Policy on paper, risk in practice: What the Iranian property cases reveal about AML controls

• A £15m London property.

• A client introduced through a trusted intermediary.

• A company registered in a low-risk jurisdiction… owned by another company… owned by a trust.

On paper, nothing immediately fails. In reality, this is exactly where things start to go wrong.

The recent scrutiny on Iranian-linked property ownership in London has brought this kind of structure into sharp focus. But it isn't a novel problem and the structures involved are far from unique: layered entities, offshore links, indirect exposure and funds moving through non-high-risk jurisdictions. 

So as the global environment grows more volatile, it's worth asking an uncomfortable question; would your current AML policies, procedures and controls detect and respond to risk that only becomes visible when you connect the dots - when nothing fails but the overall picture doesn't add up.

Most firms have policies and pass audits. But when AML meets time pressure, complex structures and commercial reality, things get missed.

The context

After the 1979 Iranian revolution, sanctions began tightening around Iran's financial system. But regime-linked wealth didn't get caught, instead it shifted into assets. Specifically London assets - stable, prestigious and historically open to foreign capital.

What followed was the quiet accumulation of high-value property across prime postcodes. On paper, these were standard transactions. Behind them sat networks linked to Iran’s ruling elite and their close relatives and associates.

Crucially, the assets aren’t held in their names.

The modus operandi

With hindsight, the red flags are obvious. But at the time of each transaction, every element had a plausible explanation; it's only when you look across the whole relationship that the true risk emerges.

Fronted ownership through specific vehicles
Properties were acquired through an Isle of Man company (Birch Ventures Limited), with the beneficial owner (later-sanctioned Ali Ansari) listed under a Cypriot passport, masking Iranian links at the registry level. The additional citizenship allowed Ansari to open bank accounts and register companies across Europe without Iranian connections appearing in filings. At the point of onboarding, the entity was low-risk on paper.

Concentrated, strategic acquisitions
Over a dozen properties on The Bishops Avenue were purchased for approximately £73m in 2013 alone, spread across multiple agencies to avoid drawing attention. The result was a clustered portfolio of high-value London assets, accumulated quickly and quietly.

Use of a front man
Ansari acted as the visible buyer across the portfolio. Investigations by Bloomberg, OCCRP and Transparency International UK link the underlying beneficial ownership to Mojtaba Khamenei, son of Iran's former Supreme Leader. Ansari denies any financial relationship with Khamenei or the IRGC. He was not sanctioned by the UK until October 2025 -more than a decade after the acquisitions.

Funds linked to opaque revenue streams
Wealth linked to Iranian oil exports was routed through a network of shell companies in the UAE, Isle of Man and Saint Kitts and Nevis, and through European banking channels, before landing in UK property transactions. The funds arrived from reputable institutions. Nothing looked obviously wrong.

Assets positioned before sanctions hit
The 2013 property acquisitions happened during one of the most intensive sanctions periods Iran had ever faced. The structures worked because no individual element triggered a flag: Cypriot citizenship, an Isle of Man registration, European banking routes. Ansari wasn't sanctioned by the UK until October 2025, more than a decade after the purchases. By that point the assets were embedded, titles transferred and ownership structures settled; and a client legitimately classified as lower-risk in 2013 had shifted profile entirely, with no obvious trigger to prompt a reassessment.

Individually, each step passed every check: the structure was valid, the entity registered, the funds arriving clean. The risk wasn't in any single element. It was across the whole picture, accumulated quietly over the length of the client relationship.

Where AML controls break down in practice

This is where things actually go wrong. Not in theory, but in pressured transactions.

1. The “we’ll get it later” onboarding

It’s late in the day, and the transaction is due to close. The client is credible, introduced through a trusted source, and only one piece of ownership information is still missing.

The fee earner makes a call: proceed now, tidy it up later.

What happens

Minimum standards aren't enforced and because progression is possible, it happens. One small compromise rarely feels significant in isolation. But these compromises stack, and the gaps they create are exactly where risk hides.

