created a cross-border arbitrage opportunity for smuggling syndicates due to price gaps with neighbouring countries. In response, Malaysian authorities announced a nationwide ban on RON95 sales to foreign-registered vehicles and intensified enforcement at borders. At sea, sanctioned or smuggled crude is mixed with legitimate supplies via ship-to-ship transfers to disguise its origin, a typology known as oil laundering.

In the logistics sector, businesses facing zero revenue are at elevated risk of criminal syndicate takeover. These hollowed-out zombie companies are then weaponised for trade-based money laundering, generating fake invoices and phantom shipments to move capital across borders under the cover of legitimate trade.

The food and agricultural sector presents an equally serious but less visible risk. The FAO has warned that between 20% to 30% of the world's fertilizers are currently unable to move through the Strait of Hormuz, driving a surge in prices and forcing agricultural businesses to source inputs through alternative, less scrutinised channels. Beyond fertilizers, grains, edible oils, and soft commodities including sugar, cocoa, and coffee are among the cargoes stuck at sea, creating scarcity conditions that historically drive origin laundering, where illegally sourced or non-compliant agricultural goods are falsified with fraudulent audit trails and geolocation data to pass as certified, premium products.

(b) Sanctions-evasion driven criminal activities

The conflict has also accelerated sanctions-evasion driven criminal activities including technology-enabled fraud and beneficial ownership abuses. According to Sumsub's Identity Fraud Report 2025-2026, fraud rates in the Middle East already increased by 19.8%, with Iraq recording the highest fraud rate in the region at 9.7%, reflecting how conflict and instability directly correlate with surging financial crime. Banks across the GCC are already bracing for a significant shift in identity fraud driven by synthetic media capable of bypassing biometric and voice verification systems. Meanwhile, the conflict and Strait of Hormuz disruption pushes affected parties including sanctioned entities and individuals to rethink ways to circumvent the due diligence requirements pertaining to ultimate beneficial ownership.

In the context of technology-enabled fraud, two typologies that already exist are likely to be significantly accelerated by the conflict. The first is synthetic distress identities, where fraudsters use generative AI to fabricate personas posing as refugees or conflict victims to open accounts and receive illicit funds under the guise of humanitarian aid. This typology is particularly difficult to detect because the emotional and geopolitical context makes rigorous due diligence harder to apply without appearing callous. The second is deepfake-enabled onboarding fraud, which presents a serious threat particularly for non-face-to-face business relationships. As remote onboarding surges during conflict, driven by displaced individuals, emergency account openings, and sanctions-driven workarounds, deepfakes allow bad actors to defeat biometric verification and liveness checks in real time. In 2024, a finance worker at multinational engineering business Arup in Hong Kong authorised USD25.5 million in wire transfers during what appeared to be a routine video call with their CFO and senior colleagues. Every participant on that call, except the victim, was an AI-generated deepfake. The FATF flagged this as an emerging priority in its December 2025 Horizon Scan on AI and Deepfakes, and the current conflict is accelerating exactly the conditions that make it exploitable.

In relation to the circumventing of ultimate beneficial ownership identification, sanctioned individuals are likely to be using the urgency and chaos of conflict to restructure their beneficial ownership through layered corporate arrangements and nominee directors, placing distance between themselves and their assets. The pressure to move wealth quickly out of conflict zones means that UBO structures that would ordinarily take months to establish are being rushed through jurisdictions with lighter disclosure requirements. For compliance practitioners, a customer who appeared clean at onboarding may now sit behind a beneficial ownership structure that has been deliberately reorganised to obscure a sanctions exposure. 

(c) Conflict-driven capital flight

The urgency for safety leads to large-scale capital movements from conflict-affected jurisdictions to safer channels and jurisdictions. While capital preservation and asset protection are completely legal, the sheer volume of capital flight presents immense operational challenges for businesses and compliance practitioners, particularly in upholding their obligation to ascertain whether the asset movements are legitimate.

The surge in cross-border transactions from conflict-affected jurisdictions is straining compliance resources, increasing alert volumes, and creating real risks of oversight errors simply due to the pressure of scale. At the same time, compliance practitioners face a genuine balancing act. Being risk-averse, for example flagging all asset movements from conflict-affected jurisdictions for heavy scrutiny, could risk being unfair and discriminatory towards customers who are legitimately fleeing conflict and preserving their livelihoods. Meanwhile, applying a more lenient approach risks non-compliance if controls are deemed insufficient under a risk-based framework. Neither extreme is ideal, and compliance teams face an immense challenge navigating between the two.

As a guide to solve the above dilemma, compliance practitioners should take into account the dynamic risk profiles of their customers, and red flags of illicit capital flight. Red flags that may distinguish legitimate asset preservation from illicit capital flight include structuring or smurfing behaviour, the use of multiple intermediary jurisdictions with no clear rationale, for example a conflict-displaced individual who has relocated to Singapore but is simultaneously routing funds through unconnected regions, and inconsistencies between transaction amounts and the customer's known profile during cross-border transfers.

In the digital asset space, the use of privacy coins or on-chain patterns that deviate from typical capital flight behaviour, such as unnecessary cross-chain bridging, rapid conversion across multiple digital assets, or fragmentation and reconsolidation of funds across multiple wallets, may indicate deliberate obfuscation rather than legitimate wealth preservation.

(d) Politically-motivated criminal activities

When conflict reaches this scale, financial crime is no longer driven solely by profit. States weaponise financial infrastructure while political sympathisers mobilise funding from the ground up. 

On the state level, Iran's targeted strikes on AWS data centres in Bahrain and the UAE caused widespread banking and payment system outages, while US and Israeli strikes destroyed the data processing facilities of Iran's Bank Sepah and triggered cyberattacks on Bank Melli. Criminal actors exploit these disruptions through cyber-enabled financial crime, where system outages are deliberately timed to push through fraudulent transactions, redirect payments, or manipulate records while monitoring controls are offline.

Non-profit organisations (NPOs) and entities with political sympathies to any side of the conflict are also being exploited as conduits for conflict-driven financing. The typology typically involves layering donations through multiple NPO accounts across jurisdictions, using conflict-related humanitarian narratives to justify large inflows, and ultimately moving funds to politically-motivated actors. Red flags include transactions processed during known system outage windows, unusual donation volumes to conflict-related NPOs from anonymous or high-risk sources, and NPOs receiving funds from multiple unrelated jurisdictions with no clear operational rationale.

Conclusion

The Strait of Hormuz is redefining how we approach AML/CFT compliance. Broken alliances revamp sanctions compliance, geopolitical uncertainties redraw the ML/TF map, and political and economic instabilities reshape avenues for illicit activity. From a compliance perspective, practitioners must treat any intelligence, including this article, as a snapshot rather than a complete picture. Given the speed at which this conflict is evolving, the ML/TF risk landscape and the state of AML/CFT compliance will continue to evolve. As seen following the 9/11 era, which triggered an entire revamp of global AML/CFT compliance frameworks, current developments may have a similarly far-reaching impact. 

For businesses, compliance is no longer just about following the rules. Compliance is about proactively monitoring these developments, and innovating controls to protect your business from emerging ML/TF risks. Establishing compliance controls without properly understanding ML/TF risks can lead to serious legal repercussions, and the HSBC and BNP Paribas cases are powerful reminders that inaction carries the same price tag as wilful non-compliance.

Learn More About Us

Pragmax Consulting

Pragmax Consulting is a compliance, risk, and governance consulting firm with a diverse clientele, including a Fortune 500 asset management firm, a global fintech leader in digital payments across international markets, statutory bodies, and various virtual asset management companies.

Website: https://www.pragmaxconsulting.com