Key insights:

• • • The Panama Papers transformed beneficial ownership 鈥� The release of the Papers in 2016 changed the idea of beneficial ownership from a technical compliance footnote into a global policy imperative, and the pressure has not let up.

    • Regulatory responses have been significant but uneven 鈥� The EU has pushed forward aggressively, while US reforms under the Corporate Transparency Act have been substantially narrowed.

    • For compliance professionals, the enduring lesson is not about any single regulation 鈥� Rather, compliance professionals should have one goal: Maintaining the discipline of asking who, ultimately, is behind the transaction.

When 11.5 million documents from Mossack Fonseca were published on April 3, 2016, compliance teams across financial institutions around the world faced unprecedented pressure from senior leadership to prove they actually knew the true identities of their clients’ beneficial owners. A decade later, establishing that ultimate ownership remains both the most important and the most difficult task in anti-money laundering compliance.

A watershed moment, but not a starting point

It would be a mistake to credit the Panama Papers with inventing beneficial ownership as a compliance concern. The Financial Action Task Force (FATF), an intergovernmental organization created to promote anti-money laundering (AML) activities, had long emphasized the risks of anonymous shell companies. The United Kingdom was already developing its Persons with Significant Control register; and the United States鈥� Treasury Department鈥檚 Financial Crimes Enforcement Network (FinCEN) had a draft of customer due diligence guidance in circulation before a single Mossack Fonseca document was made public.

Yet, what the leak of the Panama Papers did was something more powerful than create law 鈥� it created political will.

The leak showed, with granular specificity, how shell companies, nominee directors, layered trusts, and intermediary accounts could be stacked together to place meaningful distance between regulators and the individuals who actually control the assets. These were not fringe techniques; rather, they were routine services offered at scale to clients in more than 200 jurisdictions. The “gatekeeper problem” 鈥� the tendency of lawyers, accountants, and formation agents to introduce clients without responsibility for verifying who those clients ultimately were 鈥� was no longer theoretical. It was documented, widespread, and systemic.

What the decade of response produced

The regulatory response to the Panama Papers was substantial, even if ultimately uneven in execution.

In the US, FinCEN’s 2016 CDD Final Rule standardized what many institutions were doing selectively: requiring identification and verification of beneficial owners of legal-entity customers using a 25% ownership threshold and a control prong. For the first time, this was an enforceable expectation across covered financial institutions 鈥� not a best practice, but a mandate.

The regulatory response to the Panama Papers was substantial, even if ultimately uneven in execution.

Globally, the momentum was stronger. The European Union moved through successive Anti-Money Laundering Directives, expanding registration requirements and tightening obligations for designated non-financial businesses and professions. Ultimately, the EU established the Anti-Money Laundering Authority (AMLA) in its 2024 package to deliver cross-border supervisory consistency. And the FATF’s revised Recommendation 24 in 2022 raised the bar further, shifting the mission from collecting beneficial ownership data to ensuring it is accurate, current, and verifiable, with timely access for competent authorities. Having a register is not the same as having reliable information, and regulators have spent a decade making that distinction explicit.

The 2020 FinCEN Files added a further dimension. Where the Panama leak exposed the formation agents who were enabling shell company abuse, the FinCEN Files implicated the banks themselves, showing that suspicious activity reports (SARs) were being filed on transactions that institutions continued to process. Together, these successive leaks sustained the political will that the Panama Papers first generated.

The data is only as good as what’s behind it

The Panama Papers exposed that beneficial ownership frameworks could be gamed in ways that left regulators technically satisfied but substantively blind. Nominee arrangements created paper trails that went nowhere, and outdated register entries gave the appearance of compliance while concealing real control.

The lesson that proved most durable is that transparency requires verification, accessibility, and enforcement working together. A register without verification is a filing cabinet, verified data without accessible reporting channels is compliance theater, and accessible data without enforcement consequences for misrepresentation is an honor system.

For compliance professionals today, this translates into a concrete operational expectation. Enhanced scrutiny for complex legal entity customers is not optional. Nominee arrangements, offshore links, unexplained control structures, and identifying a politically exposed person (PEP) are not risk factors to note and move past. They are the scenarios that point to where the framework is most likely to fail, and examiners know it.

Where the picture gets complicated

Today, further progress is real, but uneven. In the US, the Corporate Transparency Act of 2021 was the most ambitious attempt to extend beneficial ownership reporting to companies themselves, not just the financial institutions serving them.

Under FinCEN’s March 2025 interim final rule, that ambition has been significantly narrowed: US-formed entities and US persons are now exempt, with reporting obligations falling primarily on certain foreign entities registered to do business domestically. That outcome followed a prolonged and contentious legal battle, involving multiple conflicting injunctions, a Supreme Court intervention, and sustained pushback from small business and industry groups, which ultimately made a political resolution rather than a judicial one the path of least resistance for the U.S. Treasury Department.

听The core problem shone by the Panama Papers leak in 2016 remains unresolved. A decade of regulatory response has only narrowed it.

Real estate reporting faces its own legal turbulence, with the Residential Real Estate Rule vacated and on appeal; and investment adviser AML coverage has been pushed to 2028, a delay driven in part by industry objections and competing agency priorities. These are not minor footnotes; rather, they are meaningful gaps in a system that was supposed to be closing.

Enforcement outcomes globally have been equally inconsistent. Panama’s own courts in a major Panama Papers-related trial in 2024. And Germany charged , the firm’s co-founder, in 2026. Jurisdiction still matters enormously, which is precisely what offshore structures were designed to exploit.

The durable lesson

Of course, none of this means the decade of reform was without consequence. It simply means the work is not done.

The Panama Papers’ most important legacy is not any specific regulation; rather it鈥檚 a permanently elevated expectation around knowing your customer, not just by name, but by ultimate beneficial owner, control structure, the credibility of information on file, and the ongoing monitoring that keeps that picture current. The most effective AML programs treat beneficial ownership as a living element of the customer relationship, not a checkbox at onboarding.

Still, the core problem shone by the Panama Papers leak in 2016 remains unresolved. A decade of regulatory response has only narrowed it and made it significantly harder to exploit, but as compliance professionals know better than most, the absence of a finding is not the same as the absence of risk.

You can find out more about the challenges of fraud identification and prevention here

Key insights:

• • • Fraud management works best as a connected workflow 鈥斕鼳ligning corporate fraud, AML, compliance, and investigation teams can strengthen visibility and response.

    • Monitoring must move beyond on-boarding听鈥� Existing customers require ongoing risk-based review, smart alerts, and transaction monitoring that can identify potentially suspicious behavior without overwhelming teams.

    • AI can accelerate investigations, but humans remain essential听鈥� AI-driven automation helps process data and prioritize alerts; however, skilled analysts are still needed to provide context, judgment, and industry expertise.

Fraud prevention represents only the first step in comprehensive fraud management. Organizations must develop robust detection and investigation capabilities to identify fraudulent activity and respond effectively.

Indeed, the most successful organizations think about fraud management in a systematic way, says Andrew Pellington, a senior director in Risk & Fraud solutions at 成人VR视频. 鈥淭he most successful organizations think about fraud management in more of a workflow phase that moves systematically from initial prevention through ongoing detection and into detailed investigation,鈥� explains Pellington.

