Anti Money Laundering
How GhostPay Mesh prevents money laundering through cryptographic controls, real-time monitoring, pattern detection, and compliance with Brazilian AML/CFT regulations.
1. Overview
GhostPay Mesh’s Anti Money Laundering (AML) framework is designed to detect, prevent, and report money laundering activities while preserving the privacy-first philosophy of the protocol. Unlike traditional AML systems that rely on identity surveillance, GhostPay’s approach focuses on behavioral and transactional analysis.
The AML system operates on the principle that transaction patterns reveal intent — money laundering behaviors (layering, structuring, rapid movement) create detectable signatures in transaction graphs, regardless of whether the actor’s identity is known.
Three Stages of Money Laundering — GhostPay’s Defenses
graph TB
subgraph "1. PLACEMENT"
P1[Illicit funds enter system]
P2[GhostPay Defense:
Tier limits + device registration]
end
subgraph "2. LAYERING"
L1[Funds moved to obscure origin]
L2[GhostPay Defense:
Transfer chain analysis +
pattern detection]
end
subgraph "3. INTEGRATION"
I1[Funds re-enter legitimate economy]
I2[GhostPay Defense:
Settlement monitoring +
COAF reporting]
end
P1 --> L1
L1 --> I1
P2 -.->|Blocks| P1
L2 -.->|Detects| L1
I2 -.->|Reports| I1
style P2 fill:#1a2e1a,stroke:#00FF88,color:#e4e4e7
style L2 fill:#1a2e1a,stroke:#00FF88,color:#e4e4e7
style I2 fill:#1a2e1a,stroke:#00FF88,color:#e4e4e7
Key Principle: GhostPay’s AML system is designed to catch laundering behavior, not to surveil legitimate users. The system raises alerts based on transaction patterns, not identity profiles.
2. Prevention Architecture
The AML prevention architecture operates at multiple levels, creating overlapping barriers that make money laundering through the GhostPay Mesh network economically impractical.
Structural Controls
- Value Ceiling: Individual PLCs are capped at R$ 1,000 (Tier 1) or R$ 10,000 (Tier 2 with full KYC). This forces launderers to create many small transactions, which are easier to detect through pattern analysis.
- Expiration Enforcement: PLCs expire after 7 days maximum. Laundering schemes that require holding value for extended periods are incompatible with the protocol.
- Chain Depth Limits: The maximum transfer chain depth of 10 hops limits the number of layering steps possible before settlement is required.
- Settlement Chokepoint: All value must eventually be settled through regulated payment rails (Pix, Boleto). This creates a mandatory checkpoint where AML controls are applied.
Economic Deterrents
| Deterrent | Mechanism | Effect on Laundering |
|---|---|---|
| PLC Value Limits | R$ 1,000 per PLC (Tier 1) | Forces high volume of transactions → easier pattern detection |
| Daily Aggregate Limits | R$ 5,000/day per device | Limits throughput → requires many devices |
| Device Registration | Hardware-bound keys | Devices are expensive to forge/replace |
| Reputation System | New devices are untrusted | Takes time to build reputation for higher limits |
| Permanent Bans | Device blocklist via mesh gossip | Caught devices cannot re-enter network |
3. Transaction Monitoring
The transaction monitoring engine processes every PLC event in real-time, building a comprehensive view of value flows across the mesh network.
Monitoring Pipeline
graph LR
A[PLC Events Stream] --> B[Event Enrichment]
B --> C[Real-Time Rules]
B --> D[Graph Analysis]
B --> E[Statistical Models]
C --> F{Alert Engine}
D --> F
E --> F
F -->|Low| G[Monitor Queue]
F -->|Medium| H[Analyst Queue]
F -->|High| I[Auto-Action]
F -->|Critical| J[COAF Report]
Monitored Events
| Event Type | Data Captured | Retention |
|---|---|---|
PLC_ISSUED |
Amount, device fingerprint, timestamp, tier level | 5 years |
PLC_TRANSFERRED |
From/to keys, amount, transfer chain depth, transport method | 5 years |
PLC_SETTLED |
Settlement rail, destination, amount, bearer key, settlement TX ID | 10 years |
PLC_EXPIRED |
PLC ID, last known bearer, amount, reason | 5 years |
DEVICE_REGISTERED |
Device fingerprint, registration tier, timestamp | Lifetime |
TIER_UPGRADE |
Device key, old tier, new tier, KYC method | Lifetime |
Real-Time Metrics Dashboard
AML Monitoring Metrics
{
"monitoring_window": "2025-01-15T10:00:00Z/PT1H",
"metrics": {
"plcs_issued": 45230,
"plcs_transferred": 38100,
"plcs_settled": 32450,
"total_volume_brl": 12450300.00,
"unique_devices": 18340,
"avg_chain_depth": 2.3,
"alerts_triggered": 12,
"devices_blocked": 2
}
}
"monitoring_window": "2025-01-15T10:00:00Z/PT1H",
"metrics": {
"plcs_issued": 45230,
"plcs_transferred": 38100,
"plcs_settled": 32450,
"total_volume_brl": 12450300.00,
"unique_devices": 18340,
"avg_chain_depth": 2.3,
"alerts_triggered": 12,
"devices_blocked": 2
}
}
4. Suspicious Pattern Detection
The pattern detection engine identifies money laundering typologies adapted to the GhostPay Mesh context. Each pattern has specific detection logic and assigned severity.
