Italy’s FIU doesn’t just collect suspicious-transaction reports — it tells obliged entities what “suspicious” looks like, through anomaly indicators and red-flag behaviour schemes that it updates as new typologies emerge. For any firm operating in Italy under the AML decree, these UIF materials are the working definition of a red flag: not a checklist that fires an automatic report, but the reference an analyst reasons against. This piece explains what the indicators and schemes are, their legal basis, the typologies UIF has published, and how they feed the SOS decision.
1. Who issues them, and under what law
The UIF (Unità di Informazione Finanziaria per l’Italia) , housed at the Banca d’Italia, is charged with issuing and periodically updating the anomaly indicators (indicatori di anomalia) for the different categories of obliged entity. The mandate sits in Article 6, paragraph 4(e) and paragraph 7(b) of Legislative Decree 231/2007 (the Italian AML decree). Alongside the indicators, UIF publishes representative schemes of anomalous behaviour (schemi rappresentativi di comportamenti anomali) , drawn from its own financial analysis and feedback from investigative and supervisory authorities.
2. What they are — and what they are not
Indicators are neither exhaustive nor binding. UIF is explicit that the lists are “né esaustivi, né tassativi” — a single indicator being present does not, on its own, oblige a report, and their absence does not excuse one. They orient the analysis; the obliged entity still makes a holistic judgement. Treating an indicator list as an auto-fire trigger produces both defensive over-reporting and missed genuine suspicion.
Anomaly indicators — exemplary lists of operational features or customer behaviours considered potentially indicative of money laundering or terrorist financing, tailored to categories of obliged entity.
Behaviour schemes — narrative typologies that show how a recurring abuse actually unfolds, so an analyst recognises the pattern rather than just the isolated data point.
3. The published schemes — a live typology library
UIF’s schemes are dated and periodically extended as new risks surface. The published set spans, among others:
Typology Communication date
Fraud and cybercrime 8 June 2026
Sanctions-violation-related conduct 7 May 2026
Misuse of public procurement 31 March 2026
COVID-19 / PNRR-related fraud 11 February 2021; 11 April 2022
Fiscal crimes 10 November 2020
Misuse of virtual currencies 28 May 2019
Terrorist financing 18 April 2016; 13 October 2017
Payment-card anomalies 18 February 2014
The recency of the fraud/cybercrime and sanctions schemes (2026) is the point: this is not a static rulebook but a feed. A monitoring programme that mapped indicators once at go-live and never revisited them is already behind. For the crypto-specific angle, the virtual-currency scheme dovetails with Italy’s OAM crypto register obligations.
4. How they feed the SOS decision
The indicators and schemes are detection aids; the reporting duty itself is Article 41 of Legislative Decree 231/2007 — the obligation to file a suspicious transaction report (segnalazione di operazione sospetta, SOS) whenever the entity knows, suspects or has reasonable grounds to suspect money laundering or terrorist financing. In practice the flow is: transaction monitoring surfaces an alert → the analyst tests it against the relevant indicators and schemes → a holistic assessment decides whether the threshold for suspicion is met → if so, an SOS goes to UIF. See our companion guide on how to file a SOS via Infostat-UIF .
5. Wiring them into a monitoring programme
Map each relevant UIF indicator and scheme to concrete monitoring rules and analyst guidance — don’t leave them as a PDF nobody reads.
Subscribe to UIF updates and re-map when a new scheme lands; the 2026 fraud/cybercrime and sanctions schemes are recent examples.
Document the holistic assessment behind each decision — including decisions not to report — because indicators are not auto-triggers.
Align the crypto, sanctions and fraud schemes with the rest of your Italian AML stack — see the Italian AML framework .
6. FAQ
Does hitting one anomaly indicator mean I must file an SOS?
No. UIF states the indicators are neither exhaustive nor binding. A single indicator does not automatically create an obligation to report; the entity makes a holistic assessment. Equally, no matching indicator does not excuse a report where suspicion otherwise exists.
Who issues the indicators — UIF or the Ministry?
UIF issues and updates the anomaly indicators for obliged entities under Article 6(4)(e) and 6(7)(b) of Legislative Decree 231/2007, and publishes the behaviour schemes. Separate indicators exist for public administration bodies.
Are the schemes kept up to date?
Yes. They are dated and periodically extended — recent additions include fraud and cybercrime (June 2026) and sanctions-related conduct (May 2026).
What is the legal basis for the report itself?
Article 41 of Legislative Decree 231/2007 — the duty to file a suspicious transaction report. The indicators and schemes support the detection; Article 41 is the obligation.
7. What to do, today
Pull the current UIF indicators for your entity category and the full scheme library; map them to your monitoring rules.
Set a process to re-map whenever UIF issues a new scheme.
Make sure analysts document the holistic reasoning behind each SOS decision, indicators included.
Connect the indicator framework to your SOS filing workflow so detection flows straight into reporting.
Related: Filing a SOS via Infostat-UIF · The Italian AML framework · UIF and the Archivio Unico
Need more information & guidance?
Reach out to us.
If anything in this note is unclear or your situation does not quite match — book a 25-minute strategy call. A partner will reply within five business days, and tell you straight if we are not the right team for it.
Book a strategy call →