Phases of organizational structures

Understanding how these phases interconnect and then building the proper organizational structures to properly execute them can help corporate risk, fraud & compliance teams create the foundation for effective fraud protection. These phases include:

1. Build organizational alignment across fraud and compliance functions

One of the most significant structural shifts in fraud management is the convergence of corporate fraud and anti-money laundering (AML) departments. Historically siloed, these functions are increasingly merging because fraud and money laundering are deeply intertwined. Fraudsters commit fraud, obtain illicit proceeds, and then need to launder those funds 鈥� effectively, two sides of the same coin, Pellington notes.

That means, financial and non-financial institutions can benefit from unified teams sharing data, processes, and expertise; and this convergence extends beyond AML and fraud to prevention, detection, and investigation phases. Organizations can gain competitive advantage when these functions share integrated toolsets, consolidated data sources, and cross-departmental communication. Before sharing knowledge across institutions, however, organizations must first establish robust information sharing across their own departments.

2. Establish monitoring systems for existing customers and accounts

As your organization moves through the fraud management workflow, the focus shifts from high-volume account opening activities to continuous monitoring of existing customers and account holders. This phase requires different tools, processes, and resources than does prevention.

Monitoring 鈥� both proactively and reactively 鈥� allows organizations to identify suspicious patterns and behaviors, then sophisticated systems must track transactions across time, identify deviations from normal behavior, and flag accounts for review.

Proactively, organizations should segment customers by risk level and establish review cycles: monthly for high-risk customers, semi-annual for medium-risk, and annual for lower-risk accounts. Reactively, they should deploy adverse media and sanctions alerts against public records, coupled with transaction monitoring models that specifically identify potential money laundering or structuring patterns.

“As you move through the monitoring, now you’re looking at your existing customers and account holders, and then you get alerts thereafter,鈥� Pellington explains.

3. Implement alert systems and prepare for regulatory scrutiny

While effective monitoring generates alerts that bridge passive systems and active investigation teams, these alerts need to be calibrated to identify genuine fraud risks without overwhelming investigators with false positives. This requires regular tuning and coordination between technology and investigation teams.

Organizations should adopt scenario planning and war games to test their processes by simulating potential fraud cases, regulatory inquiries, and adverse media incidents. Fraud incidents are a matter of when, not if, Pellington says, and those organizations that proactively test their response processes 鈥� rather than waiting for actual events 鈥� will maintain regulatory confidence and demonstrate institutional readiness.

4. Leverage AI while maintaining human expertise in investigations

While AI-driven automation of some work processes is a big advantage, deeper dive investigations require specialized expertise that cannot be fully automated. This is where generative AI (GenAI) and agentic AI can create significant opportunities. Agentic AI can prescreen alerts and determine which warrant investigation; and GenAI can rapidly produce enhanced due diligence reports by pulling together transaction histories, communications, vendor relationships, and public records.

Automating this work frees specialized fraud analysts to focus on what humans do best 鈥� applying industry knowledge and making judgment calls. Indeed, investigation is equal parts art and science, Pellington explains, adding that AI excels at the science 鈥� processing data at scale, and humans excel at the art 鈥� understanding context, industry fraud typologies, and customer relationships.

5. Transform data into knowledge and wisdom

The final critical gap Pellington identifies is the journey from information to knowledge to wisdom. Organizations possess unprecedented volumes of data, yet many drown in it without extracting actionable intelligence.

More data doesn’t guarantee better decisions; and organizations must elevate information to knowledge, understanding what their peers are doing, what best practices exist, and which approaches work best for the organization. Wisdom then comes from sharing across institutions, learning from industry experts, and avoiding mistakes others have experienced. This requires deliberate peer learning and thought leadership engagement.

Preparing for the future of fraud

Fraud risks are evolving fast, and those organizations best positioned to keep up will be the ones that keep their teams connected, sharpen their investigative tools, and pair AI with human judgment to act faster and stay more resilient while proactively transforming data into actionable wisdom.

By implementing these five phases of fraud protection, organizations can improve their detection and investigation capabilities and create comprehensive fraud protection that evolves with emerging threats.

You can find out more about ways to

Key insights:

• • • AI is supercharging old fraud schemes听鈥� By making synthetic identities, deepfake scams, and customer fraud faster, more credible, and harder to detect, AI is amplifying fraud and crime.

    • The real vulnerability may be internal silos听鈥� Institutions need to be on the lookout, because what looks like a credit loss, an HR issue, or a payment request may actually be part of a wider multi-vector AI-enabled attack.

    • Institutions already have the tools to respond听鈥� Through KYC and internal and behavioral data, financial institutions have the ability to respond to fraud threats 鈥� but only if teams connect and act together.

Fraud and crime existed long before AI, of course, but today鈥檚 technology delivers an acceleration in speed, scale, and success rate for fraudsters, resulting in billions of dollars in losses for victims. AI-enabled frauds on financial institutions by 2027 in the United States alone, and of detected fraud attempts on financial institutions use AI 鈥� and of these, 29% are successful.

To respond effectively to these threats, institutions need to implement a unified response that brings together departments that may not traditionally be partners. This cross-functional coordination should include not only the institution鈥檚 fraud and financial crime risk teams but also its credit risk, cybersecurity, and human resources functions.

And this response is critical, because today, financial institutions are being targeted by multiple types of AI-enabled attacks, including tactics such as:

• • • use of synthetic identities to circumvent know your customer/customer due diligence (KYC/CDD) controls and perpetrate fraud or launder money;
    • use of deepfake identities to gain employment, particularly by North Korean IT workers;
    • AI-enhanced 鈥淐EO frauds鈥� to deceive staff into taking unauthorized actions; and
    • Bank customers may be targeted by fraud too, presenting further risk to financial institutions.

Let鈥檚 look at these threat vectors individually:

Vector 1: Synthetic identities and KYC/CDD

Synthetic identities can be entirely fabricated or may use combinations of real and fabricated personal information to create a new identity. For example, a fraudster may construct a synthetic identity using a Social Security number exposed during a data breach combined with an AI-generated passport.

This threat is real and happening now: identifies that criminals have already used AI to successfully open accounts using falsified documents, photographs, and videos. And according to , synthetic identities were used to open as many as 3% of US bank accounts, representing millions of identities. Not surprisingly, these illicit accounts are used to commit fraud and launder the proceeds of money laundering.

Vector 2: North Korean IT workers

North Korean individuals have successfully gained employment as remote IT workers at American companies, often passing themselves off as US nationals using AI-generated face-swapping technology combined with proxy computers and false identity documents. North Korean IT workers are almost $800 million annually for the regime.

Institutions deceived into employing these workers are not only against North Korea, but they are also exposing commercially sensitive data and systems to an adversary state, increasing the possibility of theft, cyber-attacks, and extortion.

Vector 3: CEO Fraud

A 鈥淐EO fraud鈥� is a cybercrime in which an attacker impersonates an executive to deceive an employee into taking actions such as sending unauthorized wire transfers or disclosing sensitive information. AI accelerates these frauds by making them more personalized and credible.

