This Point of View is for chief compliance officers, heads of financial crime, and BFS operations leaders rebuilding FCC for intelligence-led, AI-native operations.
Financial crime compliance (FCC) leaders can no longer rely on operating models built on more people, more reviews, and more rules. Anti-money laundering (AML) and sanctions fines totaled US$45 billion between 2000 and 2024, as reported by Financial News on February 20th, 2025. This was not due to lack of intent, but because these models were never designed for today’s threats. Rising fraud sophistication, synthetic identities, digital asset misuse, and regulatory fragmentation are pushing legacy approaches past their limits. The pressure on compliance and finance leadership to justify the ballooning costs is mounting, even as regulators are losing patience and criminal networks are growing more inventive.
Financial Crimes Enforcement Network (FinCEN); Office of the Comptroller of the Currency (OCC); Department of Justice (DOJ); Securities & Exchange Commission (SEC); Financial Industry Regulatory Authority (FINRA); Office of Foreign Assets Control (OFAC)
Source: FinCEN, DOJ, SEC, FINRA, OFAC, Gibson Dunn AML Review 2025, KPMG Regulatory Insights, Financial Crime News
This report offers compliance leaders practical guidance across the five operating model shifts (see Exhibit 2), moving beyond rules-based monitoring, unlocking real decision-making capacity, harnessing AI and automation, and building the data and intelligence ecosystems needed to stay ahead of financial crime.
Source: HFS Research, 2026
Rules-based monitoring sits at the core of FCC operations, and most leaders recognize its limits even as they remain dependent on it. At the first line of defense, L1 flags potentially suspicious activity based on predefined rules and thresholds. These rules are easy to explain and validate, but they cast a wide net, generating high volumes of low-context alerts that are also easy to game. Over time, L1 becomes a triage function rather than a true risk function. Because it operates as a stage-gate process, pressure cascades to L2, where analysts investigate flagged alerts, apply judgment, and decide whether to escalate, file a report, or clear the case. But by the time alerts reach them, investigators are already burdened with heavy lifting, before any real judgment can even begin.
A compliance leader noted that rules-based monitoring is structurally gameable, sophisticated actors know exactly how to stay below detection thresholds, and retraining machine learning models on historical suspicious activity reports (SARs) only reproduces the same blind spots. L1 has effectively become a volume delivery mechanism: one leader described receiving 90 flagged accounts across 10 triggers with no way to know which one matters, leaving downstream investigators to absorb the cognitive load. Investigators then spend most of their time on clerical assembly, pulling negative news, extracting know your customer (KYC) data, and stitching it together before any real judgment is applied.
To counter this, FCC leaders must take specific actions:
Decision-making capacity is one of the biggest constraints in FCC programs. The problem is not a lack of talent, but the misuse of talent. Highly trained compliance investigators are still doing clerical work: validating why a rule fired, pulling data from multiple systems, and building narratives to satisfy regulatory expectations. The work shifts from understanding risk to justifying alerts.
We’re not suggesting that FCC leaders should replace rules altogether. Rather, rules must make the process transparent, auditable, and easier to defend with regulators. What FCC leaders must do is change how work gets done. AI and automation should not replace decisions but be balanced with people.
The value of AI and automation extends beyond case handling. It also sits in other parts of compliance work, negative news and external data searches, SAR drafting, model documentation, validation workflows, and perpetual KYC, all of which require outsized effort. This is where AI and agentic AI can make a real difference: embedding those capabilities directly into the compliance function as part of a more intelligent workflow.
Pulling together relevant signals, continuously refreshing data, summarizing risk narratives, guiding next steps, and flagging inconsistencies across sources can reduce noise, improve context, and speed up decision making. The goal is not autonomous compliance, but a rebalancing of work within compliance so people remain focused on judgment, risk interpretation, and escalation, while technology handles the heavy lifting of data collection, triage, monitoring, and documentation.
Fraud and AML are increasingly discussed together, but the reality is more nuanced than a simple convergence. Banking and financial services (BFS) compliance leaders see clear value in bringing them closer from a data and intelligence standpoint, especially as mule accounts, scams, and illicit flows cut across both domains. Firms are increasingly reusing transaction monitoring signals and customer risk data across these workflows.
But full convergence has proved difficult. Fraud operates in real time and focuses on preventing losses and protecting customers. AML is more retrospective, heavily regulated, and shaped by supervisory expectations. Several institutions have tested convergence and stepped back, realizing that a single operating model can slow fraud response or add unnecessary complexity to AML. The direction of travel for FCC leaders is not full integration, but selective convergence through shared data, common risk signals, and aligned intelligence.
Public-private partnerships and ecosystem collaboration are becoming critical, but they are subject to tight regulatory oversight. The challenge for FCC leaders is to share intelligence against networked financial crime while staying within regulatory boundaries on data privacy, accountability, and the use of shared data.
Leaders should also prepare for an expanding risk perimeter across BaaS, fintech partnerships, and API ecosystems, where risk ownership is becoming harder to define. Regulators are pushing firms to prove they understand not just their customers, but also their partners, bringing know your partner (KYP) into sharper focus alongside KYC. This is where perpetual KYC extends to continuous monitoring of both customers and ecosystem relationships. Leaders should not hesitate to develop these partnerships; they must manage the added complexity and risk exposure by ensuring the ecosystem remains controlled, explainable, and well-governed.
Scaling with more people and rules is now unsustainable and misuses talent. FCC must shift from reactive, rules-driven approaches to intelligence-led, AI-native operating models that connect data, decisioning, and action.
For FCC leaders, the key recommendation is to rebalance effort between people, AI, and automation to restore decision-making capacity and improve risk outcomes. Keep judgment, accountability, and regulatory responsibility with people, but use technology to transform how compliance work gets done.
Register now for immediate access of HFS' research, data and forward looking trends.
Get StartedIf you don't have an account, Register here |
With the exception of our Horizons reports, most of our research is available for free on our website. Sign up for a free account and start realizing the power of insights now.
Our premium subscription gives enterprise clients access to our complete library of proprietary research, direct access to our industry analysts, and other benefits.
Contact us at [email protected] for more information on premium access.
If you are looking for help getting in touch with someone from HFS, please click the chat button to the bottom right of your screen to start a conversation with a member of our team.