2. The source of funds that “looks fine”

Source of funds documents are provided. The funds originate from a reputable jurisdiction and are signed by a well-known European banking institution.

But they’ve moved through multiple entities, across multiple accounts, before landing in the transaction. Nothing looks obviously wrong. 

What happens

Evidence is collected, but not interrogated. Plausibility is assessed and ‘passes on paper’. It passes because it exists, not because it makes sense.

3. Clean on paper. Risky in reality

Screening comes back clear. No sanctions hits. At the time of these transactions (2013–2016), the intermediary involved had no sanctions designation, which only came in October 2025. The structure was layered and offshore, but not through any jurisdictions that would have triggered an automatic flag, and there were no obvious high-risk business relationship ties.

Nothing technically fails.

What happens

Binary screening drives the outcome. No hit = low risk. The nuance never gets surfaced and critically, a clean screen at the time of onboarding tells you nothing about what that client relationship looks like a decade later.

The system says 'low risk', so the transaction moves forward.

4. The risk that shows up too late

The client is onboarded, the property transaction completes and the title transfers. Months or even years later, new adverse media appears, ownership structures shift, and the connections between entities become clearer.

No one re-checks, the system doesn’t flag anything, as the client was set as ‘low-risk’, so they are only due for a review three years later.  

What happens

AML is treated as a one-time event in practice, despite ongoing monitoring being a regulatory requirement. The trigger to reassess exists on paper, but if it relies on manual processes or a fixed review cycle, it won't catch a client whose risk profile shifts quietly over a decade.

Everyone assumes someone else is watching.

The shift firms need to make

Most firms miss this because their processes and systems allow them to. If AML is dependent on individual judgment, completed once and never revisited, or is easy to bypass under commercial pressure, it will break in exactly these scenarios.

What's required is a shift from policy on paper to systems that actually enforce it:

• Risk assessments that reflect the whole structure from the outset. Before any screening or verification step, firms need a framework that looks at the full picture of risk a new client or transaction presents: layered entities, jurisdiction combinations, intermediary relationships, and acquisition patterns, rather than evaluating each element in isolation.
• Structural screening that goes beyond binary hits. When a structure is layered across multiple entities and jurisdictions, the screening needs to be conducted on the full beneficial ownership tree, not just whether the immediate clients clear a sanctions list.
• Hard workflow controls that prevent progression when information is missing. If beneficial ownership isn't confirmed, the transaction shouldn't proceed. That needs to be a system constraint, not a judgment call.
• Ongoing monitoring that triggers on change, not just on a three-year review cycle. New adverse media, ownership shifts, or changes in the client's risk profile should automatically prompt reassessment, not sit unnoticed until the next scheduled review.
• Source of funds interrogation, not just collection. Documents need to be assessed for plausibility and coherence across the full chain of movement of assets, not just ticked off as received.

A skilled compliance officer reviewing this client should be able to connect the Isle of Man structure, the Cypriot passport, the clustering of acquisitions and the known intermediary, and surface it for escalation before the transaction progresses. Not because any single element failed, but because the overall picture warranted a closer look.

The problem isn't capability, it's capacity. When a compliance officer is managing hundreds of clients and relationships, the system's job is to make sure nothing like this slips through the gaps, flagging the pattern so the compliance officer can apply their judgment where it matters most.

Bottom line

The question isn’t whether your firm would onboard a client like this. It’s whether you would recognise it for what it is.

It won't arrive labelled as high risk. It will look like Birch Ventures, a valid entity, a clean jurisdiction and funds arriving from a reputable bank. Credible, fast-moving and unremarkable on paper.

The cases regulators are focused on aren't just the ones with obvious high-risk flags. They're the ones that passed every individual check, where the risk only becomes visible when you look across the whole client relationship at once. Catching that requires more than good policy. It requires systems built to connect the dots in real time. That's the difference between a policy that exists and a system that works effectively. 

Image source: Google Maps