In one of the more well-known examples, in an AI-enhanced CEO fraud in 2024 after the fraudster impersonated Arup Engineering鈥檚 CFO and requested a staff member to make several financial transfers. The criminals added credibility to the fraud by using a in which the target recognized many of their colleagues 鈥� unfortunately, all of them were deepfakes.

Vector 4: Frauds targeting customers

Where customers are targets, AI provides the scale, speed, and personalization to allow illicit actors to deliver individualized fraud. For example, whereas romance scams previously used repetitive scripts and re-used the same images of the romantic 鈥減artner,鈥� fraudsters can now use AI-generated messages, images, or videos, continuously adapting the execution of the scam to the target鈥檚 responses and behaviors.

Creating a cross-functional and unified response

The examples above demonstrate the diverse and highly sophisticated uses of AI by illicit actors, both adversary states and criminal networks. Detecting and responding to these illicit activities requires joint action between teams that may not traditionally work closely together.

For example, if an account holder fails to repay a loan, the credit team may consider it to be a default by a legitimate customer and write it off as a credit loss. However, if the account was opened using a synthetic identity, investigation may reveal other accounts that share similar customer data points or transactional patterns. This could reveal a network of accounts that are perpetrating a fraud or money-laundering scheme. To detect and respond effectively, joint action is needed between KYC/CDD on-boarding teams, financial crime investigators, and fraud and credit risk professionals.

Alternatively, for HR teams to effectively identify use of face-swapping videos during a hiring process, knowledge from the organization鈥檚 cybersecurity team, especially of deepfake indicators, would be valuable. If a North Korea IT worker is hired and only later identified, cybersecurity and sanctions teams must be involved in the response to mitigate data, network, and compliance exposures.

Detecting and responding to all illicit activities requires joint action between teams that may not traditionally work closely together.

Finally, all staff may be targeted by deepfake fraud, but those in senior positions or departments with financial authority are the most vulnerable. This means it is essential for institutions to deliver employee training using real-life case studies, 鈥渘ear misses,鈥� and scenarios drawn from across the institution and industry. This type of training will increase vigilance and minimize the likelihood of a successful attack.

For customers, financial institutions are well-positioned to identify indicators of fraud due to their extensive datasets of KYC/CDD records, transactional, and behavioral information. Institutions should enhance their customer relationships (as well as meet applicable regulatory requirements) by taking proactive measures to inform and protect their customers.

While AI has accelerated fraud and crime, financial institutions also hold valuable and relevant assets: the knowledge distributed across their cybersecurity, HR, credit risk, financial crime compliance, fraud, and KYC/CDD teams. By connecting these teams together, even in contexts in which these departments have not traditionally been partners, institutions will be well-positioned to protect both themselves and their customers from illicit actors鈥� sophisticated AI-enabled threats.

You can learn more about the fraud-fighting challenges faced by financial institutions and other organizations here

Key insights:

• • • Define your risk appetite 鈥� A clearly defined fraud risk appetite aligns prevention efforts with strategic objectives and ensures accountability by establishing acceptable levels of fraud risk across the organization.

    • Create a fraud-specialized team 鈥� Dedicated ownership of the vendors that supply fraud solutions by a fraud-specialized team 鈥� rather than by the procurement function 鈥� is critical to maximizing technology performance and adapting to emerging threats.

    • Establish a specialized prevention division 鈥� The rise of sophisticated scams demands the creation of a separate, specialized prevention division to avoid overburdening core fraud teams and ensure targeted, effective responses.

Corporate fraud represents one of the most significant risks facing organizations today. Yet many companies lack the structured governance and technology infrastructure needed to combat fraud effectively.

The solution requires that comprehensive fraud prevention frameworks be built on clear governance, proper technology deployment, and data-driven insights, according to Aaron Frye, Founder & CEO of Lucid Point Consulting. Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results. These five pillars include:

1. Develop a fraud risk appetite

Effective fraud prevention begins with a well-defined fraud risk appetite that tells the right story to the right stakeholders. Your framework must communicate to your board, executive leadership, and operational teams the level of fraud losses your organization should tolerate, and in which areas you should prioritize fraud prevention investments.

The fraud risk appetite framework must address several key considerations; for example, it should define the level of fraud risk that aligns with the organization’s growth objectives, identify the areas of greatest vulnerability, and evaluate which investments will yield the strongest return. Equally important is the ongoing monitoring and communication of progress through regular reporting on fraud risk metrics, vendor assessments, and investigation outcomes. These actions demonstrate to stakeholders that fraud prevention remains an active priority for the organization and ensures that fraud risk continues to inform organizational decision-making.

2. Establish clear ownership of risk-solution vendors

Many organizations invest significantly in fraud detection tools only to see disappointing returns. The problem often lies not in the tools themselves, but in unclear ownership and accountability for their performance.

Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results.

If your organization lacks a designated person or team within your fraud strategy function whose job it is to ensure the risk-solution tools you鈥檙e getting from vendors are the best for your enterprise, you likely aren’t getting the most out of your vendors. This dedicated fraud service ownership role must act as your internal champion, evaluating vendor performance, staying current with product enhancements, and ensuring integration with other fraud prevention initiatives.

Critically, procurement, sourcing, and vendor management functions should never own this role. These teams, by the nature of their titles and responsibilities, don’t prioritize fraud. They lack the specialized knowledge required to assess whether your fraud detection technology is performing optimally or adapting to emerging threat landscapes. Without dedicated fraud expertise overseeing your technological investments, advanced tools sit underutilized and critical fraud signals go undetected.

3. Develop a fraud governance function

Every organization should have a dedicated fraud risk governance team within its fraud risk management organization. This governance function serves as your second line of defense, working proactively to reduce operational chaos within your fraud strategy, operations, and investigation groups.

If a non-fraud governance function owns fraud governance, you are guaranteed not to be getting the best form of governance. Fraud is a specialized discipline requiring dedicated expertise and focus; and your governance team must develop policies, establish standards, monitor control effectiveness, and ensure consistent application of fraud prevention practices across the enterprise.

4. Document existing risks and resource gaps

One of the most important responsibilities of your fraud governance function is identifying and documenting the areas related to fraud risk that your current fraud risk teams don’t have time to review. Due to capacity constraints, it is impossible for many fraud risk teams to cover all open gaps. Your organization must understand those open gaps and not be ashamed to address them.

Create an action plan that documents open risk and self-identified issues that your current team cannot adequately address. This transparency demonstrates clear-eyed realism about your organization鈥檚 limitations and creates the business case for requesting additional resources or engaging external consultants to help close these risk gaps.

5. Address the growing scam-prevention challenge

needs its own prevention strategy division within your fraud risk function. Compromised business email, investment scams, and vendor fraud schemes represent an entirely new category of fraud risk that demands specialized attention.

Every organization should have a dedicated fraud risk governance team that serves as its second line of defense, working proactively to reduce operational chaos within corporate strategy, operations, and investigation groups.

