Our monthly round up of news items which help businesses understand the risks around AML and more
Criminals lose, compliance wins, the smarter way to safeguard your business.
Cyber Security
AI fraud. Why banks are playing catch-up
Artificial intelligence is no longer a specialist tool used only by large tech firms and data scientists. It is accessible, easy to use, and increasingly being repurposed by criminals to make fraud faster, more scalable, and more convincing. As Tobias Thonak of BearingPoint puts it, AI can “turn even the most foolish into a cunning fraudster”, because it handles the hard work of writing, mimicking and scripting high‑quality content.
For the financial sector, that shift is profound. Generative AI can create realistic phishing emails, deepfake voices, synthetic identities and highly targeted social engineering campaigns that exploit specific people or weak points in a control framework. Where fraud once demanded patience, persuasion and technical skill, many of those requirements have fallen away, replaced by prompts typed into powerful AI models.
Why financial institutions are on the back foot
The finews.com article highlights a structural problem: banks and insurers are at an inherent disadvantage when facing agile, AI‑enabled cyber criminals. Heavily regulated organisations with complex legacy systems cannot change direction quickly, even when new risks are clearly emerging. Criminal groups, by contrast, have no regulatory constraints, can share tools, iterate rapidly, and test their methods across multiple institutions.
This asymmetry manifests in several ways
AI‑generated attacks can be refined continuously until they bypass existing controls, with lessons learned across different banks and insurers.
Legacy technology and fragmented data make it harder for institutions to deploy modern detection, monitoring and analytics tools effectively.
Governance processes, committee structures and risk appetites slow down the adoption of new defensive technologies compared to the pace of attacker innovation.
In simple terms, many institutions are fighting tomorrow’s AI‑enabled threats with yesterday’s systems and processes.
From static controls to intelligent defence
If AI is changing the threat landscape, financial institutions cannot rely on static, rules‑based controls alone. The article points towards a number of shifts that risk, compliance and security teams should already be considering:
Modernising technology stacks, so detection and response tools can be integrated rather than bolted on around legacy systems.
Improving data quality and internal sharing, allowing quicker identification of anomalies, patterns and emerging fraud typologies.
Using AI defensively, for behavioural analytics, anomaly detection and alert triage, instead of relying only on simple rule sets that attackers can learn and circumvent.
Strengthening sector collaboration, including information‑sharing on new AI‑enabled fraud techniques and common weaknesses.
These are not purely technical decisions; they involve culture, governance, investment priorities and a realistic conversation about risk appetite in an AI‑driven threat environment.
Implications for cyber, AML and financial crime teams
Although this is framed as a cyber‑risk issue, the consequences cut across AML, fraud, sanctions and broader financial crime functions. AI‑enabled fraud can affect onboarding (through synthetic or manipulated identities), payments (through convincingly authorised instructions), and investigations (through fabricated or altered digital evidence).
For practitioners, a few practical themes stand out
• Treat digital artefacts, voice, video, documents with more scepticism and look for corroboration.
• Understand how AI is being used inside your own institution, not just by attackers.
• Factor AI‑enabled threat scenarios into risk assessments, testing, and training, including tabletop exercises and red‑teaming.
None of this removes the need for core investigative skills and sound judgement. Instead, it underlines that cyber, fraud and AML teams must operate with an awareness that AI has changed both the scale and sophistication of the attacks they face
Comment – As AI continues to reshape the risk landscape, boards and senior management will expect clearer answers to a simple question, “are we genuinely equipped for AI‑enabled fraud, or are we still defending yesterday’s threats?”
Organised Crime
The Macau model. How Chinese Organised Crime Groups move money worldwide
Macau’s rise as a gambling powerhouse did not just transform the city’s skyline; it also provided the perfect conditions for a distinctive model of Chinese organised crime to take shape. Over time, VIP junkets, high‑roller gambling and side‑betting arrangements fused with underground banking and informal value transfer systems to create what many observers now describe as the “Macau Model”. At its core, this model is about quietly moving large volumes of value across borders for wealthy clients, corrupt officials and criminal networks, often far from the scrutiny of formal banking channels.