Detected Patterns
| Pattern | Description | Detection Method | Severity |
|---|---|---|---|
| Structuring (Smurfing) | Breaking large amounts into many small PLCs just below reporting thresholds | Aggregate analysis per device + temporal clustering | HIGH |
| Round-Tripping | PLCs transferred in a cycle, returning to the original issuer or a related device | Graph cycle detection in transfer chain | HIGH |
| Rapid Layering | PLCs quickly passed through multiple intermediary devices before settlement | Chain depth + velocity analysis | MEDIUM |
| Fan-Out/Fan-In | Single device issues many PLCs to different devices, which then settle to a single destination | Graph topology analysis (star patterns) | CRITICAL |
| Mirror Transactions | Symmetric PLCs of equal value flowing in opposite directions between two devices | Bi-directional flow analysis | MEDIUM |
| Device Farm | Multiple devices with correlated behavior patterns suggesting coordinated operation | Behavioral clustering + temporal correlation | CRITICAL |
| Dormant Activation | Previously inactive device suddenly processes high volume of transactions | Baseline deviation + burst detection | MEDIUM |
Graph Analysis
The AML engine builds a real-time transaction graph where nodes are device public keys and edges are PLC transfers. Graph algorithms detect structural patterns indicative of laundering:
graph TD
subgraph "Fan-Out / Fan-In Pattern"
S[Source Device] -->|PLC 1| M1[Mule 1]
S -->|PLC 2| M2[Mule 2]
S -->|PLC 3| M3[Mule 3]
S -->|PLC 4| M4[Mule 4]
M1 -->|Settle| D[Destination Account]
M2 -->|Settle| D
M3 -->|Settle| D
M4 -->|Settle| D
end
style S fill:#2e1a1a,stroke:#ff5f57,color:#e4e4e7
style D fill:#2e1a1a,stroke:#ff5f57,color:#e4e4e7
style M1 fill:#1a1a2e,stroke:#A855F7,color:#e4e4e7
style M2 fill:#1a1a2e,stroke:#A855F7,color:#e4e4e7
style M3 fill:#1a1a2e,stroke:#A855F7,color:#e4e4e7
style M4 fill:#1a1a2e,stroke:#A855F7,color:#e4e4e7
Graph Analysis Scope: Transaction graphs are analyzed within rolling windows (1 hour, 24 hours, 7 days, 30 days). Long-range patterns that span multiple windows are detected via persistent graph features stored in the analytics database.
5. Limits & Controls
AML-specific limits complement the general transaction limits defined in the Compliance documentation. These controls are specifically designed to constrain laundering operations:
AML-Specific Thresholds
| Control | Threshold | Action | Regulation |
|---|---|---|---|
| Single PLC Reporting | R$ 10,000+ | Automatic COAF report | Circular 3,978 Art. 13 |
| Daily Aggregate Reporting | R$ 50,000+ per device | Automatic COAF report | Circular 3,978 Art. 13 |
| Monthly Aggregate | R$ 150,000+ per device | Enhanced due diligence | FATF Rec. 10 |
| Suspicious Pattern | Any amount | SAR filing within 24h | Circular 3,978 Art. 14 |
| Cross-border PLC | R$ 5,000+ | Enhanced monitoring + COAF | Circular 3,978 Art. 16 |
Cascading Block Mechanism
When a device is flagged for AML violations, the system applies cascading blocks that affect related devices:
- Primary Block: The flagged device is immediately suspended from issuing or settling PLCs
- Secondary Block: Devices that received > 5 PLCs from the flagged device in the last 30 days are placed under enhanced monitoring
- Tertiary Block: If the flagged device is part of a confirmed device farm, all devices in the cluster are blocked
6. Reporting Capabilities
The AML reporting system generates structured reports for regulatory authorities, internal compliance teams, and audit purposes.