There has never been a full manageable grip on fraud prior to the spike in scams. Therefore, you cannot expect your existing fraud risk teams to tackle a new wave of scams as a priority as well as to manage traditional fraud prevention responsibilities. Your core fraud function manages internal control systems, transaction monitoring, and investigation protocols. Adding comprehensive scam prevention to this workload without dedicated resources guarantees that identifying and preventing scams will receive insufficient attention.

Establish a dedicated scam-prevention division focused specifically on emerging scam threats, employee education, scam-specific prevention technology, and response protocols. This specialized approach ensures sophisticated scam schemes receive the expertise and resources necessary while your core fraud function continues addressing traditional fraud prevention requirements.

Going forward into the fight against fraud

In an era of escalating fraud threats, reactive detection is no longer sufficient. Organizations must adopt a proactive stance grounded in strong governance, clear accountability, and strategic resource allocation.

By defining a fraud risk appetite, assigning ownership of fraud prevention tools, strengthening governance, documenting unaddressed risks, and establishing a dedicated scam prevention function, companies can build resilient, forward-looking fraud prevention frameworks. These five pillars enable organizations to anticipate threats, allocate resources effectively, and protect both financial performance and reputational integrity.

Today, the path to fraud resilience begins not with technology alone, but with deliberate, enterprise-wide commitment to proactive risk management.

You can find out more about ways to

Key insights:

• • • Conflict of interest doesn’t start with bad intent 鈥� Often, conflict of interest starts with tenure, trust, and relationships that slowly blur the line between good judgment and personal interest.

    • The real exposure isn’t the fraud itself 鈥� The real damage from conflict of interest can be years of skewed vendor decisions, above-market pricing, and lost competitive ground.

    • Companies shouldn鈥檛 treat conflict of interest as a disclosure problem 鈥� Companies would do well to remember that often conflict of interest is really a data and systems problem.

His access logs were clean, so it took weeks to find out what actually happened. He had been borrowing colleagues’ IT logins, who had handed them over without much thought, even though they knew it broke policy. They just didn’t think it mattered. He used those logins to steer million-dollar contracts to selected vendors who were paying him kickbacks.

The company鈥檚 conflict of interest policy existed, and people had signed it. Yet, nobody checked whether anyone followed it. And this scheme wasn’t even caught internally. Fortunately, someone outside found it.

This gap between knowing something is wrong and believing it matters 鈥� that鈥檚 where conflict of interest lives.

The financial exposure goes well beyond the kickback itself

The kickback that was paid to an insider is not the real cost to the company. The real cost is what happens while nobody is looking. As a result of this fraud, this company didn鈥檛 even know they were experiencing years of sourcing decisions that were shaped by hidden interests, vendors who never got a fair shot, and pricing that stayed above market price because the person managing the relationship had a reason to keep it there.

Throughout many industries, the numbers back this up. The from the Association of Certified Fraud Examiners (ACFE) found corruption in almost half (48%) of all fraud cases. Median loss for corruption schemes was around $200,000, and the average scheme run for about 12 months before anyone catches on. Not surprisingly, 87% of conflict-of-interest fraud perpetrators had no prior criminal record. Indeed, they were trusted employees, not career criminals.

What makes this worse is that most organizations have no reliable way to catch it. Across industry guidance, compliance publications, and professional forums, a consistent picture emerges: The majority of organizations rely entirely on disclosure forms and self-reporting to manage conflicts of interest. Leading compliance expert, Rebecca Walker has publicly admitted that 鈥� and even though the tools exist, almost nobody is using them.

The statistics, however, only capture what gets caught. The psychology of how it starts is harder to measure 鈥� and more important to understand. Conflict of interest rarely begins with a plan to steal. Rather, it starts with tenure, trust, and relationships that make someone hard to replace. Over time, the line between good judgment and personal interest doesn’t get crossed, it just disappears.

Taking a more structured approach

Most companies rely on disclosure forms, ethics training, and a code of conduct. They want to tell people what a conflict looks like, ask them to report it, and assume they will. Too often, they won’t.

Disclosure forms ask employees to self-report behavior they often don’t recognize as problematic, and those who do recognize it worry they’ll be investigated or treated unfairly themselves. They’ve watched junior staff held to strict standards while senior leaders get a pass. Unfortunately, that teaches everyone the same lesson: Stay quiet. When 85% of companies with a code of conduct still have fraud at this scale, the problem is not what people know, rather it鈥檚 how the program is built.

These failures point to three specific gaps in how most organizations approach conflict of interest: i) how they gather information; ii) how they monitor risk; and iii) how they receive reports. A structured framework 鈥� one based on concepts of design, detect, and deploy 鈥� can address each one of these gaps directly, with each component being measurable in financial terms.

Design: Are you collecting facts or asking people to confess?

Take a look at how you approach employees around conflict-of-interest issues. Are you seeking information or just generally hoping the employee admits wrongdoing, even inadvertently. A better approach could be to ask specific questions: How long has the employee worked with this vendor? Can the employee award contracts to them? Does the employee have any ownership stake in a company on the approved vendor list?

Let the employee give the facts and then let the system make the call. When you separate sharing information from being judged for it, people actually share and you get better data. And better data means better procurement decisions. That is not a compliance win 鈥� that鈥檚 a business win.

Detect: Are you looking for conflicts or hoping someone speaks up?

Run your vendor list against your employee records and flag matching addresses, phone numbers, and bank accounts. Check public registries for shared directors between your staff and your suppliers. Look at who has been awarding contracts in the same role for years without rotating, and managers who keep hiring from former employers.

Any company with an ERP system and an HR database can run these checks quarterly. And ACFE data underscores the value in taking the proactive approach: On average, companies using automated transaction monitoring catch fraud within six months and lose about $83,000; and companies that wait for law enforcement to alert them to the fraud take 24 months and lose $675,000.

Deploy: Is your hotline a business tool or a poster on a wall?

Tips catch 43% of all fraud 鈥� more than audits, management reviews, and law enforcement combined. Companies with hotlines lose $100,000 in median fraud; but companies without them lose $200,000. A working tips hotline can cut your losses in half.

However, most hotlines are not functioning as intended. They exist on paper without the visibility, trust, or independence required to generate reliable reports. For example, a senior executive was steering contracts to his own associates. And even though a company hotline existed, the executive actually sat on the committee that received the reports. The tool was built to catch misconduct and was working properly, yet it was controlled by the person committing the fraud. The matter had to be escalated outside normal channels, and the senior executive was eventually fired for cause.

Almost half (46%) of employees who report misconduct face retaliation, according to the , from the nonprofit Ethics and Compliance Initiative. When that is the outcome, silence becomes the rational choice. If you want your hotline to work, promote it every quarter. Show people what was reported and what happened because of it. Make sure no single person can block or read a report before it reaches the right people. Being that proactive around your hotline will give employees proof that the system protects them.

Is it worth the investment?

Of course, the question is not whether your company has a conflict-of-interest policy, it most likely does. Rather, the question is whether you would know if someone were breaking it right now.

Companies that design better fact-gathering, detect through monitoring, and deploy trusted reporting can do more than catch fraud early. They can buy from better vendors, compete on fairer pricing, protect their board from liability, and build a culture in which raising a red flag is seen as protecting the business.

