April 2026 news round up – Essential AML & Security for you and your business

Our monthly round up of news items which help businesses understand the risks around AML and more

Criminals lose, compliance wins, the smarter way to safeguard your business.

Cyber Security

AML

Pyongyang’s Phantom Coders: The 9‑to‑5 Cyber Threat Hiding in Plain Sight

New research has “lifted the lid” on a vast North Korean scheme that uses fake IT workers to earn money, evade sanctions and gain access to corporate systems worldwide.

According to the reporting, the regime is believed to be directing up to 100,000 overseas-facing developers and IT freelancers, many of whom work remotely under assumed identities, borrowed LinkedIn profiles or hijacked recruitment accounts. These individuals bid for contracts on mainstream job platforms and through third‑party agencies, often delivering competent work while quietly diverting substantial fees back to Pyongyang’s coffers.

Beyond the financial flows, the real risk lies in the level of access these “phantom coders” can obtain. By embedding themselves as contractors or even full‑time remote staff, they may be able to exfiltrate source code, harvest credentials, introduce supply‑chain backdoors or gather reconnaissance for later ransomware and espionage operations. The operation blurs the line between sanctions evasion, cybercrime and state‑sponsored threat activity: hiring decisions made by HR or procurement can, in effect, become an unrecognised sanctions breach and a live cyber‑security threat in one.

For AML and sanctions compliance teams, this model raises several red flags. Payment patterns to “consultants” using mismatched locations, unusual intermediary accounts, crypto off‑ramps or repeated changes in beneficiary details may signal participation in such schemes. Firms should strengthen joined‑up controls between HR, procurement, IT security and financial crime teams: vetting remote hires more thoroughly, scrutinising contractor payment flows, and ensuring that transaction monitoring scenarios recognise the typologies of IT‑worker‑led sanctions evasion.

Comment – This story screams the need for employee screening and elevating the risk thresholds for remote workers. Our EDD-Pro Technology can assist your business with effective and affordable person search and screening. Find out more here.

Source

Organised Crime

AML

From fraud factories to frontlines: Turning the UK’s new anti-fraud plan into Due Diligence action

Bird & Bird’s analysis of the UK Fraud Strategy 2026–2029 shows how the government intends to move from piecemeal responses to a system-wide campaign against fraud, which now accounts for over four million offences a year and is heavily driven by organised crime and overseas scam centres. Backed by more than £250m, the strategy is built around three pillars (Disrupt, Safeguard, Respond) aimed at attacking criminal infrastructure, strengthening public and business resilience, and improving justice and victim support.

On the Disrupt side, the headline change is the creation of an Online Crime Centre, bringing together law enforcement, intelligence, banks, telecoms and tech firms to share data and proactively dismantle fraud networks, from spoofed websites and SIM-swap operations to mule account farms and call centres.

For organised crime, fraud is now a core business model: globalised, tech-enabled, and often run from jurisdictions beyond easy UK reach. The strategy explicitly recognises this, committing to tougher use of sanctions against overseas fraud masterminds, closer cooperation with “high priority” countries, and more aggressive action against the abuse of telecommunications and digital platforms. That has direct implications for due diligence: sectors such as telecoms, online platforms, payment providers and loosely regulated intermediaries will face growing expectations to prove they can spot and shut down fraud-enabling behaviour, not just comply on paper.

For AML and EDD teams, the strategy is also a blueprint for internal change. It pushes firms to treat fraud intelligence as core financial crime data, feeding scam reports, chargebacks and mule typologies into customer risk assessments, onboarding controls and ongoing monitoring, rather than keeping fraud and AML in separate silos.

Practical steps include mapping exposure to high-risk channels (social media leads, high-velocity online payments, cross-border PSPs), reviewing third-party relationships that touch customer journeys, and aligning internal “Stop! Think Fraud” awareness with sharper file documentation and escalation.

Comment – Is it time to start thinking about how SAFE your business is? Visit this page to find out more.

Source

Regulatory

AML

Record £1.96m fine from Guernsey regulator

The GFSC’s public statement on Utmost Worldwide Limited marks the regulator’s largest ever discretionary penalty and a textbook example of how AML control failings can accumulate over time.

Following an investigation launched in 2023, the Commission concluded that Utmost’s life insurance business had serious, systemic deficiencies spanning a decade, including inadequate business‑wide risk assessment, weak EDD on high‑risk customers, poor ongoing monitoring and an over‑reliance on unregulated intermediaries operating in developing countries with weaker financial crime controls. The business model, historic use of international brokers in South and Central America and a shift towards higher‑value, higher‑risk single‑premium policies significantly increased exposure, but the control framework and governance did not keep pace.

On 9 March 2026 the GFSC imposed a £1,960,000 fine on Utmost Worldwide Limited, alongside a £35,000 penalty on former CFO and later CEO Leon Steyn and a £10,500 penalty (plus a prohibition from certain roles) on former Deputy MLRO/Nominated Officer James Watchorn. The Commission highlighted weaknesses in board oversight, risk culture and escalation, and made clear that individual accountability now extends beyond front‑line MLROs to senior finance and executive leaders where they fail to address obvious structural risks.

While Utmost’s cooperation, remediation programme and client re‑rating exercise from late 2023 were treated as mitigating factors, they did not prevent the record sanction.

For AML and due diligence practitioners, several lessons stand out. First, distribution risk is central: extensive use of unregulated or lightly regulated brokers in higher‑risk markets requires robust due diligence, ongoing oversight and clear exit triggers when red flags emerge. Second, “set and forget” risk assessments are no longer acceptable; shifts in product mix, geography and customer profile must be reflected quickly in business‑wide risk ratings and control design. Third, regulators are increasingly willing to look back over a decade or more of files, meaning that legacy books and historic onboarding standards are now a live regulatory exposure rather than a closed chapter.

Firms in Guernsey and other international centres should read this case as a warning shot. It underscores the need for rigorous file refresh programmes, risk‑based reviews of legacy portfolios, and effective challenge from boards on whether distribution channels and high‑risk books are genuinely understood and controlled.

Source

Comment – We help supervised firms strengthen their AML due diligence, investigations, and training so they can evidence robust CDD/EDD, mitigate reputational risk, and stay aligned with regulatory expectations.

Our new enhanced due diligence platform at EDD-Pro enables everyone from small businesses to compliance teams to streamline onboarding and investigations with integrated ID verification, structured searches, and investigator‑grade reporting.