The infrastructure built around Macau’s casinos, junket operators, cash‑intensive front businesses, and settlement networks stretching deep into mainland China and the wider region proved highly adaptable. Even after Beijing’s crackdown on VIP junkets and the high‑profile fall of key figures in the sector, the underlying expertise and relationships did not disappear. Instead, elements of the Macau Model have migrated into new hubs and business lines, including offshore gambling, online scams and grey‑market investment schemes linked to property, hospitality and entertainment.
What makes this model particularly resilient is that it is not tied to Macau itself, but to a set of conditions that can be replicated elsewhere: a sizeable Chinese diaspora, demand for discreet capital movement, weak or uneven regulation, and politically connected intermediaries who can protect and facilitate activity. In these environments, the Macau Model serves as a template for blending criminal and licit funds, using a mix of underground banking, digital platforms and apparently legitimate enterprises to obscure the origin and ownership of money.
For financial crime and due diligence professionals, the key takeaway is that this is no longer a niche, location‑specific issue. The techniques refined in Macau now underpin regional and, increasingly, global value‑transfer networks used by Chinese organised crime groups and their partners. Understanding how the Macau Model works and recognising its hallmarks in new markets is essential when assessing exposure to high‑risk clients, counterparties and jurisdictions, particularly where there is a strong flow of Chinese capital and a history of regulatory gaps.
Comment -Is it time to start thinking about how SAFE your business is?, visit this page to find out more.
Regulatory
FCA’s new work programme: Data, duty and tougher oversight
The FCA’s 2026/27 annual work programme offers one of the clearest statements yet of how the regulator plans to supervise firms over the next year and the message is that oversight is about to get tougher.
Building on its five‑year strategy, the FCA sets out four strategic priorities: operating as a smarter regulator, supporting growth and competitiveness, helping consumers navigate their financial lives, and fighting financial crime. This is not just a policy roadmap; it is a signal that supervision will be more data‑driven, more outcomes‑focused and quicker to escalate where firms cannot demonstrate effective control.
A major theme running through the programme is the FCA’s ambition to become a “smarter” regulator by using data, digitised processes and analytics at scale. In practice, that raises the bar for firms: data quality, management information and reporting are now treated as core governance issues, not back‑office problems. Boards and senior managers will be expected to understand their firm’s risk profile, engage actively with regulatory issues, and evidence how controls operate in reality, rather than relying on dense frameworks that look impressive on paper but are poorly implemented.
Financial crime and AML also feature prominently. The government plans to legislate so that the FCA becomes the AML supervisor for legal, accountancy and trust and company service providers, bringing around 60,000 additional firms under its remit. That will require the regulator to deploy its technical capabilities “innovatively and at scale” to deliver more consistent oversight and better disruption of crime.
At the same time, expectations for existing regulated firms are rising: the FCA wants to see financial crime frameworks that work in practice, supported by good‑quality data, calibrated surveillance, and appropriate use of technology and AI within clear governance boundaries.
For compliance and risk teams, the practical takeaway is that the FCA is moving further towards outcomes‑based supervision. Firms will increasingly be judged on whether they can evidence good customer outcomes, resilient operations and effective control of financial crime risk, rather than simply show that policies exist.
With a more joined‑up approach between supervision, intelligence and enforcement, weaknesses surfaced through routine interactions are more likely to trigger formal action if they are not addressed. In this environment, strengthening fundamentals – governance, data, documentation of judgement calls and the real‑world performance of controls is likely to matter more than waiting for the next policy paper.
Comment – We help supervised firms strengthen their AML due diligence, investigations, and training so they can evidence robust CDD/EDD, mitigate reputational risk, and stay aligned with regulatory expectations.
Our new enhanced due diligence platform at EDD-Pro enables small businesses all the way to Compliance Teams streamline onboarding and investigations with integrated ID verification, structured searches, and investigator‑grade reporting.