If the honest answer is that you would not know if someone was violating your company鈥檚 conflict of interest policy, then business case for being more proactive has already been made.

You can find more about how companies can best manage business fraud here

Key insights:

• • • Getting at the core legal question 鈥� In a case brought by defendant Ongkaruck Sripetch, the Supreme Court is deciding whether the SEC must prove investors suffered measurable financial loss before courts can order disgorgement, which would require fraudsters to give up illegal profits.

    • Why it鈥檚 high-stakes 鈥� Disgorgement is a major SEC enforcement tool 鈥� representing billions of dollars annually 鈥� so a new requirement to prove investor losses could sharply limit when and how much the SEC can recover.

    • How the justices seemed to lean (so far) 鈥� Questions at the argument before the Court suggested skepticism toward Sripetch鈥檚 position, with several justices asking why it would be an unfair penalty to take back ill-gotten gains and noting the practical difficulty of proving each investor鈥檚 exact loss.

If you鈥檝e ever wondered how the U.S. Securities and Exchange Commission (SEC) actually gets money back after it catches a fraudster, one of its biggest tools, disgorgement, is now under the microscope. This week, the U.S. Supreme Court heard arguments in a case, Sripetch v. SEC, that sounds technical on paper but has at its core a simple question: When the SEC makes a fraudster give up illegal profits, does it have to prove that investors suffered measurable, out-of-pocket losses first?

The case centers on Ongkaruck Sripetch, who the SEC says pocketed illicit proceeds through a classic pump-and-dump scheme from 2013 to 2017. Pump-and-dumps often involve penny stocks in which a person will hype up the price of these thinly traded stocks, then sell into the price spike they caused and walk away richer. Other stock traders who bought into the hype are the ones left holding the bag.

Sripetch admitted violating securities law and, in his subsequent criminal case, was sentenced to 21 months in prison. Separately, in the SEC鈥檚 civil action, a federal court in California ordered Sripetch to repay more than $3 million in ill-gotten gains plus interest.

The Supreme Court case isn鈥檛 a serious argument against the SEC鈥檚 ability to seek disgorgement 鈥� numerous courts have recognized the remedy for years, and Congress has since written the SEC鈥檚 ability to pursue it into federal law. The core question in the case is narrower, yet crucial for the SEC鈥檚 mission. It asks whether the SEC must show that victims suffered pecuniary or economic harm before a court can order disgorgement. Federal appeals courts have split on that point, which is why the Supreme Court agreed to take the case.

What is disgorgement, exactly?

Think of disgorgement as a legal give it back order. If a person or company makes money by breaking the securities laws 鈥� say by manipulating prices, lying to investors, or running a Ponzi-style scheme 鈥� disgorgement is designed to strip the profits away from that wrongdoing and the wrongdoers. In theory, it鈥檚 not about punishing someone for being bad, rather it鈥檚 about making sure crime doesn鈥檛 pay.

In real markets, harm can be scattered across thousands of trades, mixed up with normal price swings, and hard to trace to one bad actor. Disgorgement, on the other hand, gives securities regulators a way to focus on the part that鈥檚 often the clearest: How much ill-gotten profit the fraudster made.

Indeed, that not a punishment framing is important because the SEC has other ways to punish those convicted of securities law violations 鈥� such as civil penalties, disbarment from serving as an officer or director, industry suspensions, and more. Disgorgement is supposed to be different 鈥� an action that aims at profits, not pain. The government鈥檚 position in the Sripetch case puts it bluntly: Disgorgement is meant to strip ill-gotten gains from wrongdoers, not to compensate victims for their losses.

And disgorgement is not a niche tool. The SEC regularly collects big sums of seized money through disgorgement. According to recent figures, the SEC obtained about $1.4 billion through disgorgement in fiscal 2025 (excluding certain amounts), and $6.1 billion the year before, which represented nearly three-quarters of its total financial penalties for that year.

Those numbers may help explain why this Supreme Court fight is being watched so closely: The outcome could either keep the SEC鈥檚 playbook intact or force it to do a lot more legwork before it can ask courts to order payback.

The arguments before the Court

Earlier this week, both sides argued before the Supreme Court as to the potential future use of disgorgement and what requirements the SEC might have to meet when requesting court to order it.

Sripetch鈥檚 argument 鈥� Lawyers for Sripetch told the Court that the SEC shouldn鈥檛 be able to get disgorgement unless it can show that investors actually suffered financial harm, such as a price drop caused by the fraud or some other measurable loss. If the SEC can鈥檛 prove that kind of harm, the lawyer argues, then making Sripetch pay money looks less like giving it back and more like an impermissible penalty that the SEC is not allowed to levy.

The government鈥檚 argument 鈥� Lawyers for the U.S. Justice Department, defending the SEC, said the proof-of-loss requirement makes no sense. Disgorgement, in their view, is about the defendant鈥檚 gains, not the victim鈥檚 losses. One government lawyer summed it up as a straightforward principle: Disgorgement is intended to ensure a defendant does not profit from their own wrongdoing.

At this week鈥檚 argument, the justices sounded (at least generally) more sympathetic to the government than to Sripetch. Justice Amy Coney Barrett pressed the defense on its basic logic: If the court is only taking away ill-gotten gains 鈥� money the wrongdoer was never entitled to 鈥� why is that a penalty at all? Justice Ketanji Brown Jackson made a similar point, suggesting disgorgement would only feel like punishment when someone is forced to pay money that was rightfully theirs.

When Sripetch鈥檚 lawyer suggested the SEC should have to identify and prove each victim鈥檚 dollar loss, Justice Sonia Sotomayor鈥檚 response was basically, Why would anyone bother? If the SEC has to run a mini-trial on every investor鈥檚 exact harm just to reclaim the fraudster鈥檚 profits, disgorgement would be unworkable in many cases.

The practicality of that point is a big deal in securities fraud. In real markets, harm can be scattered across thousands of trades, mixed up with normal price swings, and hard to trace to one bad actor. Disgorgement, on the other hand, gives securities regulators a way to focus on the part that鈥檚 often the clearest: How much ill-gotten profit the fraudster made. The idea is deterrence-by-math 鈥� if you can鈥檛 keep the profits, the incentive to run the scheme shrinks.

The Supreme Court’s ruling, when it comes, could re-shape how the SEC negotiates settlements, litigates fraud cases, and talks about remedies and punishments going forward.

Still, some justices raised broader concerns about how disgorgement gets used in the real world, such as whether certain applications start to look punitive, or whether they raise questions about a defendant鈥檚 right to a trial by jury. However, the Court also seemed interested in deciding only the question of the requirement to prove victims鈥� losses and leaving those bigger constitutional debates for another day.

Why this matters (even if you aren鈥檛 the SEC)

If the Supreme Court agrees with Sripetch and requires proof of investor pecuniary harm, the SEC could face a higher hurdle in cases in which misconduct is real, but losses are tough to quantify on a trade-by-trade basis. That could mean fewer disgorgement awards, smaller ones, or more pressure to rely on classic penalties instead.

If the Court backs the government, however, disgorgement stays what it has largely been 鈥� a fast, flexible way to reclaim profits from securities fraud and a core part of how the SEC tries to keep the securities markets honest.

