What Netflix's 'The Night Agent' Got Right about Terrorism Financing

Netflix recently released the third season of The Night Agent. Interestingly, the most dangerous moment in the first episode is not the car chase.

Don't worry - no spoilers ahead for those who haven't watched it yet.

In one early scene, an analyst working at FinCEN (the U.S. Financial Crime Enforcement Network) begins investigating a cluster of Suspicious Activity Reports, or SARs. The reports flag large fund transfers from several U.S. companies flowing into a single crypto wallet believed to be linked to a terrorist group. Just as the investigation begins to take shape, the analyst is instructed by his superior to drop it entirely.

For anyone working in compliance or financial crime prevention, that moment is more unsettling than any action sequence, because it exposes a gap that appears far too often in the real world.

Money Laundering (ML) vs Terrorism Financing (TF): Similar, but Not the Same.

Most compliance discussions treat ML and TF as interchangeable. They are not.

The simplest way to frame the distinction:

• Money laundering moves dirty money to make it appear legitimate.

• Terrorism financing can move perfectly clean / legitimate money to fund violence.

This reverses the usual direction of financial crime and changes the questions compliance teams need to be asking.

In AML investigations, the central question is "Where did the money come from?"

In countering financing of terrorism (CFT), the more critical question is "Where is this money going and for what purpose?"

The shift has real consequences for how institutions design transaction monitoring (TM), set risk appetite and train their staff.

Why Terrorism Financing Red Flags are Harder to Detect

One of the biggest operational challenges in CFT is that the transactions are often small — sometimes extremely small.

Terrorist operations can be funded with tens of thousands of dollars, or even less. These amounts may fall well below the thresholds that would normally generate an AML alert, and they may come from entirely ordinary sources:

•        A legitimate business

•        A charity or NGO

•        A family member's salary

•        A crowdfunding campaign

None of these sources would look suspicious on their own. That is precisely what makes TF so difficult to detect using traditional AML methods designed to catch criminal proceeds.

The Red Flags in The Night Agent

The show actually depicts a somewhat unusual TF pattern - large transfers, which are more characteristic of pre-operational logistics funding or a hybrid of money laundering and terrorism financing than typical small-ticket TF.

But look at the transaction pattern as a whole, and several classic terrorism financing red flags at once:

• Multiple unrelated corporate entities all sending funds to a single destination.

• Corporate entities acting as senders, obscuring the ultimate beneficial owners behind layers of business structure.

• A crypto wallet as the destination, which complicates tracing efforts.

• Large transfer volume suggesting layering activity before onward movement.

In a real investigation, seeing this combination would almost certainly escalate the matter beyond a routine review. It is not one red flag — it is four at once.

The Growing Role of Crypto in Terrorism Financing

Cryptocurrency is appearing with increasing regularity in terrorism financing typologies - and for reasons that are straightforward to understand.

It offers several advantages for illicit actors:

• speed of transfer

• cross-border reach

• pseudo-anonymity

• the ability to fragment funds across multiple transaction

The Financial Action Task Force (FATF) highlighted this trend in its July 2025 report on TF risks, noting that virtual assets are now part of a broader “mixed-use” financing toolkit alongside cash, hawala networks, and traditional financial systems.

That said, crypto is not the untraceable channel it is sometimes portrayed to be. Modern blockchain analytics tools can often trace transaction chains across multiple hops and wallet addresses. Investigators with the right tools can follow the money even through complex layering structures.

The challenge is rarely the technology. It is the institutional capacity and willingness to deploy it effectively.

The Compliance Failures in Season 3

The season doesn't just illustrate financial crime typology. It portrays several serious compliance failures, where each one compounding the next.

Tipping off. The superior's attempts to find out whether the analyst disclosed the SAR to anyone closely resembles a tipping-off scenario. In many jurisdictions, attempting to determine whether a financial intelligence filing has been made and to whom, can itself be an offence. Under Malaysia's AMLA, Section 14A prohibits any disclosure of an STR or its existence to an unauthorised party, with penalties of up to RM 3 million or five (5) years imprisonment.

Destruction of records.  Attempting to destroy SAR/STR-related records is an extremely serious act. In Malaysia, reporting institutions are required to retain transaction records for a minimum of six (6) years. Destroying such records, particularly in a terrorism financing context could amount to obstruction of a national security investigation, not just a record keeping breach.

Possible criminal complicity.  The superior's apparent awareness of the suspicious crypto wallet and his decision to actively suppress the investigation raises a harder question: at what point does suppressing financial intelligence become criminal complicity in the underlying offence? In most jurisdictions, including Malaysia - deliberately failing to report suspected terrorism financing is itself a criminal act.

Governance Lessons for Reporting Institutions

Shows like these are a reminder that the integrity of an AML/CFT framework depends not just on policies and procedures - but on whether those controls would actually hold under internal pressure.

• Access logs for suspicious transaction reports (STRs) should record who viewed, modified, or accessed the information.

• Deletion of filed STRs should be technically restricted, requiring multi-party authorisation or system-level controls.

• Whistleblower protection mechanisms are critical, allowing compliance professionals to escalate concerns - including anonymously if necessary.

These controls should not exist only in policy documents. They should be embedded in system design and operational processes.

Fiction - But Not Entirely

The Night Agent is, of course, a tv show.

But the compliance risks it illustrates - suppressed financial intelligence, destroyed records and institutional pressure to look the other way - are very real.

For compliance professional, sometimes the most important action is also the simplest: file the report, protect the record and stand firm.

When it comes to terrorism financing, that decision can have consequences far beyond regulatory compliance.

How Biji Deals Can Help

At Biji Deals, we help reporting institutions design AML/CFT frameworks that are not just technically compliant, but genuinely calibrated to both money laundering and terrorism financing risks.

Our team bring Big 4 consulting expertise to AML/CFT advisory, who understand the regulatory landscape and the operational realities institutions face - but we deliver that expertise at a fraction of the typical consulting cost.

If you would like to assess whether your AML/CFT controls are truly fit for purpose, we'd be happy to have a conversation.