Every compliance technology vendor in 2024 is selling AI. Every conference panel includes a discussion of how machine learning will transform AML. Every regulator is issuing guidance on responsible AI adoption in financial services. The hype cycle is at full velocity.
Some of it is warranted. Much of it is not. And a few of the risks are being systematically underestimated.
Having spent years working in both cybersecurity and financial crime compliance, I want to offer an honest assessment — not a vendor pitch, not a regulatory warning, but a practitioner’s view of what AI actually changes in the fight against financial crime and what it does not.
Where AI genuinely helps
Transaction monitoring is the area where AI has delivered the most tangible improvement. Traditional rule-based transaction monitoring systems generate enormous volumes of false positives — alerts that flag legitimate activity as potentially suspicious. Industry estimates consistently put false positive rates at 95% or higher, meaning that compliance analysts spend the vast majority of their time investigating alerts that turn out to be benign.
Machine learning models trained on historical SAR filings, investigation outcomes, and confirmed suspicious activity can significantly reduce false positive rates while maintaining or improving detection of genuine suspicious activity. This is not theoretical — several large banks have deployed ML-based monitoring systems and reported 50–70% reductions in false positive volumes, freeing analysts to focus on genuinely suspicious cases.
Network analysis is another area where AI adds real value. Identifying the relationships between entities — shared addresses, common counterparties, coordinated transaction patterns — is something that graph-based machine learning can do at a scale and speed that human analysts cannot match. The identification of shell company networks, layered transaction structures, and beneficial ownership chains all benefit from algorithmic analysis.
Where it is overhyped
“AI-powered KYC” is, in most implementations, pattern recognition applied to document verification — checking whether an ID photo matches a selfie, whether a document appears genuine, and whether the information on the document matches external databases. This is useful but it is not transformative. The hard part of KYC has never been document verification. It has been beneficial ownership determination, source of funds verification, and ongoing due diligence — areas where AI currently adds less than the marketing suggests.
“Automated SAR filing” is a concept I find genuinely concerning. A SAR narrative requires judgment — the analyst must explain why the activity is suspicious, what pattern it represents, and what additional information might be relevant. Automating this process risks producing narratives that satisfy the formal requirements but lack the analytical substance that makes SARs useful to law enforcement. A well-written SAR narrative is an investigative product. An auto-generated one is a compliance artefact.
Where AI creates new risks
The risk side is where my cybersecurity background becomes directly relevant.
Deepfake identity documents are already being used to defeat KYC processes. Synthetic images that pass automated document verification, AI-generated selfies that match synthetic IDs, and fabricated utility bills and bank statements are available for purchase on darknet markets. The arms race between AI-powered verification and AI-powered forgery is accelerating, and it is not clear that the defenders are winning.
AI-generated phishing is raising the bar for social engineering attacks. The Lazarus Group’s LinkedIn job-offer technique, which compromised the Ronin Bridge, required skilled human operatives to conduct weeks-long fake interview processes. AI can generate convincing professional correspondence, maintain consistent personas across multiple communication channels, and respond contextually to targets’ questions — at scale. The human cost of sophisticated social engineering is being automated away.
Voice cloning and video deepfakes are being used in authorised push payment fraud and business email compromise, with attackers impersonating executives to authorise fraudulent transfers. The UK has seen a significant increase in AI-enabled fraud cases, and similar trends are emerging globally.
What does not change
AI does not change the fundamental challenge of financial crime compliance: it is an adversarial domain. The criminals adapt. Every new detection technique produces new evasion techniques. Every new verification method produces new forgery methods. This dynamic predates AI and will outlast it.
AI also does not solve the institutional and cultural problems that underlie most compliance failures. TD Bank’s $3.1 billion penalty was not caused by inadequate technology. It was caused by a management decision to cap compliance spending. Binance’s $4.3 billion settlement was not caused by poor algorithms. It was caused by a deliberate decision not to build a compliance programme at all. No AI system can compensate for an institution that has decided, at the leadership level, that compliance is not a priority.
The most important variable in financial crime compliance remains what it has always been: institutional commitment. Technology is a tool. Commitment is a choice. AI makes the tool better. It does not make the choice for you.