Either way, the ruling will shape how the SEC negotiates settlements, litigates fraud cases, and talks about remedies and punishments going forward. With the Court expected to issue its decision by the end of June, securities lawyers and stock market mavens will be keeping an eye on this case.

You can find more about the challenges facing the SEC here

Key insights:

• • • SAR volume is significantly underreported 鈥� Continuing and amended filings add approximately 20% to the official count yet remain invisible in trend analyses.

    • Filing activity is highly concentrated 鈥� A few large financial institutions dominate SARs volume, meaning trends reflect their practices more than systemic changes.

    • Agentic AI will drive a surge in SARs 鈥� Agentic AI risks increased noise over actionable intelligence, without addressing the unresolved question of whether current filings yield meaningful law enforcement outcomes.

The Suspicious Activity Reports (SAR) that financial institutions file with the U.S. Treasury Department鈥檚 Financial Crimes Enforcement Network (FinCEN) provide valuable insight, although they may not offer a comprehensive picture.

Prior to meaningful discussions regarding the future of SARs, it is essential for the financial crime community to clarify what is being measured. In 2025, for example, SAR filings of more than 4.1 million, representing an almost 8% increase compared to the total number of SARs filed in 2024.

Every figure FinCEN has published reflects original SARs only. Continuing activity SARs, which represent roughly 15% of all filings, are submitted under the original Bank Secrecy Act (BSA) identification number and never appear as new filings. Corrected and amended SARs add another 5% on top of that. This makes the real volume of SARs activity approximately 20% higher than what is reported.

The average community bank files fewer than one SAR a week, while the largest institutions file more than 500 a day.

Recent FinCEN guidance giving financial institutions more flexibility around continuing activity SARs sounds significant on paper, but as former Wells Fargo BSA/AML chief Jim Richards points out: “It won’t change the reported numbers 鈥� because those filings were never counted to begin with.” Financial crime professionals need to keep that gap in mind every time a trend line gets cited.

2025 was steady, not spectacular

There were roughly 300,000 SARs filed every single month of 2025, and the most notable thing is that nothing notable happened. That is likely a first on the volume side and worth acknowledging, but beyond that milestone the year did not hand financial crime professionals anything noteworthy. In a space that has dealt with pandemic distortions, crypto chaos, and fraud spikes that seemed to come out of nowhere, steady volume and predictable patterns are a little surprising. A quiet data set, however, is not the same as a quiet landscape, and financial crime professionals who are reading stability as stagnation may find themselves flat-footed when the numbers start moving again.

For example, one of the most underleveraged insights in the SARs space is just how concentrated filing activity really is. The numbers are stark: The top four banks file more SARs in a single day than 80% of the rest of the banks file in 10 years, according to 2019 data from a .

The average community bank files fewer than one SAR a week, while the largest institutions file more than 500 a day. “50 a year versus 500 a day,” notes Wells Fargo鈥檚 Richards, adding that such asymmetry has real implications for how the financial industry interprets trends. Meaningful movement in SARs data, up or down, is almost entirely dependent on what a handful of mega-institutions decide to do.

Not surprisingly, money services businesses (MSBs) are the second largest filing category, and virtual currency exchanges are almost certainly driving recent growth there, even if outdated category definitions make that difficult to confirm directly. Credit unions round out the top three.

The filing philosophy hasn’t changed and shouldn’t

Regulatory noise occasionally suggests that institutions should be more selective about what they file. However, compliance and legal reality have not shifted. No institution has ever faced serious consequences for filing too many SARs, and the cases that result in enforcement actions, reputational damage, and regulatory scrutiny are consistently about missed filings or late ones.

鈥淵ou’re not going to get in trouble from filing too much,鈥� Richards says. 鈥淣obody ever has, and I doubt if anyone ever will.” For financial crime professionals, the calculus remains exactly what it has always been 鈥� when in doubt, file. That posture isn’t going to change, and frankly it shouldn’t.

Yet, here is where the SARs space gets genuinely interesting. Agentic AI use in SARs filings 鈥� systems in which multiple AI agents work through a case from screening to decision to documentation 鈥� is beginning to move from concept to deployment. The impact on filing volume likely will be significant.

The risk is a system flooded with AI-generated SARs of variable quality, creating more noise for law enforcement to sort through rather than sharper intelligence to act upon.

Whereas a small team today might work through a handful of cases a week, AI-assisted workflows could push that into the dozens. Multiply that across institutions already inclined to file rather than miss something, and the result is a coming surge in SARs volume that could play out over the next two to four years.

“Agentic AI has the potential to be a game changer on how we do our work,鈥� Richards explains. 鈥淏ut I believe it’ll guarantee that there will be more SARs filed and not necessarily better and fewer SARs filed.” Indeed, the critical point for the financial crime community to internalize is exactly that.

The risk is a system flooded with AI-generated SARs of variable quality, creating more noise for law enforcement to sort through rather than sharper intelligence to act upon. Once the largest institutions adopt agentic AI as a best practice, others will follow quickly, and regulators will likely be several steps behind.

The value question can’t wait

The has been in place since 2014. Yet after 12 years of filings, the financial crime community still lacks a clear public accounting of whether that data has produced actionable law enforcement outcomes.

So, the question Richards is asking is one the entire industry should be asking: “Has anybody asked law enforcement?”

This question reflects a larger challenge that the industry needs to confront more aggressively, especially as AI technology is set to dramatically increase filing volume across the board. Increasing the volume without improving how the information is used does not represent progress. If SARs are not generating real investigative value, the solution is not to file more of them faster 鈥� instead, the pipeline should be fixed before it grows any bigger.

You can find more about the challenges that financial institutions face in managing SARs here

Key insights:

• • • Convenience has outpaced consumer understanding 鈥斕齅any users treat apps, prepaid accounts, and rewards programs as simple payment tools, remaining unaware they are entrusting their money to entities with few safeguards.

    • Risk is no longer confined to traditional banks 鈥� Some of the most significant financial activities now occur within platforms and brands that do not resemble banks at all.

    • Opacity enables systemic vulnerability 鈥� The less transparent an institution’s obligations, leverage, and oversight, the easier it is for financial fragility, misconduct, and systemic risk to grow unchecked.

When you think of where money is held, you generally think of a bank. However, as we look at the financial landscape today, money is being held at a wide range of institutions that often have varying levels of safety and oversight. Entities from Starbucks to Visa to Coinbase hold money for individuals, effectively serving as a bank, but often without the regulatory framework that comes with it.

Behind the scenes, it can seem like . In its daily operation, it collects prepaid funds that resemble deposits, holds them as liabilities, and uses them internally 鈥� all without offering interest, cash withdrawals, or FDIC insurance. Starbucks’ rewards program holds $1.8 billion in customer cash, and if it were a bank, that would make it bigger, , than 85% of chartered banks, making the coffee chain one of the .

This dynamic extends well beyond coffee shops. “Popular digital payment apps are increasingly used as substitutes for a traditional bank or credit union account but lack the same protections to ensure that funds are safe,” warns the . If a nonbank payment app’s business fails, your money is likely lost or tied up in a long bankruptcy process.