Report Types
| Report | Recipient | Frequency | Format |
|---|---|---|---|
| Suspicious Activity Report (SAR) | COAF | Within 24h of detection | COAF XML Schema |
| Currency Transaction Report (CTR) | COAF | Within 24h of threshold | COAF XML Schema |
| Monthly AML Summary | BACEN + Internal | Monthly | JSON + PDF |
| Device Risk Report | Internal Compliance | Weekly | JSON |
| Graph Analysis Report | Internal Compliance | Daily | JSON + Graph export |
| Regulatory Audit Package | BACEN / Law Enforcement | On demand | Encrypted ZIP |
SAR Structure
Suspicious Activity Report
{
"report_id": "SAR-2025-001547",
"report_type": "SUSPICIOUS_ACTIVITY",
"filing_date": "2025-01-15T14:30:00Z",
"detection_method": "PATTERN_FAN_OUT_FAN_IN",
"risk_score": 87,
"subject": {
"device_fingerprint": "sha256:a1b2c3...",
"device_pubkey": "ed25519:9f8e7d...",
"tier": 1,
"registration_date": "2025-01-10T08:00:00Z"
},
"suspicious_activity": {
"pattern": "Fan-out to 8 devices, fan-in to single Pix key",
"total_amount_brl": 7840.00,
"plc_count": 8,
"time_window": "PT2H",
"related_devices": 8
},
"supporting_data": {
"plc_ids": ["plc_7f3a...", "plc_8e4b..."],
"transfer_chains": "<base64 encoded>",
"graph_snapshot": "<base64 encoded>"
}
}
"report_id": "SAR-2025-001547",
"report_type": "SUSPICIOUS_ACTIVITY",
"filing_date": "2025-01-15T14:30:00Z",
"detection_method": "PATTERN_FAN_OUT_FAN_IN",
"risk_score": 87,
"subject": {
"device_fingerprint": "sha256:a1b2c3...",
"device_pubkey": "ed25519:9f8e7d...",
"tier": 1,
"registration_date": "2025-01-10T08:00:00Z"
},
"suspicious_activity": {
"pattern": "Fan-out to 8 devices, fan-in to single Pix key",
"total_amount_brl": 7840.00,
"plc_count": 8,
"time_window": "PT2H",
"related_devices": 8
},
"supporting_data": {
"plc_ids": ["plc_7f3a...", "plc_8e4b..."],
"transfer_chains": "<base64 encoded>",
"graph_snapshot": "<base64 encoded>"
}
}
7. Compliance with Brazilian Regulations
GhostPay Mesh’s AML framework is specifically designed to comply with Brazilian anti-money laundering regulations:
Circular BCB 3,978/2020
The primary AML regulation for financial institutions in Brazil. GhostPay’s compliance includes:
- Art. 2 (Risk-Based Approach): The tiered identity model implements progressive KYC based on risk levels. Low-risk transactions (Tier 0/1) require minimal identification; high-risk transactions (Tier 2) require full KYC.
- Art. 10 (Customer Due Diligence): At Tier 2, full CDD is performed including CPF/CNPJ verification, document validation, and PEP (Politically Exposed Person) screening.
- Art. 13 (Record Keeping): All PLC transactions are recorded in the append-only ledger with 5-year minimum retention for transaction data and 10-year retention for settlement records.
- Art. 14 (Suspicious Transaction Reports): Automated SAR filing within 24 hours of detection. Reports are submitted to COAF in the prescribed XML format.
- Art. 16 (Enhanced Due Diligence): Applied automatically when cross-border transactions, PEPs, or high-risk patterns are detected.
Law 9,613/1998 (Anti Money Laundering Law)
- Art. 9: GhostPay registers as a reporting entity with COAF as an electronic payment institution.
- Art. 10: Transaction records are maintained for the legally required minimum of 5 years after the relationship ends.
- Art. 11: Automatic notifications to COAF for transactions exceeding R$ 50,000 or matching suspicious patterns.
COAF Resolution 40/2021
Specific requirements for virtual asset service providers:
- GhostPay implements all required AML/CFT controls for virtual asset operations
- Travel Rule compliance for transfers above R$ 1,000 (device public key serves as originator/beneficiary identifier)
- Ongoing monitoring and risk assessment of the virtual asset ecosystem
Regulatory Status: GhostPay Mesh maintains active registrations with COAF and BACEN. The AML program is audited annually by an independent compliance firm.
8. Sanctions Screening
While GhostPay’s privacy-first design means most transactions involve pseudonymous identifiers, the system still performs sanctions screening at key touchpoints:
Screening Points
- Tier 2 Registration: When a user provides CPF/CNPJ for KYC, the information is screened against OFAC SDN, UN Sanctions, EU Sanctions, and Brazilian MRE (Ministério das Relações Exteriores) lists.
- Settlement Destinations: Pix keys and bank accounts used for settlement are screened against known sanctioned entities.
- Behavioral Sanctions: Even without identity data, devices exhibiting patterns consistent with sanctioned region activity (based on mesh network topology) are flagged.
Screening Update Schedule
| List | Source | Update Frequency |
|---|---|---|
| OFAC SDN | U.S. Treasury | Every 6 hours |
| UN Consolidated | UN Security Council | Every 12 hours |
| EU Sanctions | European Commission | Every 12 hours |
| Brazilian MRE | Ministério das Relações Exteriores | Every 6 hours |
| PEP Database | CGU + TSE | Daily |
Sanctions Match: Any confirmed sanctions match results in immediate account freeze, transaction block, and mandatory reporting to COAF within 24 hours.