Shadow banking

Think of a Starbucks gift card as a financial instrument. Technically it is one, but no one seriously worries about it being weaponized for any large-scale financial crimes. Most people鈥檚 concerns about a gift card is either losing it. The real concern lies not in lost gift cards, however, but in the broader trend: Nonbank institutions managing vast sums without commensurate oversight 鈥� and scale matters. A lost gift card is a personal inconvenience; but an unregulated institution managing billions of consumer dollars in leveraged capital is a systemic one.

Shadow banking encompasses credit and lending activities by institutions that are not traditional banks, and crucially, they do not have access to central bank funding or public sector credit guarantees. And because they are not subject to the same prudential regulations as depository banks, they do not need to hold as high financial reserves relative to their market exposure, allowing for very high levels of leverage which in turn can magnify profits during boom periods and compound losses during downturns.

The shadow banking ecosystem is diverse, and each segment of it presents distinct risks:

• • Hedge funds and private equity firms听鈥� Firms like Blackstone, KKR, and Apollo manage vast capital pools using leveraged strategies under limited oversight. Their size and borrowing levels may mean that market reversals can trigger rapid deleveraging, spilling risk into broader markets.
  • Family offices听鈥� A private company or advisory firm that manages the wealth of high-net-worth families, these can operate with even less transparency and often outside direct regulatory scrutiny, enabling them to engage in extreme leveraging and posing risks of sudden collapse.
  • Nonbank mortgage lenders and FinTechs听鈥� This group faces lower capital requirements than traditional banks, leaving thinner buffers to absorb losses during downturns, which can be especially concerning considering this sector鈥檚 rapid growth.
  • Crypto exchanges听鈥� Like much of the cryptocurrency ecosystem, these exchanges operate in jurisdictional gray zones, complicating enforcement and enabling illicit financial flows.
  • Money market funds 鈥� While these are generally perceived as safe, they can suffer runs if confidence in underlying assets erodes, which can force fire sales that destabilize related markets.
  • Special Purpose Vehicles (SPVs) and Structured Investment Vehicles (SIVs)听鈥� These investment instruments allow large institutions to move risk off their balance sheets, rendering such activity invisible to regulators.

Shadow banking may be the single greatest challenge facing financial regulation. These non-traditional institutions act like banks, but without the safeguards that make banks accountable. And where accountability is absent, opportunity often fills the void.

The same opacity that makes shadow banking difficult to regulate also makes it attractive to those with less legitimate intentions. Without mandatory reporting requirements, standardized oversight, or the threat of deposit insurance revocation, these institutions can become conduits for money laundering, fraud, terrorist financing, and sanctions evasion in ways that traditional banks simply cannot. The question is no longer whether these vulnerabilities exist, but how they continue to be exploited.

The challenge of regulation

The global financial system has always evolved faster than the rules designed to govern it. What began as a coffee loyalty program and a few alternative lending platforms has quietly morphed into a parallel financial universe, one that moves trillions of dollars with a fraction of the transparency that traditional banking requires. That gap between innovation and oversight is not just a regulatory inconvenience, it鈥檚 an open door for illicit actors.

Closing that door will require more than periodic enforcement actions or piecemeal legislation. It will require regulators, lawmakers, and institutions to reckon honestly with how broadly the definition of a financial institution has expanded, and who bears the risk when things go wrong. Because historically, it has not been the institutions themselves; rather it has been the customers, the investors, and ultimately the public.

The first step, of course, is awareness. Recognizing that your money does not need to be in a bank to be at risk and that the custodians of that money need not be offshore shell companies to operate in shadows, can transform how we think about financial safety.

The line between a convenient app and an unaccountable financial intermediary is thinner than most realize. And in the world of financial crime, thin lines have a way of vanishing entirely.

You can learn more about the听many challenges facing financial institutions today听here

Key insights:

• • • Geopolitical crises fuel financial volatility and illicit activity 鈥� Conflicts have traditionally accelerated capital shifts and flows, creating cover for bad actors.

    • Predictable patterns emerge 鈥� Financial institutions should watch for sudden cross-border activity, unusual cash deposits, and transactions from border areas.

    • Conflict zones enable black market expansion 鈥� They also should adapt their compliance systems to detect more sophisticated methods used by criminals, tightening screening and enhancing staff training.

While business and international politics may appear cold and calculating, these things are often driven by emotion, especially fear 鈥� and fear of instability often drives market volatility.

So it goes as the United States attacks one of the world’s largest militaries and supporters of regional terror groups, causing deepening instability in a Middle East already beset by violence. It is certain that there is already a surge of money flowing in and out of the region for different reasons. Legitimate and illegitimate actors alike will seek to both run away from the crisis and profit from it. However, there are some anti-money laundering specific thoughts that financial institutions need to consider during a time of global uncertainty.

The bottom line 鈥� lots of money is on the move. Funding will send aid groups towards the crisis; it will also send logistical supplies, war material, and other necessities. All of these cost money, and defense sectors in multiple countries will be pumping out munitions to refill stockpiles in any country that is related to or in the neighborhood of the conflict.

Not every large transaction is an unusual, reportable event, but financial institutions now need to look one or two layers below the surface. What does not seem related on the surface is always a red flag. Look at beneficial ownership of companies and vessels, look at relations of the owners, not just the 听(OFAC) results of those people themselves. The financial system will, and should, allow the legitimate funds to flow. However, financial investigators must remain diligent to catch bad actors that take advantage of the surge in non-profit activity or the urgency with which legitimate businesses operate in a conflict zone.

Risk Factor 1: Capital flight from regime change

Just as the fall of the Al-Assad regime in Syria caused family funds to flow to as regime members fled the country, you will see the same with politically exposed persons (PEPs) who are inevitably fleeing regime change in Iran. A political crackdown will come. Whether the victors are on the side of the West or not remains to be seen, but some factions are going to flee the country and take family wealth with them.

Banks and other financial services should watch for anyone connected to people moving money through neighboring countries in which they may have literally hiked or driven before depositing cash into a financial institution. There are stories of refugees leaving places with gold bands on their arms, cash and false bottom purses, and diamonds in the lining of sweaters. These things will be converted to cash in neighboring countries and put into financial systems less affected by the conflict. An influx of cash throughout the region, therefore, could indicate this type of capital flight.

Risk Factor 2: Illicit finance and black markets

Since the fall of Syria, we have also become aware of that helps fuel addiction and armed conflict. There are certainly other substances and drug trafficking networks about which we know very little on this side of the secrecy veil.

Therefore, this instability will be seen as a time of opportunity for criminal groups. Indeed, with Assad鈥檚 security forces no longer controlling middle eastern captagon and other narcotics trade and various armed groups looking for funding sources, this is an illicit business opportunity.

Financial institutions can expect rapid movement of money between unrelated shell corporations, new corporations, and shadow vessels. They also should expect the black market to boom with drugs, contraband Iranian oil, and funds tied to narcotics that they have only yet to discover. Illegal arms will also generate funding, so all of the methods, both formal and informal, used to transfer value will become active.

In fact, large portions of such funding will flow through financial institutions; and peer to peer payment providers, FinTechs, and money transmitters should be especially wary of funds moving rapidly through their platforms. A burst in conflict means a burst in activity from illicit sources; therefore, enhanced, targeted monitoring is a must.

How financial institutions鈥� risk & compliance teams should respond

First, all financial institutions鈥� risk & compliance departments need to assess their institutions鈥� OFAC and sanctions screening search parameters. This is a good time to dial up fuzzy logic capability and reduce match percentage thresholds. In other words, risk tolerance should go down while the metaphorical dragnet gets wider. Surge the department鈥檚 personnel capability to compensate if you have to, because that is better than a strict-liability OFAC fine. Remember, OFAC sanctions are closely tied to national security, especially when it comes to Iran. This is not an arena in which leniency can be expected. Compliance teams should look at monitoring systems and thresholds immediately, create geographical targeting models to cover the conflict zone, and consider a command center approach to deal with the fluidity of the situation until things settle.

If your institution has not already taken the hint from regulators, this also is an opportunity to double down on Customer Due Diligence and identity verification. Front line staff and embedded business compliance personnel should receive updated training and job aids to increase awareness and hone internal reporting. Indeed, it is an advanced business skill to understand complex corporate beneficial ownership, much less to detect when it may be tied to illicit activity or corrupt regimes. Now is the time to increase that level of knowledge and thereby make the culture of compliance more robust.

In every crisis there is opportunity as well as risk: Managing the risk allows every company to take advantage of the opportunity, shore up its mission, and strengthen the institution.

You can find out more about听the geopolitical and economic outlook for 2026听here

Key insights:

• • • AI scales deception 鈥� Fraudsters automate convincing scams, create synthetic identities, and overwhelm legacy controls, making AI an essential part of financial institutions鈥� anti-fraud solution.

    • “All-green” fraud is rising 鈥� The biggest losses often happen in correctly authenticated sessions, making them much harder to detect.

    • Behavior plus collaboration wins 鈥� Financial institutions need to shift from point-in-time checks to real-time, cross-channel behavioral signals and tighter inter-institution cooperation to spot coordinated campaigns and reduce friction without stalling growth.

How financial institutions are facing fraud in 2026 isn’t what it was like even two years ago. AI has industrialized deception, synthetic identities bypass traditional checks, and scams manipulate legitimate customers into moving their own money even as every security control shows green.

Today, financial institutions face a perfect storm, according to Michal Tresner, CEO of ThreatMark, and Sara听Seguin the Director听of听Enterprise Banking at Alloy. Indeed, they鈥檙e trying to manage attacks that scale automatically, identities that look real but aren’t, and victims who authenticate correctly before being convinced to hand over funds.

5 trends financial institutions need to understand in 2026

Looking at each of these five key challenges individually can offer both perspective and possible solutions.

1. The AI threat multiplier

Generative AI (GenAI) and large language models (LLMs) have fundamentally changed the fraud landscape. “AI is now the biggest threat facing financial institutions in 2026,” Tresner notes, adding that fraudsters are leveraging these technologies to create highly convincing content while automating attacks at unprecedented scale 鈥� a combination that overwhelms traditional security systems.

Seguin agrees and confirms this trend is . “Financial institutions are seeing a measurable increase in AI-enabled financial crimes, while consumers increasingly expect banks to deploy AI-based security in response,鈥� she explains. The reality is stark: AI has become an essential tool for both fraudsters and those fighting against them.

2. The onboarding dilemma

In another area, the account opening process represents a critical vulnerability. Seguin points to rising first-party fraud and scams as particularly challenging because perpetrators often appear indistinguishable from legitimate customers going through the onboarding process. “A person may open an account with seemingly normal intentions 鈥� direct deposit or everyday banking 鈥� only to later engage in fraudulent activity,” she explains.

Onboarding is where institutions have the least certainty about either the authenticity of the identity or the legitimacy of the intent.

Tresner identifies a related threat: Synthetic identities. “Rather than stealing real identities, fraudsters now generate convincing fake ones, complete with realistic identity documents and even AI-generated images or video,” he says, noting that these synthetic identity accounts are exploding and frequently serve as infrastructure for moving stolen funds.

The common thread is that onboarding is where institutions have the least certainty about either the authenticity of the identity or the legitimacy of the intent.

3. Authentication under siege

Similarly, and even as financial institutions work to strengthen onboarding controls, account takeover remains a persistent threat. Fraudsters are now using AI to bypass authentication mechanisms at scale, making previously reliable security gates less trustworthy, Tresner explains. 鈥淪uccessful authentication can no longer serve as a definitive indicator of safety.鈥�

Indeed, a properly authenticated session may still be the entry point for fraud, whether committed by an intruder or through a legitimate customer who is being manipulated.

4. The “all green” problem

Which brings us to another fraud scenario faced increasingly by financial institutions, and one that Tresner says may be 2026’s most operationally challenging issue 鈥� the fact that many scams don’t trigger traditional fraud controls. When the legitimate account holder initiates a transaction from their usual device and location using correct credentials, every standard check appears normal. The difference is the persuasion happening on the other side as fraudsters convince victims they’re interacting with trusted entities like banks, law enforcement, or romantic partners, and then direct them to transfer money.

Seguin notes that detecting these scenarios requires new approaches, such as identifying subtle behavioral signals like hesitation immediately before a money transfer. “Traditional device and credential checks won’t help when the customer is genuinely authenticated but acting under manipulation,” she explains.

5. Fraud as an industrial operation

Tresner emphasizes that modern fraud is not a series of isolated events but a coordinated, multi-step operation. Campaigns typically begin with establishing or compromising mule accounts, then deploying automated phishing kits to harvest personal data.

Younger users represent a growing target due to their online activity and platform usage, and the emergence of human trafficking-linked fraud operations has worsened this problem.

Not surprisingly, younger users represent a growing target due to their online activity and platform usage, Seguin says, adding that the emergence of human trafficking-linked fraud operations, including sextortion and overseas scam compounds, has worsened this problem.

What works in 2026

Tresner’s core recommendation for fraud investigators in financial institutions is for them to shift their focus from static, point-in-time checks to behavior-based detection. “Behavior profiling and analytics across channels can identify sophisticated actors and manipulation patterns invisible in single transactions or logins,” he explains, stressing that real-time cooperation among financial institutions is critical because fraudsters collaborate, and isolated defenses are insufficient.

Further, Seguin reframes fraud prevention as a growth enabler. “Effective risk controls allow institutions to launch products faster, set higher transaction limits with confidence, and avoid overly restrictive policies driven by fraud concerns,” she notes. Indeed, modern fraud defense isn’t just about reducing losses but about enabling safe expansion.

The 2026 fraud landscape presents compounding challenges: AI-driven scale and realism, onboarding uncertainty from synthetic identities and hidden intent, weakening authentication boundaries, scams that produce legitimate-looking transactions, and industrialized fraud operations that can span channels and institutions. Success in this area requires financial institutions to treat fraud as a behavioral, multi-channel, collaborative challenge because that’s exactly how their adversaries are operating.

You can learn more about the many challenges facing financial institutions today here